How to identify online fraud and fully protect the security of Web3?
Nov 18, 2024
Inducing authorization to steal money
Inducing users to sign malicious authorizations is one of the most common Web3 fraud methods. In investment or transfer scenarios, fraudsters disguise authorization transactions in various ways to trick users into signing them, thereby gaining the right to operate the users' assets.
1. Approve authorization fraud
Fraud case
An Approve authorization lets a user grant a smart contract (or an EOA address) the right to spend the user's tokens. Common fraud cases include:
Phishing links: fraudsters post so-called "high-yield" investment opportunities in community channels, lure users into clicking links, and trick them into granting authorization under the guise of "deposit mining" or "staking airdrops".
OTC camouflage: a fraudster impersonates an OTC merchant and asks the user to make a small $1 test transfer first; in reality the "transfer" is an authorization transaction that grants the fraudster the right to operate the user's assets.
OKX Web3 wallet protection measures
Against this fraud method, the OKX Web3 wallet protects users through multiple layers of technical measures:
The first line of defense: the URL being visited is checked against malicious-site detection; if it is identified as a malicious website, access is blocked outright.
The second line of defense: even if the website itself is not marked as malicious, if the user initiates an authorization to an EOA address on that website, the wallet intercepts it.
The third line of defense: even if the website is normal, if the user authorizes a contract and that contract is detected as malicious, the system intercepts the transaction.
The fourth line of defense: on some special networks (such as Tron), if the signature content is inconsistent with its description, the transaction is intercepted immediately.
2. Permit and Permit2 authorization fraud
Fraud case
Permit and Permit2 are gas-saving asset authorization methods introduced by Uniswap. Because this kind of authorization costs no gas fee, users often overlook it, and Permit authorization has gradually become a tool hackers use to trick users into granting authorization.
OKX Web3 wallet protection measures
Using the OKX Web3 wallet can also effectively identify and intercept this kind of fraud:
The first line of defense - clear transaction type: the wallet clearly shows that the transaction type is a Permit, clearly identifies the tokens involved, the scope of the granted authority and the expiration time of the authorization, so that users fully understand the transaction.
The second line of defense - transaction interception: for potentially risky DApp requests, the OKX Web3 wallet automatically blocks them and prompts users to carefully check the transaction risks before signing.
3. eth_sign authorization fraud
Fraud case
eth_sign allows any transaction hash to be signed, which is equivalent to handing over a "blank check" on Ethereum. Fraudsters often induce users to sign with eth_sign, so that they can construct any custom transaction to steal the users' assets.
OKX Web3 wallet protection measures
Automatic interception: the eth_sign method is rarely used in normal transactions because of its excessive authority and opaque signature object. Since most eth_sign transactions are phishing, the OKX Web3 wallet automatically identifies and directly intercepts such transactions to keep users' assets safe.
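The pre-signing checks described in sections 1 to 3 (EOA spender, malicious spender, unlimited allowance, Permit typed data, eth_sign) can be modelled in a single wallet-side risk check. The following is an added example, not OKX's code; it assumes JSON-RPC-style signing requests and constructed lookup sets for known contracts and flagged addresses, and it uses the real 4-byte selectors of approve(address,uint256) and increaseAllowance(address,uint256).

```python
import json

APPROVE = "095ea7b3"             # selector of approve(address,uint256)
INCREASE_ALLOWANCE = "39509351"  # selector of increaseAllowance(address,uint256)
UNLIMITED = 2**256 - 1           # the "infinite approval" amount


def decode_allowance_call(data: str):
    """Return (spender, amount) if calldata is approve/increaseAllowance, else None."""
    body = data[2:] if data.startswith("0x") else data
    selector, args = body[:8].lower(), body[8:]
    if selector not in (APPROVE, INCREASE_ALLOWANCE) or len(args) < 128:
        return None
    spender = "0x" + args[24:64]        # address is right-aligned in a 32-byte word
    amount = int(args[64:128], 16)
    return spender.lower(), amount


def assess_request(req: dict, contracts: set, malicious: set):
    """Classify a signing request as allow / warn / block.

    contracts: lower-case addresses known to be contracts (constructed lookup;
    anything else is treated as an EOA). malicious: flagged addresses."""
    method = req["method"]
    if method == "eth_sign":
        return "block", "eth_sign signs an opaque hash (blank check)"
    if method == "eth_sendTransaction":
        decoded = decode_allowance_call(req["params"][0].get("data", "0x"))
        if decoded is None:
            return "allow", "not an allowance change"
        spender, amount = decoded
    elif method == "eth_signTypedData_v4":
        typed = req["params"][1]
        if isinstance(typed, str):      # wallets receive typed data as a JSON string
            typed = json.loads(typed)
        if typed.get("primaryType") != "Permit":
            return "allow", "typed data is not a Permit"
        msg = typed["message"]          # value is a decimal string or int
        spender, amount = msg["spender"].lower(), int(msg["value"])
    else:
        return "allow", "no allowance granted"
    if spender in malicious:
        return "block", f"spender {spender} is flagged as malicious"
    if spender not in contracts:
        return "block", f"spender {spender} is an EOA, not a contract"
    if amount == UNLIMITED:
        return "warn", "unlimited allowance requested; check the spender"
    return "allow", f"allowance of {amount} to {spender}"
```

A real wallet would back the `contracts` lookup with an on-chain code check and the `malicious` set with a threat-intelligence feed; the verdicts here mirror the lines of defense above.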
Safety tips
Stay alert and don't blindly trust others' investment advice: avoid following investment information from social media or group chats, especially when it involves unknown links or so-called "high-yield" projects.
Avoid interacting with unfamiliar contracts: before authorizing any contract, verify that its source is reliable. Interact only with well-known platforms or DApps you fully understand, and treat contract requests from unknown sources with caution.
Refuse to sign unknown transactions: before approving a transaction, carefully check the authorized party and the amount, especially for "Approve" and "increaseAllowance" operations, so that the potential consequences of the authorization are fully understood. Pay particular attention to the scope of authority and the expiration time of the authorization, and prefer not to sign transactions you are uncertain about.
Understand the potential risks of new authorization methods: although new methods such as Permit and Permit2 save gas fees, they may also introduce security risks. Do not assume a signature is risk-free just because it does not cost gas.
Understand the nature of signature authorization: understand the purposes and capabilities of the different signature authorizations, and be sure to confirm the scope of authority and the expiration time when authorizing, so as to reduce unnecessary authorization risks.