I have no idea what I’m doing — transaction clarity in DeFi

(Source: https://knowyourmeme.com/memes/i-have-no-idea-what-im-doing)

Meta-Transactions, EIP-712, and other magic tricks

Native Ethereum Transactions vs. Meta-Transactions — Simplified! (Source: own elaboration)
Example of pre-EIP-712 Meta-Transaction… hard to understand and clearly dangerous (Source: [4])

Ignorance is bliss?

Real-life EIP-712 Meta-Transaction… “easy” to understand and ready to be signed. BTW, it gives permission to use all your WETH tokens (Source: own elaboration)

Why it matters — a short story of BadgerDAO hack

MetaMask pop-up as seen by victims of BadgerDAO hack, recreated by ZenGo (Source: https://github.com/ZenGo-X/badger_dao_script_analysis)

How to live? What to do?

Total Value Locked in DeFi (Source: https://www.defipulse.com/)
  • Domain Visibility: Make user access to the Domain part of EIP-712 messages easier in software wallets like MetaMask. The domain part of EIP-712 is meant to prevent the signature of one dApp from being used by another dApp. It holds information like dApp name, Chain ID, and address of Contract which will verify the signature. This might significantly facilitate the verification process for curious or cautious users.
  • Verification Instructions: Currently, when signing EIP-712 messages Hardware wallets present a hash value of the signed message and its domain part. However, for many users, those might be hard or even impossible to verify. Software and Hardware Wallets providers should collaborate to produce clear step-by-step instructions on how such hashes can be verified. Without those hash values presented on the Hardware wallet screen does not provide any additional level of security.
  • Meta-Transaction Review-Ability: As presented in the BadgerDAO section of this article, MetaMask pop-ups can somehow descriptively present to the end-user what kind of request is being signed and what potential harmful consequences are connected with it. We know that as an outcome of the BadgerDAO hack MetaMask is “currently working on some confirmation review-ability improvements [8]”. I believe those improvements should not only be done for native Transactions but for EIP-712 Meta-Transactions too. Ideally, software wallets should descriptively present all standard ERC-20 functions no matter what kind of transaction is performing them.
  • Meta-Transaction Editability: One of the security practices preached widely nowadays is to alter spend limits on allowance requests from the default (infinity) to smaller values. This advice is very reasonable yet can be performed only on native Ethereum Transactions where software wallets like MetaMask allow you to edit the DATA field of the transaction. Currently, there is no way of easily changing allowances done via Meta-Transactions. As a result, such security practices are out of reach of Meta-Transactions as they are not editable. Such a situation is unacceptable when Meta-Transactions can do the same amount of harm as the native ones.
  • Meta-Transaction History: Last but not least, software wallets should provide an option to keep the user history of signed messages. Currently, messages become invisible to the user as soon as they are signed (until they are pushed on-chain by the relayer). Each user should have an option to clearly see what kind of messages he signed as Meta-Transactions very often can hold the power to move his funds without his knowledge.
(Source: https://www.memecenter.com)

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store