Anyone else sick of connecting their precious wallets to random sites that you have no idea if you can trust? Do you panic-scramble over to Revoke.cash on a weekly basis to cover your points of exposure?
There’s clearly a problem when the core vehicle for interaction in web3 is also a massive risk center that leaves dozens of degens dejected and downtrodden.
It’s a popular lament in the industry to finger-wag at how awful the fundamental user experience is. In order to buy, sell, and simply interact, you need to expose a wallet and its contents to a web-based interface whose origins and sanctity are — at best! — unknown. That is, unless, you’re comfortable sliding your mints through Etherscan.
Even saving a draft of this post at this point required a wallet sign-in, just to log some text outside of Google Docs in a cloud-based server. (Not to knock Mirror in particular; loving what it’s about thus far.)
The larger problem here is the inconvenience of accessing new opportunities, a tradeoff for the decentralization that’s so sought after in the space. No matter the platform or the protocol, there’s no other way to easily engage in digital experiences without making several clicks to expose your wallet.
Far worse than the inconvenience is the security risk involved in the wallet sign-in process. Wallet verification often involves signing over some permission set to a web application — and often those permissions granted might not always be so clear to the end user. The savviness required to sort out the information and permissions being offered is necessarily specific and uncommon, even within web3.
So many exploits abound wherein malicious actors set up fake mint pages, entirely fake projects, and scam away the contents of people’s wallets.
In order to stem the tail risk, it’s common for power users to run several wallets for mints, hodling, gaming, defi, all of it — a systemic inconvenience for anyone trying to play it safe out there.
Whenever someone insists on maintaining several wallets for security, SAY THEE NAY. Instead, insist on a better path forward paved with better products.
There is certainly a bevy of possible solutions for a more secure, more convenient wallet experience, so here’s one: make the browser the centerpiece for web3 interactions, a familiar tool for all things desktop and many things mobile.
A simple browser built on Chromium would suffice, but with one major departing feature: wallets can be seamlessly and deeply integrated into the browser itself. Web3 users can import their wallets from Metamask, Web3Auth, or other major providers using the associated methods of secret passphrases, OAuth, or private keys.
From here, there are two paths:
Obviously these are gigantic technical feats to build with flawless execution, but think about this: websites could feasibly never need another signature again. Instead, a site would simply read the chain for the wallet identifier or public address and adapt the digital experience accordingly.
Is the wallet on an approved list for a minting event? Boom, the site opens up the minting function and, perhaps, beams out the contract data to the browser-wallet for execution. Or, even better, the wallet signature could be assumed by the browser and the mint could then be a single-click experience (the envy of online merchants everywhere!).
Maybe this is a technical pipe dream, but thinking around the problems is still helpful. So, assuming it’s remotely possible, the scenario can resume charging forward.
Anyone else remember this mostly useless move in the Pokémon games? Minimize would raise your Pokémon’s evasiveness as it supposedly shrank to a fraction of its size.
While minimize has likely never slowed anyone down from their road to the Pokémon League, the concept is immensely valuable in security. The smaller and more numerous the targets, the higher the effort costs are for hacks and exploits. If wallets aren’t exposing themselves to sites and asking for permissions, then dApps and sites become less enticing targets for hackers.
Instead, the targets are now all the devices with wallets stored in browsers. Individual wallet collections will always be less valuable than the assemblage of wallets circling for a choice mint. And the security solutions market for devices is much, much more mature than the market for web3 and wallet security.
This does shift the onus of security even more onto the user, but the burden’s pretty high already. What’s another extra bit of work that should probably be done anyway?
Again, this is all a little hand-wavey, but there’s surely a possible future to be built here, right?
No one really loves the digital advertising model, which has long relied on cookies to identify the demographics and interests of folks browsing the ‘net. Google finally caved to criticism and is now retiring cookies from its ecosystem, first trying to replace them with Federated Learning of Cohorts (FLoCs), then the proposed Topics API (which goes live with a test this summer).
It’s hard to see how precisely the Topics API will be able to target advertisements, but Google seems to be staking its core business on it so there’s a high likelihood it’ll work to some degree.
That said, this whole approach is well-known for hoarding people’s data, exploiting their privacy, and engendering a sweeping regime of surveillance capitalism.
Instead of arbitrary identifiers that are dubiously collected, why not empower people to send the signals they want? Why shouldn’t they decide what the internet gets to know about them? At the browser level, the human could tick off the wallets available for broadcast to the sites and dApps they use, controlling what data they want to share.
Under this framework, site and dApp owners would read the blockchain to see what the wallet(s) hold, which then determines some identity parameters for targeting advertisements. With enough speed and sophistication, a crawler could build a robust profile based on the wallets’ activity. Does this person trade a lot or buy and hold? Whale, piranha, guppy, minnow, eel?
In constructing this wallet profile, the dApp could attempt to determine the owner’s interests. Activity with Socios fan tokens may indicate an interest in sports (or speculation 😜), owning an Adam Bomb Squad NFT may suggest a love of streetwear, and Food Fighters Universe tokens in the bag could hint that someone’s a foodie.
Analyzing the chain can be a bit taxing, but there’s nothing stopping a site from caching first-party data under the wallet identifier, aside from a person requesting that the data be deleted, and that’s surely an edge-case behavior.
Token ownership is a decently clear marker for identity and affinity, so web3-powered ads could create an entirely new approach to targeting.
And if a dApp or site operator was feeling froggy, it would offer nominal remuneration via tokens in exchange for data to associate with the wallet identifier. Under a contract like this, that data was bought and paid for and can likely be kept in perpetuity. Eventually, someone could build a robust profile for an entire cohort, such as Cool Cat or Doodle holders.
Can this new paradigm push forward to radically alter digital experiences based on wallet holdings?
If a wallet clearly belongs to a whale, depending on the application, why should that person receive an identical experience to someone with an empty wallet? Wallets with few or no transactions could and should be offered more educational materials in their experiences to support the owners’ exploration of web3.
This methodology would be valuable for anyone providing token-gated experiences. If someone holds a Murder Head, why shouldn’t the Liquid Death site be a little bit different for its web3-based audience? Instead of pushing someone to a store locator, perhaps the site would show off token-unlocked merchandise or offer some other holder benefit on the splash page.
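One way a site could turn the wallet signal described above into an adapted experience, as an added example that is not part of the original post. It stands in a constructed holdings snapshot for the chain read, and the collection names, `WHALE_THRESHOLD_ETH` and the `proofOfControl` flag (a one-time proof that the session actually controls the address) are assumptions, not anything the post specifies.

```javascript
// Added example, not from the original post. Decides what experience a site
// shows for an address learned from the browser, using a constructed
// holdings snapshot in place of a live chain read.
const WHALE_THRESHOLD_ETH = 100; // assumed cutoff for "whale"

// Constructed sample data keyed by lowercase address.
const ADDR_WHALE = "0x" + "a".repeat(40);
const ADDR_HOLDER = "0x" + "b".repeat(40);
const ADDR_EMPTY = "0x" + "c".repeat(40);
const HOLDINGS = {
  [ADDR_WHALE]: { ethBalance: 250, txCount: 900, nfts: ["Cool Cats", "Doodles"] },
  [ADDR_HOLDER]: { ethBalance: 2, txCount: 40, nfts: ["Murder Head"] },
  [ADDR_EMPTY]: { ethBalance: 0, txCount: 0, nfts: [] },
};
const MINT_ALLOWLIST = new Set([ADDR_HOLDER]);

// Stand-in for reading the chain; unknown addresses look like empty wallets.
function readChain(address) {
  return HOLDINGS[address.toLowerCase()] ?? { ethBalance: 0, txCount: 0, nfts: [] };
}

// Returns { tier, modules, mint } for the given address. Personalization
// that gives nothing away (education, a different splash page) keys off the
// bare address; anything with real value (the mint) also needs proof that
// the session controls the address, since a broadcast address is only a claim.
function buildExperience(address, { proofOfControl = false } = {}) {
  const addr = address.toLowerCase();
  const h = readChain(addr);
  const exp = { tier: "active", modules: [], mint: "closed" };

  if (h.txCount === 0) {
    exp.tier = "newcomer";
    exp.modules.push("education"); // empty wallets get onboarding material
  } else if (h.ethBalance >= WHALE_THRESHOLD_ETH) {
    exp.tier = "whale";
  }
  if (h.nfts.includes("Murder Head")) exp.modules.push("holder-merch");

  if (MINT_ALLOWLIST.has(addr)) {
    exp.mint = proofOfControl ? "enabled" : "verify-first";
  }
  return exp;
}

module.exports = { buildExperience, ADDR_WHALE, ADDR_HOLDER, ADDR_EMPTY };
```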
This capability gets supercharged when brands start dropping their own tokens to their customers, whether these tokens are full-on PFP projects with roadmaps or are simple markers that don’t have much in the way of metadata, but are valuable for intel to the brand. Imagine dropping a non-transferable token to a wallet for every purchase above fifty dollars or euros and building a loyalty program with custom digital experiences on top of that data.
Once a brand has some sort of token-watching strategy in place, the next step is to naturally build a web3-powered CRM and start to assign data points around behavior and contact info to the wallet, which it seems the grand people at Holder are well on their way to doing.
Innovative brands that drop a series of non-transferable marketing tokens to their customers could craft a clever drip campaign by changing up the site or products, as a reflection of their onboarding progress or time spent using the products. Marrying first-party data on traffic with a view of wallet holdings can be a powerful technique for better understanding and serving customers.
Wrapping this up, the whole concept of the wallet beacon signal could be cockamamie, but the ideation is necessary for getting out from under these hurdles. Education will only get the web3 space so far because web2 sapped everyone’s attention spans and patience as a response to the horrible experiences of web1. Asking people to click more to buy less with questionable currencies when there were multiple unicorn startups building single-click e-commerce checkout is, at best, asinine.
To get to a billion holders, the digital experiences need to be simple, neatly wrapped, and highly engaging. Wrapping the wallet more tightly into a browser, however it ultimately works, seems like a possible map for zooming down the long road ahead.