A follow-up on Web3 Antivirus release, dwelling on how to avoid expensive errors while looking for opportunities.
It keeps happening all the time. You’re browsing through tech communities, Web3 platforms or services, as whoop — you stumble upon a requirement to connect your existing crypto wallet. Why entrust access to your funds right away, before you even know you want to deal with the service? What if it’s about to drain your account?
Sure, this doesn’t inspire a relaxing user experience within Web3, not to speak of impeding the overall adoption progress. Besides, scams and fakes get increasingly inventive, meaning we can all be taken off guard — even DeFi giants experience vulnerability exploits. This got us thinking of a way out, so we heavily researched, coded, test-drived, and finally rolled out Web3 Antivirus.
Phishers knocked on our door themselves
Looks like we didn’t really have a say in that, our mission just chose us itself. While we were busy polishing Web3 Antivirus, we got a sweet email on our Dribbble account. Alongside accolades for the team, there was a job offer involving the creation of an NFT collection.
To assess the page’s current look and feel while giving a rough estimate, we were suggested to check in on a specific website to copy the idea. The P.S. paragraph went: “If you have problems with logging in, you will need to connect in the first window and approve the signature request in the second window. Also, the wallet must have a balance, this is a fraud protection with multi-accounts”.
Imagine how alert this got us? Yet, there couldn’t be a better chance to get the game on with Web3 Antivirus, and so we did. As our solution investigated suspicious schemes behind signing the smart contract in question, the request turned out to be good old phishing in disguise. Had we accepted it, all of our tokens would have been gone into thin air.
The thing is, if it weren’t for W3A, we could have signed a kind of a “blank check”, as the page camouflaged the scam with a basic “login with MetaMask” procedure. What exactly was behind the scam? It was nothing but the eth_sign method, with all of your assets as the target. Meaning, you confirm it… and kiss your tokens goodbye for good.
Sure, we informed the Dribbble team on this social engineering scheme right off — the community’s tech support got to grips with the issue hot on the trail, with the CEO appreciating our timely warning.
Waving scams goodbye is now easier
The hack we’ve described above is a disturbingly common practice, a somewhat similar scheme enabled stealing $1M of Bored Ape Yacht Club NFTs. By promoting their phishing links in popular communities, fake airdrop scammers prompt users to enter malicious websites and, most definitely, sign secret messages.
Unlike traditional transactions, these messages are invisible on the blockchain and are free of gas fees. Once a user signs them, hackers get easy permission for asset transfer.
Given how popular these one-click frauds are, we’ve meticulously crafted mechanisms to fight them. Web3 Antivirus is well-equipped to detect wealths of threats, wallet draining risks, smart contract vulnerabilities, and malicious logic. Also, we are a trust-first team, so we’ve totally ruled out asking for access to user seed phrase, wallet, and assets.
In a quick walkthrough mode, what major kinds of vulnerabilities can W3A flag? Namely, it’s anything from improper access control and Ponzi schemes to miner extractable value, re-entrancy, and far beyond. In a matter of seconds, Web3 Antivirus emulates all the transactions involved in smart contracts, shows their outcomes, and sheds light on potential risks.
Once a suspicious contract gets scanned, Web3 Antivirus generates a report with an overall score of threats based on a massive underlying risk matrix. And like that, you get all the data to make an informed decision. Risks seem acceptable? You are free to proceed with signing a transaction, otherwise simply reject it.
Disclaimer. Cointelegraph does not endorse any content or product on this page. While we aim at providing you with all important information that we could obtain, readers should do their own research before taking any actions related to the company and carry full responsibility for their decisions, nor can this article be considered as investment advice.