There have been a few browser extensions being built with the intention of helping users know when they are calling a token approval function.
The intention is obviously good, however, I believe they don't improve security and add unnecessary risk.
Let me explain why...๐งต๐๐ป
1/
Let's talk vulnerabilities, threats, and controls.
The vulnerability is that a token approval gives full control of tokens to another address.
The threat is that a user delegates this control to a bad actor's address unknowingly, resulting in asset loss.
2/
Ok so we know the vulnerability and the threat. Now, let's talk controls.
There are 3 Control Types in cyber security - Administrative, Technical, and Physical.
There are 3 Control Functions - Preventative, Detective, and Corrective.
3/
Let's just have a quick run down of each Control Type.
Administrative - human-based control, behavioural or management related. Known as a "soft control"
Physical - something tangible and not technology-based
Technical - technology based control (software or hardware)
4/
Next are the Control Functions
Preventative - prevents a vulnerability being exploited
Detective - detects unauthorised activity
Corrective - repairs damage or restores services to their original state
5/
Now that we understand control types and functions, let's go back to understanding the original threat and the control that has been developed by revoke.cash and others
Threat = uneducated user giving token approval to bad actor
Control = Technical and Detective
6/
The extension is a Technical control since it uses technology to apply a Detective function. It is Detective, because it does not prevent the user from accepting, it is merely detecting something and providing information.
So far, so good...
7/
So, why am I even writing this thread then?!
Let's look at the risk management process. We've assessed the risk of the threat. We are now looking at implementing this extension as a control to bolster our security posture. Then what? We re-assess for residual risk!
8/
Residual risk is a term that defines any risk that is left over after security controls have been implemented.
So what residual risk do we have here?
Well, for one.. we have just introduced an entirely new vulnerability to our security posture. Another browser extension!
9/
Why is a browser extension a risk? Because any additional code running on your device is another source of potential vulnerabilities.
"But, the code is open-source!" I hear you say!
So was the tool that @PREMINT_NFT were using to upload assets, that was recently attacked.
10/
Open-source != inherent security
Yes, open-source is imo better for security than closed-source products, but it doesn't mean that they are inherently secure.
ALL software products have security vulnerabilites, known or unknown - that's why we patch.
11/
Ok, so even though @RevokeCash seems competent, it would be unwise to inherently trust that their codebase will never be compromised.
What even is the threat here in the first place? Let's look at how the extension works.
12/
The extension works as a friendly man-in-the-middle. It catches and checks for function calls == setApprovalForAll, if "approved" boolean is true
This basically means it's looking for a token approval call by intercepting your on-page click before it hits your wallet
13/
After you hit Continue on the extension, it then takes the original call and passes it to your wallet
So what is the threat then?
A malicious code injection to this extension COULD allow the extension to act as a malicious man-in-the-middle.
What does this look like?
14/
Say you go to OS and list an NFT that you haven't yet approved
The extension pops up as expected and shows that you are approving that asset and the spender is OS
The compromised extension then changes the operator (OS) to the bad actor's address and sends to your wallet
15/
You have been conditioned to trust the extension, and now you aren't reading the data in your wallet and you have just signed away a token approval!
Another threat that I think is more likely is that something goes wrong with your extension or it is unknowingly disabled.
16/
You click mint on a fake mint site and the extension doesn't pop up.
You are now trained to believe that if the prompt doesn't show, the transaction is NOT a token approval and you sign the token approval.
These two threats have been introduced, so how do we control them?
17/
The only real answer here is an administrative based control - education.
You as a user need to be able to read the functions that you are signing in your wallet. That is the only way that you can detect these two possible threats.
18/
Right, so we learn how to read what we are signing in our wallet. That's the best control that we have for these threats.
So let's assess where we are at in this risk assessment...
19/
We had a threat of a token approval unbeknown to the user, mitigated with the extension as a control. The extension then introduced a new threat of a token approval unbeknown to the user...
Oh... wait.
BOTH THREATS ARE THE SAME ๐คฏ
20/
The original threat that was mitigated with the extension STILL requires user education, while introducing new risk.
Either way, the user still needs to understand what a token approval looks like in their wallet.
EDUCATION IS THE APPROPRIATE CONTROL IN THE FIRST PLACE
21/
There is no easy fix for these issues in crypto. You are the custodian of your assets, you need to understand what you are doing with them.
Education is key and no hard control is going to reduce the need for your education.
Learn how to read what you are signing.
22/
Let me be clear, I'm not being negative towards anyone developing these extensions. I applaud them for trying to provide a solution to a real problem.
But this solution is misguided and, without knowledge and understanding of the risks introduced, dangerous to users.
23/
I'll say it time and time again, security professionals are your best friend in this space.
If you are developing something like this, please reach out to me, or to any of the other security people that I regularly rt, qt or recommend in my threads.
We can give feedback.
24/
If you like this breakdown, please follow myself and these peeps for more info like this
@0xQuit
@Feld4014
@mattborchert
@Jon_HQ
@Wii_Mee
@Plumferno
@GrassyEth
@lukenamop
@BoringSecDAO
@Server_Forge
And a big shout out to @JRNYcrypto for hiring me to do this stuff!
25/
Some more accounts to follow -
@cryptoShields
@wallet_guard
@rugpullfinder
@Serpent
4lteredBeast.eth | aussiebloke.eth ๐ฆ๐บ ๐ฎ๐ฆ๐
@4lteredBeast
Cybersecurity professional, blockchain aficionado, producer and rapper. @6529collections | @pepecoins maxi