I intentionally connected Metamask to scam phishing sites to test and review 3 new wallet security tools

The most critical UX challenge in web3 is security

Anyone who attempts to do anything on-chain is at risk of being scammed by fake websites that trick them into connecting their wallets with false promises of airdrops or other benefits, and then drain them. Even sophisticated Solidity auditors can be fooled, which means the average person is in real trouble. Fortunately, several talented teams are building tools to help by simulating transactions and warning about risks.

In order to test how well these tools work, I installed a few of them, created a test wallet with a tiny bit of ETH and a cheap NFT, and intentionally allowed myself to get scammed by some known phishing sites to see how well the tools held up. I have no affiliation with these projects and have never communicated with anyone on their teams.

If you’re too busy to read it all, I recommend installing Pocket Universe, and also think Fire has great future potential. Here are the areas where I found each performed best:

  1. Fire - the most detailed rendering of simulated transactions, especially NFTs

  2. Pocket Universe - Clear warnings of suspicious approvals/transactions. The only extension that warned of dangerous universal approvals to all assets in the wallet

  3. Sunrise - Provided “verified” message for whitelisted safe websites.

I also wanted to test Blowfish, but it is currently only integrated with Phantom on Solana, so I may test it separately. Wallet Guard is another that has not launched simulations yet.

I put them through three rounds of testing. Read on for the winners of each round.

All of the extensions performed really well on the test they’re most designed for - simulating transactions for a wallet that contains NFTs. However, I list that test last because the first two tests, which show where there is room for improvement, are more interesting. None of them worked with the L2s that I tried.

The Scam

For each product, I visited the same scam website, connected my wallet, approved all transactions, and took screenshots of the warnings flashed along the way towards my wallet getting drained, then refilled my test wallet and repeated with the next tool.

DO NOT GO TO THIS URL! IT IS NOT SAFE! DO NOT TRY THIS AT HOME!

Round 1: Malicious Site Detection

None of the tools detected that this was a malicious site based on the URL. Fire and Pocket Universe did not show any message at all. Sunrise at least showed a message when clicking the extension stating that it had no info on this URL in its database and to be cautious.

This is helpful because when visiting an established official site, Sunrise shows a Verified message. The other extensions don’t do this.

Round 1 Winner: Sunrise

All of these tools attempt to detect and warn about malicious sites, but their blacklists are limited and many scam sites will not trigger a warning. The added feature of Sunrise to also give a seal of verification for sites known to be safe at least helps a bit.

Round 2: Wallet with Ethereum only

I then clicked the Mint button. For round 2, there were no NFTs in the wallet, only $10 of Ethereum. When the scam site detects no NFTs, it prompts me to approve a gasless transaction giving universal access to my wallet.

This would allow the site to steal everything in my wallet at once without any additional transactions.

Unfortunately, only Pocket Universe triggered a warning for this. Sunrise and Fire did not trigger any message or warning at all.

After I gave this universal approval, 100% of the contents of my test wallet were drained without any additional transactions.

Metamask also triggered a warning, but it is easy to miss and much less noticeable than the Pocket Universe alert, which is clear and in your face.

Round 2 Winner: Pocket Universe

Only the Pocket Universe extension gave a warning for this universal approval - the most malicious kind which grants complete control of your wallet and allows the transfer of all assets.

On Twitter, they said that they originally didn’t warn for these either because they assumed the Metamask warning would be enough. However, after a user was scammed, they added a warning for this type of approval (and apparently gave the user $100 as well).

It’s likely that the other extensions also didn’t give warnings because Metamask provides one. However, I strongly recommend that Fire and Sunrise add prominent warnings for these universal approvals. The Metamask warning is easy to miss.
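As an added example (not code from the post or from any of the reviewed extensions), here is the pre-sign check that the Round 2 result calls for: decode the calldata of an EIP-1193 eth_sendTransaction request and flag a setApprovalForAll(operator, true) call, which is assumed here to be the on-chain form of the universal approval the scam site requested (the post does not show the calldata), alongside unlimited ERC-20 allowances. The function selectors are the standard ones; the operator and collection addresses are placeholders.

```javascript
// Added example, not code from the post or any reviewed extension. Assumes the Round 2
// "universal approval" is an on-chain setApprovalForAll(operator, true) call.
const SELECTORS = { // 4-byte selectors: first 4 bytes of keccak256(canonical signature)
  "0xa22cb465": "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155 operator approval
  "0x095ea7b3": "approve(address,uint256)",        // ERC-20 allowance (ERC-721: tokenId)
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Return the i-th 32-byte ABI word (as hex) following the 4-byte selector.
function word(data, i) {
  const hex = data.slice(10 + i * 64, 10 + (i + 1) * 64);
  if (hex.length !== 64) throw new Error("calldata too short for argument " + i);
  return hex;
}
const toAddress = (w) => "0x" + w.slice(24); // last 20 bytes of the word
const toBigInt = (w) => BigInt("0x" + w);

// Classify a wallet RPC request before the user is asked to confirm it.
function classifyRequest(req) {
  if (req.method !== "eth_sendTransaction") {
    return { risk: "none", reason: "not a transaction request" };
  }
  const data = (req.params[0].data || "0x").toLowerCase();
  const sig = SELECTORS[data.slice(0, 10)];
  if (!sig) return { risk: "unknown", reason: "no approval selector; simulate to learn effects" };
  if (sig.startsWith("setApprovalForAll")) {
    const operator = toAddress(word(data, 0));
    const approved = toBigInt(word(data, 1)) !== 0n; // bool is ABI-encoded as a uint word
    return approved
      ? { risk: "critical", reason: "universal approval: operator may move every token", operator }
      : { risk: "none", reason: "revokes operator approval", operator };
  }
  const spender = toAddress(word(data, 0));
  const amount = toBigInt(word(data, 1));
  if (amount === MAX_UINT256) return { risk: "high", reason: "unlimited allowance", spender };
  if (amount === 0n) return { risk: "none", reason: "allowance revoked", spender };
  return { risk: "medium", reason: "single-asset approval for " + amount, spender };
}

// Constructed sample: setApprovalForAll(OPERATOR, true) sent to a placeholder collection.
const OPERATOR = "0x" + "de".repeat(20); // placeholder operator address
const SAMPLE_REQUEST = {
  method: "eth_sendTransaction",
  params: [{
    to: "0x" + "c0".repeat(20), // placeholder NFT collection address
    data: "0xa22cb465" + OPERATOR.slice(2).padStart(64, "0") + "1".padStart(64, "0"),
  }],
};
```

A check like this only sees what the calldata states directly; an approval routed through a proxy or batched call would not match a selector, which is why the reviewed extensions also simulate the transaction.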

Round 3: Wallet with NFTs

This is where these tools really shined, especially Fire. When I added an NFT to the test wallet and connected it to the scam site, all three of the extensions triggered alerts simulating the results of the contract interaction.

Fire has the most sophisticated rendering of simulated transactions by far. You can clearly see every step that will happen: assets out, assets in, purpose, a picture of the specific NFT being transferred, the To address, and a written “this transaction would swap x for y” description.

The Pocket Universe transaction interface gives a much more simplified display, but it’s very clear and readable. It doesn’t give as detailed a breakdown of all of the effects of the transaction or show the NFT image like Fire does, but it does show the OpenSea verification check which Fire does not. It also gives you the full contract address you are approving, which Fire does not.

Sunrise gave the least amount of detail for the simulated transaction. It did not show the name or logo of the NFTs being approved, much less the image. If it was the wrong NFT, I wouldn’t be able to tell. It also doesn’t show the contract address. When I hovered my cursor over the window, it actually did show me the name of the NFT collection in a little tooltip. Why not just show it without needing to hover? Also, it didn’t show the To address.

Round 3 Winner: Fire + Pocket Universe (Tie)

Fire provides the clearest vision into the effects of the transaction you’re about to make, breaking down all of the parts and showing the specific NFT being affected. However, Pocket Universe does a better job of warning you when a transaction is suspicious, and does so in a clear way that gets your attention.

Sunrise fell short when it came to transactions.

Overall Winner: Pocket Universe + Fire (Tie)

Each of these extensions had at least one area where it shined, and at least one area where it fell short. All of these teams should be commended for the work they are doing on such an important problem and the progress they have made. It is clear that we still have a long way to go before we can consider this a solved problem, but we are fortunate to have so many dedicated teams working on innovative solutions.

Comparison breakdown:

Fire

PROS

  • The most sophisticated rendering of transaction simulations and clear UI

  • Predicted results of all transactions

  • Shows picture of individual NFT affected

  • Showed details of approvals for individual assets

  • Blacklist warning with popup if known scam site

CONS

  • Did not detect universal approvals - the most malicious kind, which grants complete control of your wallet and allows the transfer of all assets.

  • No whitelist indicator to signify that a site is official and safe

  • None of the scam sites that I tested triggered a blacklist warning

  • Blacklist/whitelist status is not accessible from the extension

  • Transaction simulations require more attention to read due to information density

Pocket Universe

PROS

  • The only extension that warned about universal approvals - the most malicious kind, which grants complete control of your wallet and allows the transfer of all assets.

  • Dedicated to keeping people safe - added a new security feature when a user was scammed by a site, and compensated them with a policy called Pocket Protect.

  • User friendly UI with simple but clear and easy to read transaction simulation. Warnings and simulated effects are intuitive.

  • Blacklist warning with popup if known scam site

CONS

  • Did not show picture of individual NFT

  • No whitelist indicator to signify that a site is official and safe

  • None of the scam sites that I tested triggered a blacklist warning

  • Blacklist/whitelist status is not accessible from the extension

Sunrise

PROS

  • Whitelist indicator in dropdown verifies that a site is known and official

  • Blacklist/whitelist status is accessible from the extension

  • Simple UI for simulated transactions

CONS

  • Did not detect or show any message for approvals of individual tokens

  • Did not detect universal approvals - the most malicious kind, which grants complete control of your wallet and allows the transfer of all assets.

  • Limited transaction information - did not tell me which NFT was going to be transferred until I hovered with the cursor, and didn’t show the address

  • Did not show picture of individual NFT

If you have any questions or comments you can find me on Lens or Twitter

I have no affiliation with any of the projects in this review, and have had no communication with their teams.
