“Trillion Dollar Security - Phase 2”

Since announcing the Trillion Dollar Security project, we person surveyed the ecosystem to recognize which improvements are highest precedence to each furniture of the Ethereum stack and community.

Now it is clip to statesman the adjacent signifier of this initiative: acting connected the highest precedence issues we face.

For this archetypal question of actions, we volition mostly absorption connected UX issues. Our probe showed these to beryllium the astir urgent issues facing some idiosyncratic and organization users of Ethereum and Ethereum-based applications.

During this archetypal question we volition footwear disconnected a scope of enactment targeting important areas successful UX security. The enactment we statesman contiguous is simply a operation of precocious leverage short-term actions and semipermanent projects that we expect volition proceed for years. We mean to regularly motorboat caller waves of projects, tackling antithetic precedence information domains implicit time. As these projects summation momentum implicit the adjacent fewer weeks and months, we volition crook our attraction to the adjacent question of priorities targeting different domains.

As always, we are anxious to enactment and collaborate with others moving to further amended Ethereum’s information and marque Ethereum safer for billions of users and trillions of dollars of on-chain capital. Reach retired to america astatine [email protected].

1. Coordinating a “Minimum Security Standard” for Ethereum wallets and supporting Walletbeat

Wallet UX is wherever information begins for each users of Ethereum. If users cannot safely negociate keys, motion transactions, and interact with on-chain applications past they cannot usage Ethereum safely.

We judge the Ethereum ecosystem should make and follow a minimum information modular for wallets, which tin service arsenic a trusted and morganatic notation constituent for which wallets are harmless for mean users of Ethereum. We judge this modular should necessitate features like:

• Transparent transactions
• Compromise-resistant interfaces
• Privacy-supporting architecture
• Standards for wallet behaviour, e.g. support management, cardinal handling, frontend verification
• + more

We are inspired by the occurrence of L2BEAT successful educating users and making the information and decentralization properties of L2s transparent to the ecosystem.

We judge a Minimum Security Standard for wallets could assistance code 2 antithetic sides of this problem. First, giving mean users a reliable usher to choosing lone those wallets that conscionable this modular means that a greater stock of Ethereum users volition person entree to the features they request to person a unafraid on-chain experience. To bash this effectively, the modular indispensable beryllium a precise precocious barroom and it indispensable regularly beryllium raised arsenic caller information features are developed by the ecosystem oregon caller threats are found. Second, the modular volition promote wallet teams to prioritize important features to stay compliant.

To assistance make and beforehand specified a standard, we are excited to beryllium providing a grant to Walletbeat, who person been moving towards a akin vision. Walletbeat volition beryllium some a contributor to this assemblage modular and an enactment that tin assistance bash the hard enactment of measuring wallets against the modular and making accusation easy accessible to users.

Stay tuned for much accusation astir enactment connected this modular and however to contribute.

2. Unblocking the “tech tree” to lick unsighted signing

One of the astir important issues facing UX information is unsighted signing. Users are often expected to motion transactions without the quality to recognize what those transactions volition do.

Through discussions with ecosystem advisors and our stewards, we person identified a fewer ways we tin assistance unblock the “tech tree” that volition alteration much wallets to deploy features to code this problem.

Unblocking transaction decoding

One solution to the unsighted signing occupation is for wallets to decode the earthy transaction data, and construe it into a human-readable statement of what the transaction volition do. Instead of seeing a agelong drawstring of code, a idiosyncratic mightiness spot accusation similar “Transferring 1,000 of token ABC to recipient 0x123”.

One situation for wallet teams is that this benignant of diagnostic requires a broad dataset of relation signatures, which requires entree to databases of verified contracts, galore of which are closed root and necessitate costly licenses to use.

Over the past fewer years, the Verifier Alliance (VERA) has been softly moving to code this, and contiguous has built a database of much than 8 cardinal contracts. Through our probe it became wide that galore teams were unaware of the resources VERA offers, and implicit the adjacent weeks and months we volition beryllium promoting their enactment to guarantee that wallet teams are alert of these unfastened root resources, and exploring different ways to maximize the interaction of their work.

Secondly, we’re opening immoderate R&D projects that we judge mightiness unlock caller methods for transaction transparency successful wallets.

• Standards that would promote applications to adhd codification to their contracts which makes it easier for wallets to construe transactions.
• Revisiting past proposals to code this occupation which were not prioritized by the ecosystem astatine the time, similar ERC 4430, EIP 7730, EIP 719, and exploring however to proceed the enactment of the Human Readable Transactions Group.

Wallets tin adjacent spell a measurement further and really simulate the results of a transaction successful an EVM situation against Ethereum’s existent state. This simulation would past instrumentality a connection similar “this X volition effect successful you sending 1 ETH from X to Y, and receiving 1 NFT from postulation Y.”

If wallets could reliably categorise the level of spot successful contracts with which users are interacting, this would spell adjacent further towards solving this problem.

Some wallets connection these features today, but we privation to marque it easier for much wallets to bash truthful and for each transaction simulation features to beryllium reliable and precocious quality.

We person besides begun aggregate R&D projects to research whether in-protocol improvements connected things similar opt-in transaction assertions and further information features would further summation the information of users.

3. Making it easier for developers to debar deploying susceptible code

Having an open-source database of astute declaration vulnerabilities, which tin beryllium utilized arsenic a notation by IDEs and different developer tooling, is thing we judge could assistance trim compromised contracts. These tools could scan pre-deployed contracts against the open-source database earlier deploying the codification onchain, allowing developers to much easy observe vulnerabilities successful their exertion earlier they deploy it.

While not strictly a UX project, we judge this is simply a precocious leverage undertaking wherever the EF is successful a unsocial presumption to assistance coordinate a wide utilized database, and we invitation anyone who would similar to help, specified arsenic audit contention platforms, auditors, achromatic hats, oregon others, to assistance lend their findings.

Once we person a large-scale open-source database successful place, the adjacent measurement is to advocator for instrumentality developers to physique features that instrumentality vantage of this.

Here’s what the ecosystem tin assistance with:

Ultra elemental non-tech wallet

A precise communal portion of feedback during our survey signifier has been that the existing wallets are targeting the tech crowd. There appears to beryllium a precocious request for wallets for non-technical users crossed the satellite which supply features that practically guarantee a unafraid situation by gathering defender rails that inactive let users to person the on-chain experience. Survey respondents mentioned things specified arsenic casual transactions to friends and businesses (not having to benignant a nationalist key), casual payments for goods and services, built-in basal swapping, and the quality to reconstruct your wallet. If you person ideas connected however to code these issues past delight scope out.

Enterprise focused wallets

Enterprises person mentioned the value of privacy, censorship absorption (including outer services being utilized by the wallet to interact with the network), and compliance requirements for cardinal management. If you person ideas connected however to code this past delight scope out.