You know what's a bit strange?
In #DeFi, we see hackers drain millions of dollars in real-time; then we debate the ethics of anon. projects, pumping millions into unaudited code, and the immutability of said code.
But we seldom talk about the role of UI in shaping security.

1/ The other day, I came across this on Discord: A fake @UniswapProtocol account peddling a fake @HegicOptions giveaway. To my eyes, this immediately had "scam" written all over it, but I had to appreciate that whoever was behind it went to great lengths to fool people.
2/ The scammer set up a fake IDENTICAL Uniswap website (this one is http://uniswap.io , the official one is http://uniswap.org ). They even went so far as to ensure each link redirects you to its official Uniswap page.
3/ To "claim accumulated ETH rewards" you're required to connect your wallet on a fake MetaMask page that asks for your 12-word seed phrase. You can guess where this goes...
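The lookalike domain in tweet 2 (uniswap.io vs. the official uniswap.org) is the kind of thing a wallet or browser extension can flag before a user ever reaches the seed-phrase prompt. The check below is an added example written for this thread, not code from Uniswap, MetaMask or any project mentioned; the only real domains in it are the two from the thread, the rest of the sample URLs and the `OFFICIAL_DOMAINS` allowlist are constructed.

```python
from urllib.parse import urlsplit

# Domains this check treats as official. uniswap.org comes from the thread;
# in practice this allowlist would be maintained by the wallet/extension.
OFFICIAL_DOMAINS = {"uniswap.org"}


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels, e.g. 'app.uniswap.org' -> 'uniswap.org'.

    Simplified on purpose: it ignores multi-label public suffixes such as
    co.uk, which a production check would handle with a public-suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str) -> str:
    """Classify a URL as 'official', 'lookalike' or 'unknown'.

    'lookalike' means the registrable domain is not on the allowlist but its
    first label contains an official brand label: the same name under a
    different TLD (uniswap.io vs uniswap.org) or the brand embedded in a
    longer label (a constructed uniswap-rewards.example).
    """
    # Accept bare hosts as well as full URLs.
    host = urlsplit(url if "://" in url else f"http://{url}").hostname or ""
    reg = registrable_domain(host)
    if reg in OFFICIAL_DOMAINS:
        return "official"
    brand_labels = {d.split(".")[0] for d in OFFICIAL_DOMAINS}
    first_label = reg.split(".")[0]
    if any(brand in first_label for brand in brand_labels):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample input: the two hosts from the thread plus made-up ones.
    for sample in ("http://uniswap.org", "http://uniswap.io",
                   "https://app.uniswap.org/#/swap",
                   "https://uniswap-rewards.example", "https://example.com"):
        print(f"{sample:40} {classify(sample)}")
```

A match on the brand label is deliberately treated as a warning, not a block: the point is to interrupt the "connect, approve, sign" reflex the rest of the thread describes, so the user actually reads the address bar before typing a seed phrase anywhere.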
Some takeaways on why this kind of scam is going to be the norm, and what we need to do about it:

4/ While this is immediately recognizable BS to native #DeFi users, it isn't that obvious to most people. DeFi's composability and open-source nature means it's ridiculously easy to copy + paste entire protocols, apps and websites à la @picklefinance, @SushiSwap, etc.
5/ Ignoring all the issues of anon. projects printing fake internet money for bros to pump and dump (don't even get me started!), there's a lesson here: we can't underestimate the role that UI plays in eliciting a [sometimes false] sense of security.

6/ The fact that #DeFi's UX is so clunky to begin with means most users have learned to be LESS alert than they'd care to admit.
We expect 5+ steps before every transaction: connect, approve, buy, quick due diligence on Twitter, maybe skim the docs, etc. It becomes monotonous.
7/ So when we're faced with yet another complicated procedure, we switch off. That's just the way #DeFi is.
What does this say about the tools we're building?
They're so unbelievably user-scary that not only is this inconvenient, it's dangerous.

8/ Many dapps recognize the danger ahead. Trust me, we're thinking hard about what needs to be done. But I genuinely think it's time for an "internal intervention" of sorts. Apps like @argentHQ have pioneered a security-focused UI.
What are the rest of us doing?
