It’s the worst thing about web3.
You visit a website, a service, a community, or a game, hoping to check it out and maybe join. But before you can even get through the door, the service asks you to connect a cryptocurrency wallet like MetaMask. It’s the digital equivalent of being able to shop in a boutique only after handing the store owner all your banking details. It feels backward, unnecessary, and dangerous.
It’s also a serious brake on adoption of web3.
“$2.7 billion worth of crypto has been lost in 2022 to hacks of smart contracts or protocol infrastructure,” Delphi Digital, the “institutional grade” crypto research firm, recently tweeted. “This represents a 63% increase from last year.”
What can you do?
Serial entrepreneur Alexei Dulub thinks he has the answer: web3 “antivirus.” Years of building blockchain and auditing smart contract solutions for clients via his outsourced software development firm PixelPlex taught him that web3 is riddled with errors. Those errors can be exploited by hackers, or just smart technologists who find ways to use the smart contracts in ways their creators did not intend. Poorly written smart contracts have resulted in millions being locked away from both creators and customers, or millions being simply stolen.
Errors are one thing. In some ways worse are smart contracts that are literally written to steal your cryptocurrency, NFTs, or other digital artifacts of value. And because we are trained to not read the fine print in EULAs (end-user license agreements) and probably can’t read the code in smart contracts, we’re ripe for being scammed.
“Do you know what you are signing with MetaMask?” Dulub asked me.
The short answer, for me, is no.
That’s where Web3 Antivirus comes in. Installed as a Chrome plugin, Web3 Antivirus activates when you’re about to sign a transaction, then momentarily pauses the transaction and analyzes it for risk factors. One risk factor is a website that appears on what the company says are “thousands” of block lists; others are code that requests access to all your crypto, or instructions that are hard-coded and therefore presumably act only in favor of the smart contract author.
Having analyzed the smart contract, Web3 Antivirus then offers you an overview of the potential risks, and lets you make what Dulub says is a more informed decision about whether to proceed or not.
“The plugin also protects users from visiting phishing websites: it checks domain names against thousands of blocklists, identifies suspicious logic with its proprietary ML models, and warns users if the website isn’t safe,” Dulub says.
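To make the idea of inspecting a transaction before signing concrete, here is an added sketch; it is not Web3 Antivirus code and not from the company. It assumes that "access to all your crypto" shows up as a maximum ERC-20 `approve` or an ERC-721 `setApprovalForAll(true)` call, and the blocklisted domain is constructed.

```javascript
// Added illustration, not Web3 Antivirus code. The two selectors are the
// standard ERC-20 / ERC-721 ones; the blocklist entry is constructed.
const MAX_UINT256 = (1n << 256n) - 1n;
const BLOCKLIST = new Set(["wallet-drainer.example"]); // constructed

// Split ABI-encoded calldata into a 4-byte selector and 32-byte words.
function decodeCall(data) {
  const hex = String(data || "").toLowerCase().replace(/^0x/, "");
  if (hex === "") return { selector: null, words: [] }; // plain transfer
  if (!/^[0-9a-f]+$/.test(hex) || hex.length < 8) return null;
  const body = hex.slice(8);
  if (body.length % 64 !== 0) return null; // truncated or padded calldata
  return { selector: hex.slice(0, 8), words: body.match(/.{64}/g) || [] };
}

function isBlocklisted(origin) {
  let host;
  try { host = new URL(origin).hostname; } catch { return false; }
  // Match the listed domain itself and any subdomain of it.
  return [...BLOCKLIST].some((d) => host === d || host.endsWith("." + d));
}

// Return human-readable risk factors for a pending signing request.
function assessTransaction(origin, tx) {
  const risks = [];
  if (isBlocklisted(origin)) risks.push("site is on a blocklist");
  const call = decodeCall(tx.data);
  if (call === null) {
    risks.push("calldata could not be decoded");
    return risks;
  }
  const { selector, words } = call;
  if (selector === "095ea7b3" && words.length === 2) {
    // approve(address spender, uint256 amount)
    if (BigInt("0x" + words[1]) === MAX_UINT256) {
      risks.push("unlimited token allowance for 0x" + words[0].slice(24));
    }
  } else if (selector === "a22cb465" && words.length === 2) {
    // setApprovalForAll(address operator, bool approved)
    if (BigInt("0x" + words[1]) !== 0n) {
      risks.push("operator 0x" + words[0].slice(24) + " gets every token in the collection");
    }
  }
  return risks;
}
```

An empty list means only that none of these few checks fired, not that the contract is safe.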
Crucially, according to the company, the Web3 Antivirus does not ask for access to your wallet, to your digital assets, or the seed phrases (crypto-style long passwords) that protect your cryptocurrency.
It is worth noting, however, that the Chrome plugin does require access to “read and change all your data on all websites,” and to “manage your apps, extensions, and themes.” These are likely necessary to do its job, but theoretically, in the wrong hands, this is clearly a security risk.
When I mentioned this, Dulub said that’s one of the reasons the Web3 Antivirus tool is open source — anyone can view its code on GitHub — essentially to show that the company has nothing to hide.
“The key goal of the solution is to help the web3 community save billions of dollars by making the decentralized ledger ecosystem a safer place to cooperate and work in, which will benefit all stakeholders in the long run,” he added. “You don’t need to trust us, but at least you get into more details.”
One thing that’s not yet clear: monetization.
I asked Dulub how he’s planning to monetize Web3 Antivirus.
“Lots of ways,” he answered. “B2C [business to consumer] premium subscriptions for additional details and financial risk assessment, B2B [business to business] SaaS models with pay per request, and collaboration: while interacting with a protocol a user might get notified about other available options.”
“One example: when buying a token on OpenSea, users might receive a message that there is a way to save on fees by using Sudoswap, Blur, or X2Y2 instead.”
The plugin is brand new, having just been published. According to the Chrome Web Store, it has fewer than 100 users to date. However, it definitely hits a need in the market: the ability to get reputable third-party confirmation that the smart contract you’re about to sign won’t drain all your Ethereum. So if it proves to be effective, there’s certainly an opportunity for significant growth.
And it would be nice to know with some level of confidence that swapping crypto, buying an NFT, joining a DAO, or playing a web3 game is safe.