2023 Should Be the Year of On-Chain User Security

If crypto does not get its house in order, regulators will do it for them.

AccessTimeIconDec 22, 2022 at 2:43 p.m. UTC
Updated Dec 27, 2022 at 2:30 p.m. UTC
AccessTimeIconDec 22, 2022 at 2:43 p.m. UTCUpdated Dec 27, 2022 at 2:30 p.m. UTC
AccessTimeIconDec 22, 2022 at 2:43 p.m. UTCUpdated Dec 27, 2022 at 2:30 p.m. UTC

Next year will be a big year for building in “tech crypto.”

While the investment side of crypto (aka “money crypto”) struggles to repair grotesque violations of trust in centralized finance (CeFi), tech crypto must focus even more intently on improving user safety on-chain.

This issue needs to be addressed now more than ever – and thankfully the work has already started. Self-custody and peer-to-peer (P2P) transactions enabled by blockchain is perhaps what crypto is all about. Any work to improve this is a positive trend that will have profoundly beneficial and lasting impacts across the crypto ecosystem.

Bill Hughes is the senior counsel and director of global regulatory matters at ConsenSys Software Inc. This article is part of Crypto 2023.

It can be dangerous on-chain

The lesson to take away from FTX and other CeFi debacles is not just that “this digital asset investment stuff should have been regulated … yesterday.” Instead, it’s that disintermediating transactions using software on global peer-to-peer networks could go a long way to avoid these sorts of failures. In other words, decentralized finance (DeFi) might fix this.

The problem with that argument, of course, is that DeFi’s risk profile looks very different from that of CeFi. For middleman-less finance to take off, protocols must be not only useful but safe. DeFi only “fixes” things if its risk profile is low enough for everyday people to feel safe enough to actually use it.

Today, DeFi users face a host of meaningful threats the tech has yet to catch up to. Bad actors have many attack vectors. And news of splashy exploits and countless scams is causing some to walk away in frustration, fear and, in the worst case, financial ruin. Many more simply never become users due to the difficulties and risks involved.

After system security comes user security

It is famously said that Jeff Bezos’ success with Amazon came down to his realization of one inescapable truth: It’s all about the customer. In 2023, builders must start thinking “it’s all about the user.”

With it being still very early in “tech crypto,” developers have understandably focused squarely on making the technology work. They have made great strides in this regard, with more to come. No one should be criticized for putting the horse before the cart.

However, making the tech work is certainly not the only concern. User experience within the system is meaningfully important, and a big part of that experience is how safe it is. Today, it simply is not safe enough.

Putting aside the fact a technological paradigm shift will require patience and an appetite for trial and error, leaving each user to brave on-chain risks alone will mean almost no one will show up.

Better serve the users

Users need to be better equipped to avoid predators. Scammers deploy malicious smart contracts. They engage in phishing over email, social media posts and direct messages. Some will spoof front-end user interfaces. These threats pose serious challenges.

Fighting these common scams starts with understanding them. User interfaces like MetaMask and other software wallets play a big role here, both by providing insights into the transactions users are engaging in and designing ways to preempt fraud and scams.

A common attack is the “token allowance” attack. This is where a scammer surreptitiously designs a contract so that a user upon executing a transaction involving a small number of tokens actually approves unlimited control over their funds. The owner of the malicious address can then steal the user’s remaining funds. You see very similar attacks targeting non-fungible tokens (NFT).

Right now, wallets and other interfaces are working on better ways to tell users in real time what approvals they are being asked to sign. Companies that focus on anti-phishing and pre-transaction fraud detection will proliferate in 2023 – they have an unmistakable value proposition.

Improving education

Despite the best efforts of the Ethereum community and institutions, the general understanding of how to stay safe in crypto is lackluster. Blogs, Twitter threads, FAQs and other means are a high-effort, low return endeavor. The lessons are normally abstract, voluntary and do not necessarily impact actual behavior.

It’s how and when you educate that is critical to improving safety. Tech crypto builders realize that and are working on ways to supplement general education (which remains important despite its limitations) with mechanisms to better inform users about specific transaction risks in real time.

One approach involves using security service providers. These third parties including platforms, decentralized autonomous organizations (DAO) or even CeFi operators are experts as to the threats targeting their particular communities. The idea is that they gather real-time intelligence about attacks on their communities, which they are already incentivized to collect.

Your favorite platforms could warn you in advance of exposing yourself to a threat. Protocols and apps can design security messages (i.e., pop ups that read something like “what your security provider says about this transaction”), that could inform people before executing a risky transaction. Such systems could prove effective going forward, if people enable their wallets to receive these messages.

