The crypto world has certainly taken a beating in 2022. The year has seen hacks across exchanges and ecosystems, and millions of dollars lost in scams and phishing attacks.
Around $4.3 billion in cryptocurrency was lost to hackers from January to November – a 37% increase from the same period in 2021, according to investigative website Privacy Affairs. Solidus Labs, a blockchain risk monitoring firm, recently said it’s been detecting 15 new crypto scams every hour!
Most importantly, a large number of crypto scams target individual users. People can generally be susceptible to schemes like investment fraud or scammers impersonating businesses or government authorities. Bad actors have deployed phishing attacks to obtain private keys, which they’ve used to clean out users’ funds.
Considering the lower security awareness around Web3 applications due to their nascent nature and rapid evolution, it is hard for users to stay on their guard and keep up to date with constantly evolving scams.
Additionally, the unfriendly UX in the majority of Web3 applications doesn’t help users stay vigilant when they simply don’t understand what they are asked to agree to in their MetaMask wallet.
There have been some initiatives by security browser extensions to include additional pop-ups on top of the MetaMask window with further explanations and warnings regarding transactions. Similarly, some wallet providers are providing clearer messages that help users understand what they are signing. However, downloading these security extensions also comes with potential security issues: How can users verify the extension source and avoid spoofed extension providers, for example?
Introducing Web3 Guard
Opera Crypto Browser addresses these exact challenges with Web3 Guard. Built into the browser itself, Web3 Guard helps you safely navigate the decentralized web by providing timely security warnings and recommended actions when browsing Web3, visiting Dapps, and signing transaction requests with both smart contract addresses and regular recipient addresses. As an integrated feature in Opera Crypto Browser, there’s no third-party extension to download and verify, eliminating the risk posed by untrusted apps.
How it works
In this release, two security checks have been introduced:
Receive security details about the Dapps[1] you visit.
Based on the URL you are visiting, Web3 Guard will look for known security risks connected to the Dapp you are exploring, such as:
- If the Dapp contains malicious contracts[2]
- If the Dapp has a malicious owner[2]
- Whether the Dapp has been audited
- Whether the Dapp’s contracts are open sourced
If a Dapp contains malicious contracts or is owned by a malicious creator, you will be warned prior to entering the Dapp’s website.
Additionally, you can easily check for security information yourself at any time when you’re on a Dapp’s official website or related sites such as Twitter, Discord, Telegram, Github, or Medium. Just click the Web3 Guard icon to the right of the address bar and all available security information about the Dapp you are exploring will be displayed.
If a Dapp has not been audited and/or its smart contracts are not all open sourced, you will also receive a more prominent warning just beneath the address bar with an option to see more security information about the Dapp. This is specifically made for smaller and lesser-known Dapps to ensure you are well informed.
If you visit a Dapp that is not yet known by Web3 Guard, the summary screen will display “No information found.” This does not necessarily mean that the Dapp you are visiting is safe or risky, however. It just means that there isn’t yet any security information available about the Dapp. If you encounter any unknown security issues, feel free to contact us with the details so we can continue to enhance Web3 Guard.
When assessing Dapps, Web3 Guard compares the URL against a database of Dapp security information that Opera maintains internally. This database is kept within your local storage, and the check itself is run locally any time you enter a website. Because of this, the check is performed without collecting any of your personal data, and without storing any of the URLs you visit.
In addition to using the Web3 Guard feature, it’s always a good idea to do further research and increase your security awareness about the Dapps you interact with.
Seed Phrase Phishing Check
Check for threats on the websites you visit to prevent theft of your seed phrase[3].
This check is powered by the Phishing Pattern Engine, which checks web pages you visit for suspicious seed-phrase phishing behaviors, such as:
- Common phishing keywords: private key, seed phrase, mnemonic phrase, etc.
- Common phishing properties: input box, list of wallet options to connect with
- Certain sizes, numbers and positions of text input components
- Files and documents that include phishing patterns
When a risk is detected, a message is displayed to warn you against engaging in risky interactions with the phishing site. This check protects you specifically from active phishing scam websites that haven’t yet been reported or included in any major phishing site blacklist. If the security risk has not yet been reported, there won’t be a warning from Google Safe Browsing, PhishFort or MetaMask phishing detection. Web3 Guard serves as a last line of defense when you land on a phishing site, making sure you are well alerted and guarded against such phishing attacks.
To run the check, the Phishing Pattern Engine monitors the DOM (document object model), a piece of the interfacing layer of the actual web page, and screens for any phishing patterns. So the check does not listen to or watch the actual content of your browsing, and does not collect, process or share any of your browsing data.
The Phishing Pattern Engine is built internally by the Opera Crypto Info Security team and is continuously optimized to improve its detection efficiency against rapidly evolving phishing scams in the Web3 space.
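As an added example (this is not Opera's Phishing Pattern Engine, whose rules are not published on this page), the following JavaScript applies the signals listed above to a snapshot of a page's text and input fields. The keyword and wallet lists, the use of BIP-39 word counts as the "number of inputs" signal, and the rule that a keyword must coincide with a structural signal are all assumptions.

```javascript
// Added illustration only; not Opera's Phishing Pattern Engine.
// Keyword list, wallet names and thresholds are assumptions.
const KEYWORDS = ["private key", "seed phrase", "mnemonic phrase", "recovery phrase"];
const WALLETS = ["metamask", "trust wallet", "coinbase wallet", "ledger", "phantom"];
const MNEMONIC_LENGTHS = new Set([12, 15, 18, 21, 24]); // BIP-39 word counts

// True when the text inputs look like one box per mnemonic word:
// a BIP-39 count of same-sized fields laid out in aligned rows and columns.
function isMnemonicGrid(inputs) {
  const fields = inputs.filter((i) => i.type === "text" || i.type === "password");
  if (!MNEMONIC_LENGTHS.has(fields.length)) return false;
  const sameSize = fields.every(
    (f) => f.width === fields[0].width && f.height === fields[0].height);
  const cols = new Set(fields.map((f) => f.x)).size;
  const rows = new Set(fields.map((f) => f.y)).size;
  return sameSize && cols * rows === fields.length;
}

// page is a snapshot: { text, inputs: [{ type, x, y, width, height }] }.
// In a browser it could be built from document.body.innerText and
// getBoundingClientRect() on each input; here it is plain data.
function assessPage(page) {
  const text = page.text.toLowerCase();
  const reasons = [];
  if (KEYWORDS.some((k) => text.includes(k))) reasons.push("keyword");
  if (WALLETS.filter((w) => text.includes(w)).length >= 3) reasons.push("wallet-list");
  if (isMnemonicGrid(page.inputs)) reasons.push("mnemonic-grid");
  // A keyword alone is not enough: articles about wallet safety mention
  // seed phrases too. Require wording plus a structural signal.
  const structural = reasons.includes("wallet-list") || reasons.includes("mnemonic-grid");
  return { flagged: reasons.includes("keyword") && structural, reasons };
}

// Constructed sample pages (not captured from real sites).
function grid(cols, rows) {
  const out = [];
  for (let r = 0; r < rows; r++)
    for (let c = 0; c < cols; c++)
      out.push({ type: "text", x: 20 + c * 140, y: 200 + r * 48, width: 120, height: 32 });
  return out;
}
const RESTORE_PAGE = {
  text: "Connect wallet: MetaMask, Trust Wallet, Phantom. Enter your 12-word seed phrase.",
  inputs: grid(3, 4),
};
const ARTICLE_PAGE = {
  text: "Never share your seed phrase or private key with anyone.",
  inputs: [{ type: "text", x: 900, y: 10, width: 180, height: 28 }], // site search box
};
console.log(assessPage(RESTORE_PAGE), assessPage(ARTICLE_PAGE));
```

The article page shows why wording and layout are combined: it mentions seed phrases but has no wallet picker or word grid, so it is not flagged.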
Web3 Guard statuses
When Web3 Guard is enabled, you can find the check icon to the right of your address bar. The icon and its color change to provide you with the status of your Web3 navigation security at a glance. Statuses include:
- Web3 Guard has not identified any threat, and has not found any security information for the webpage or Dapp you are visiting.
- Web3 Guard has identified some threats on the webpage or Dapp you are visiting. You’re encouraged to click the icon for more details about this alert.
- You have already opened Web3 Guard and seen the details of this alert, but the identified threats are still present in the webpage or Dapp you are visiting.
If you deem it necessary, you can go to Settings and enable or disable the individual security checks. At least one security check must be enabled for Web3 Guard to remain active; however, you can also click on the gear icon to disable the entire feature.
If you disable one or more of the security checks, you will see a broken shield icon as your protection will be less comprehensive.
- [1] Dapp: Decentralized application (DApp, dApp, Dapp or dapp). This is an application that can operate autonomously, typically through the use of smart contracts, which runs on a decentralized computing, blockchain or other distributed ledger system.
- [2] Smart contract: A computer program or transaction protocol that is intended to automatically execute, control or document legally-relevant events and actions according to the terms of a contract or agreement.
  - Malicious contract: A contract coded with potential threats
  - Malicious creator: A contract creator that has been associated with malicious behaviors in the past, such as honeypot tokens, stealing attacks or other suspected malicious behaviors.
- [3] Seed Phrase (recovery phrase): A series of words generated by your cryptocurrency wallet that gives you access to the cryptocurrency funds associated with that wallet.
If you haven’t already, download the latest version of Opera Crypto Browser, which comes with Web3 Guard built in.
Feel free to contact us if you believe a website has been wrongly flagged by Web3 Guard, if you have reason to believe the warning information about a Dapp is wrong, or if you have any questions or suggestions. You can reach us via our support page.