We at Brave Research just published a technical report called “Privacy and Security Issues in Web 3.0” on arXiv. This blog post summarizes our findings and puts them in perspective for Brave users.

DeFi resembles a financial Wild West: new sites pop up every other day, others implode, and people make and lose a lot of money, without any safety nets or sound governance. What role do security and privacy play in all of this? Our paper set out to answer this question.

We began by compiling a list of 78 DeFi sites (including the top 50 sites by “total value locked”) and built a crawler to analyze those sites for security and privacy issues.

Despite the lightweight front ends, we find that several DeFi sites rely on third parties and occasionally even leak your Ethereum address to those third parties, mostly to API and analytics providers. You can see the full list below. Ethereum address leakage to Google is particularly problematic because the company likely already has PII about you, which it can then link to your Ethereum address, which can then be linked to your transaction history on the blockchain. Google, being an advertising business, has an incentive to monetize that data.

We also find that many sites embed third-party scripts. That is always a security risk, but the risk is particularly pronounced in DeFi given that funds are at stake: a third-party script could phish the user by initiating fraudulent wallet transactions and by manipulating the DeFi site’s DOM to make it more likely that the user accepts the fraudulent transaction. Among our 78 DeFi sites, 48 (66%) embed at least one third-party script from a total of 34 third parties. Unsurprisingly, Google’s presence among those scripts is pervasive: 41 DeFi sites (56%) embed at least one script provided by Google.
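The two measurements above, third-party script inclusion and Ethereum address leakage to third parties, can be checked for any single site with a few lines of analysis. The following is an added example, not code from the paper or from the Brave crawler: it takes a page's HTML and the list of URLs the page requested while loading, enumerates the third-party sites whose scripts are embedded, and reports which third-party hosts received the connected wallet's address in a request URL. The HTML, hostnames and address are constructed placeholders, and the "registrable site" helper is a deliberately crude last-two-labels approximation rather than a real public-suffix lookup.

```python
"""
Added example (not the paper's crawler): enumerate third-party scripts in a
DeFi front end and flag requests that carry the user's Ethereum address.
All sample data below is constructed; hostnames are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page served from defi.example: one first-party bundle
# plus two third-party scripts (an analytics provider and a tag manager).
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=UA-PLACEHOLDER"></script>
<script src="https://cdn.analytics-provider.example/collect.js"></script>
</head><body></body></html>
"""

# Constructed wallet address (40 hex digits); not a real account.
ETH_ADDRESS = "0x" + "ab" * 20

# Constructed sample of request URLs observed while the page loaded.
SAMPLE_REQUESTS = [
    "https://defi.example/api/positions?account=" + ETH_ADDRESS,
    "https://cdn.analytics-provider.example/collect?ev=connect&wallet=" + ETH_ADDRESS,
    "https://www.googletagmanager.com/gtag/js?id=UA-PLACEHOLDER",
    "https://rpc-provider.example/v1/balance/" + ETH_ADDRESS,
]


def registrable_site(host):
    """Crude eTLD+1 (last two labels). Fine for this demo; a real tool
    would consult the Public Suffix List."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def third_party_scripts(html, page_url):
    """Return the sorted list of third-party sites whose scripts the page embeds."""
    page_site = registrable_site(urlsplit(page_url).hostname)
    parser = ScriptSrcParser()
    parser.feed(html)
    sites = set()
    for src in parser.srcs:
        host = urlsplit(src).hostname
        if host is None:  # relative URL: served by the first party
            continue
        site = registrable_site(host)
        if site != page_site:
            sites.add(site)
    return sorted(sites)


def address_leaks(requests, page_url, address):
    """Return third-party hosts that received the address in a URL path or query.
    Matching is case-insensitive because checksummed addresses use mixed case."""
    page_site = registrable_site(urlsplit(page_url).hostname)
    leaked_to = set()
    for url in requests:
        parts = urlsplit(url)
        if registrable_site(parts.hostname) == page_site:
            continue  # first-party API calls are expected to see the address
        if address.lower() in (parts.path + "?" + parts.query).lower():
            leaked_to.add(parts.hostname)
    return sorted(leaked_to)


if __name__ == "__main__":
    page = "https://defi.example/"
    print("third-party script sites:", third_party_scripts(SAMPLE_HTML, page))
    print("address sent to:", address_leaks(SAMPLE_REQUESTS, page, ETH_ADDRESS))
```

On the constructed sample the first call reports the tag manager and the analytics provider, and the second reports the analytics provider and the RPC provider, while the first-party API call is ignored. A site operator can run the same check against their own front end; restricting `script-src` in a Content Security Policy and pinning embedded scripts with Subresource Integrity limit what an embedded third party can change.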