Fighting phishing

Social media is a breeding ground for these scammers. Platforms like Twitter should do more to stop these frauds, but tech crypto is also exploring novel ways to help users identify scams in real time.

For example, the teams behind MetaMask and Laconic have partnered on a new initiative to proactively protect users from phishing. This project, called MobyMask, is cultivating a community of reporters who identify and aggregate phishing scams. This information can be built into applications to help prevent users from getting suckered.

Real-world law and order should properly play a role – these scammers are criminals. In fact, phishing operations are growing in scale and complexity and becoming more entwined with international criminal organizations. We should embrace a collaboration between crypto and traditional law enforcement, as plenty of us are sick and tired of simply playing defense.

Improving private key safety

We should see more introspection in 2023 about risks presented by foundational blockchain tech. Some already agree that user safety would increase with improvement to a central feature of the blockchain space: the private key.

Private keys and secret recovery phrases (SRP) have long been a user safety concern, and 2023 will bring more warnings and protections. We will also see further integrations of software wallets with different hardware wallet cold storage solutions, making it harder for criminals to access a victim’s funds.

But tech crypto will build beyond these measures and towards solutions like multi-party computation (MPC). One example of MPC involves multi-factor authentication, specifically entailing a user splitting his key between a local wallet and a signing server. Those shards would work together when a transaction needs signing but would guard against a loss of funds if either is compromised.

You will also see further debate in 2023 about concepts such as “account abstraction.” Described well by Argent wallet and Ethereum co-founder Vitalik Buterin, account abstraction involves updating Ethereum itself to essentially make all addresses programmable, not just smart contracts. This would allow for tech crypto to explore more options to safeguard wallets and improve recovery of lost or stolen funds.

The chorus of voices calling for account abstraction development is growing and growing. The arguments for it are only becoming more compelling. That is likely to accelerate in 2023.

Engineering principles really matter

User safety is also directly impacted by how the community of tech crypto developers works and acts. There is a smart, responsible way of engineering blockchain software. Those principles, which include incremental change, auditability and reliability, have been articulated to some extent, but they must be expanded, refined and more broadly embraced.

Services such as smart contract security auditing should be expanded and become more routine, especially where a smart contract has explicit financial applications. Analyses like Solidus Labs’ recent “Rug Pull Report” and other sober assessments of on-chain scams are also sorely needed if the ecosystem is going to make honest assessments of its progress.

Lastly, the community should also think seriously about whether to simply laugh off incidents where a developer hurts users through negligence or fraud.

Money crypto should incentivize best practices

Venture capital and other investors not hibernating through this crypto winter should seek out projects that prioritize user safety to invest in. That is, if they’re truly “in it for the tech.” It could be a sound investment strategy: Utility plus safety equals adoption.

Money crypto should apply a due diligence checklist for things like responsible development principles, audits and code transparency. Requiring these elements as table stakes for making an investment not only will help identify good founders and projects, good founders who are focusing on safety, but also incentivize markets towards more sustainable and safer building practices.

Regulators will address user safety if builders do not

The final, and perhaps most important point is that if we do not prioritize safety, then regulators will on our behalf. Few things are more certain.

In 2023, we will start to see greater movement out of consumer protection policymakers. They will first attend to CeFi, because that is where the fire currently is. Then, if people are still getting hurt frequently enough in the P2P space, regulators will determine what rules are needed to better protect P2P network users.

Perhaps those rules will apply only to for-profit software developers. Perhaps regulators will simply say “it’s all too dangerous” and accordingly write rules directly restricting users. We don’t know, necessarily. But we do know, it bears emphasizing: If user safety does not meaningfully improve as adoption increases, then P2P programmable networks and the apps on them will be regulated by investor and/or consumer protection authorities.

This is concerning both because regulators are unlikely to know how to help without materially degrading innovation or user choice, and because consumer protection enforcers, state Attorneys General in particular, have incredibly broad powers to hold service providers and product developers accountable for user injuries. It is far better to get tech crypto’s house in order than to let regulators do it.

The P2P ecosystem will flourish if it is safe enough for everyday people to use. It’s simply not there yet, but we can get there. Those builders that make user safety a priority in 2023 will help build that space which sees the most dramatic adoption. And those builders will be the leaders in it.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Bill Hughes

Bill Hughes is senior counsel and director of global regulatory matters at ConsenSys.