Introduction

In Web2, most users have some familiarity with threats to their online accounts, whether those accounts are financial or tied to other services such as social media. In one form or another, the attacker wants to learn the user’s password. This could be done through a dictionary attack, taking advantage of a poorly chosen secret, or through one of many forms of phishing and social engineering, enticing the user to hand over their credentials. With the password 🔑 compromised, the attacker can then extract whatever value is associated with the account, or use that account as a foothold to compromise further accounts. According to recent surveys, the following best online security practices remain a challenge for end-users and IT professionals alike.

Usability issues around security have parallels in Web3. For instance, phishing attacks range from tricking the user into disclosing their private key to obtaining a signature that grants permission for unlimited fund transfers. Flawed but popular open-source software for generating vanity blockchain addresses (e.g., Profanity) can, in the process, make it trivial for an attacker to compute the corresponding private key.

Most products in this space are built with relatively standalone threat models in mind. For example, hardware wallet solutions tend to focus mainly on maintaining an air gap from less trusted software components. Threat intelligence products like Chainalysis provide insight into counterparty risk. Users are left to devise their own threat mitigation strategies through some combination of these products. This approach not only places an undue burden on the user, but may leave users exposed to Web3 threats in unforeseen ways.
