Protection from phishing dApps

#1

It would be great if WalletConnect could offer some protection from phishing sites.

Any dApp can claim to be any other dApp, and there’s no way of a wallet knowing which is legitimate. There’s no verification on dApp name strings, and I’m concerned that some users will assume there is.

There’s been some chatter in the Telegram about possibly letting dApps set colours and logos, and I think that’ll make the problem much worse: if a user gets a transaction request with a CryptoKitties logo, CryptoKitties name and colours, there’s a fairly high chance they’ll fall for it.

I don’t have any solutions at the moment. Have any thoughts?

#2

This is super necessary. We need a Token Curated Registry for Dapp metadata that we can trust, so that Wallets don't rely on Dapps to tell them through WalletConnect; instead something like a TCR linked to IPFS hashes that have metadata available to verify which Dapp is which.

It would need to include the basics:

  • SC Address
  • Logo or Icon
  • Name

Other potential metadata fields could be:

  • Primary Colour
  • Secondary Colour

to allow Wallets to provide better UI for transaction requests.

#3

This is something I have been looking into the past few months and @pedrouid asked me to respond with the proposal I’m working on. It would be interesting for me (also as developer of ethtective.com) to have access to more metadata about addresses in general, this includes metadata on scams and hackers.

Current centralised solutions such as MyCrypto’s scamdb (https://etherscamdb.info) and MetaMask’s address info (https://github.com/MetaMask/eth-contract-metadata) depend on non-profit efforts that are usually bottlenecked by the amount of time these entities can invest in keeping the list up to date. I know from Michael (from MyCrypto) that they are open to working together to achieve a scamdb on-chain.

My current efforts are in developing a TCR for Metadata that would initially be curated as a Web-of-trust by several trusted parties (I hope this could be a collective effort between wallets) on a for-profit basis. I’m looking for feedback and comments on this and will open an ERC on the following proposal in the coming week (if time allows), then apply for an Aragon Nest grant to develop this further:

I agree with OP @localethereumMichael that identifiers (visual ones even more so) create an attack vector for scam accounts. We have seen from Twitter that users are easily fooled by these imitation accounts. The value of being able to enter false information into such a registry quickly goes up upon large-scale adoption.

This is why I think such a TCR should be very slowly decentralized and have a very strong founder bias. Spam/scamming the registry should be prohibitively expensive. Submitting scams should be rewarding. Having your logo associated with your address is valuable in itself if wallets adopt this as a standard. Curators are rewarded for verifying the submissions with fees (paid in Eth) by submitters.

I have some more thinking that I could share about visual identifiers and user safety on Ethereum. Here is a relevant discussion on ‘avatars’ (which applies to logos as well):


The biggest takeaway here is combining metadata into recognisable security features: user personalisation is great protection (very hard to attack) as long as it’s not public (then it becomes an attack vector).

Cheers!
Alex

#4

ConsenSys Diligence (see here) is working on a Token Curated Registry for smart contract whitelisting. The project is called Panvala and you can find more info here and here.

#5

Following up on this discussion, we have created an EIP for an Address Metadata JSON schema.

EIP Discussion: