[PragmaticPulp]

Absolutely baffling that the crypto community normalized this process of connecting your wallet to a random website and letting it access all of your money.

I see a lot of victim-blaming suggestions that it's the fault of the person who didn't set up a new crypto wallet for every interaction they might want to make and then transfer enough money into said wallet to cover unpredictable gas fees (while also paying gas fees to transfer the money) and then, presumably pay even more gas fees to transfer everything back out of the wallet if it turns out to not be a scam. It's incredible that crypto has reached a point where some people seem to think this is all totally reasonable and natural to expect the average user to know.

[dcolkitt]

That's not how it works at all. When you connect a wallet, the only unrestricted access it gives the app is the ability to see your public address.

The app does not have the ability to sign transactions on your behalf without your explicit approval.

[dlubarov]

The parent is probably thinking of websites which make use of ERC20's 'approve' method, which "Sets `amount` as the allowance of `spender` over the caller's tokens."

It's used by a lot of DeFi apps, often with an unlimited amount. It doesn't give control of the tokens to a website, but rather to a contract. It's fine if the contract is secure and immutable, but of course that's not always the case.

[quickthrower2]

It depends on the site of course.

It is easy to create a site that asks you to provide your wallet private phrase. The DNS MyEtherWallet hack that I vaguely recall exploited this.

On the other hand, good crypto citizens will just use the web3 library that will request permissions on an ad-hoc basis from your wallet extension (such as MetaMask).

However even then you can scam someone using social engineering: Just tell them "how" to do XYZ. E.g. "To get your free mini-monkey NFT, just connect your wallet with your bored ape, and when the confirm box pops up from metamask just click OK".

The fiat equivalent of course is a site that asks you to log into paypal and send them $1000 - but that is way more obvious than the crypto equivalent, where you interact with a smart contract and it isn't necessary clear ahead of time what will happen. Especially as smart contracts might be used for, for example user registration. If the user registration endpoint asks for money then you could get scammed that way.

[gowld]

What does a user see? How should a user investigate a transaction to check what it does? Is there any good automated explanation/visualization of the effect of a transaction?

[bko]

This is what I do:

When a site initiates a transaction, you can see the address you're interacting with. You should then look up the address on etherscan to see if it has public code and a lot of transactions. Then you should search that address in google and see if the main site links to it. A lot of projects have a list of addresses in their github. You can also inspect the function code. Once you're comfortable, you should add it to your saved addresses on your wallet and next time you'll see the name of the address.

Also you can create a new throw away address, transfer just a little bit of coins to it and interact with the contract. If it does what you think it should do, then you can create a new account and do it again.

It's not perfect. It could be a proxy, so you're not guaranteed the contract you're interacting with.

There's no easy way to "see what a transaction does". You just need to do risk management.

[happyopossum]

> When a site initiates a transaction, you can see the address you're interacting with. You should then look up the address on etherscan to see if it has public code and a lot of transactions. Then you should search that address in google and see if the main site links to it. A lot of projects have a list of addresses in their github. You can also inspect the function code. Once you're comfortable, you should add it to your saved addresses on your wallet and next time you'll see the name of the address

Oh, that’s it? So simple.

[tsimionescu]

> Also you can create a new throw away address, transfer just a little bit of coins to it and interact with the contract. If it does what you think it should do, then you can create a new account and do it again.

How much money would you be spending on this scheme (in transaction fees)?

[pmcjones]

Any suggestions for how this could be scaled up to the general public (the vast majority of whom aren't comfortable reading code and have no idea what github is)?

[bko]

There may be a public repo of known addresses. Of course it would be centralized and carefully curated, but I think that would be a good start.

I wish wallets made it easier to create a burner throw away account or there were some trusted contracts that would create an account, do something and then transfer back to another account. I don't know if anything like that exists or even if the workflow is generalizable enough

[davidmurdoch]

I'm currently building in the ability to inspect a transaction's effects before it is run directly into MetaMask. So... we'll alleviate some of the problem Soon (TM)

[jensvdh]

Problems that have been solved by regular banking decades ago. Jesus Christ the stupidity of crypto amazes me every day.

[ikt]

> Problems that have been solved by regular banking decades ago.

https://www.savings.com.au/news/scamwatch-2021

Australians lost a record $323 million to scams in 2021

--

So glad they solved fraud prevention 'decades ago'.

[threeseed]

There is nothing about crypto that prevents scams.

But in the regular banking system we have decades of experience in how to mitigate the impacts of them e.g. account insurance, MFA for any new transfers or over a certain limit, auditing by independent regulators.

[roflyear]

How do ya get your scammed cryptocurrency back, again?

[mitchdoogle]

Crypto attracts a lot of statements like this and it's so ridiculous when you think about it because usually the statement applies so generally as to be virtually irrelevant. Almost every invention or new thing solves a problem that was solved already, and yet they often find success and may even become more popular than whichever way people were using to solve that problem before.

The tech community should be keenly aware of this because there are new apps, new languages, new libraries, new plugins, etc all the time, which solve a problem that was pretty much solved already.

You might counter that new things usually have to have some value proposition to gain a footing, like cheaper, faster, more reliable, etc. For one, that's not always true, but also crypto does have a value proposition like that. It's immutable, trustless, and can be anonymous. And it is even cheaper and faster than the regular banking system in some circumstances, depending on the sum being sent and where it goes.

[davidmurdoch]

I'm not Jesus Christ, but I understand your sentiment.

(let's keep the discussions civil)

[im3w1l]

People want the benefits of regular banking without the drawbacks.

[inkblotuniverse]

Unless you want to send money to truckers

[s5300]

Where have you heard anything about having issues sending money to truckers?

The only thing I can imagine you’re talking about is when some wannabe domestic terrorists rightfully had their funding declined.

[zeven7]

It depends on the website and the wallet, but either way the wallet app tells you what permissions it's giving the website. My guess is people don't pay attention or think about it. But it's not as parent described "the way the crypto community designed it". It's actually the opposite. The crypto community designed wallets that give you control over what third parties are allowed to do with your accounts. It's a lot more than what debit cards offer (I say debit cards because credit cards do of course offer a good rollback system).

[sdenton4]

Last year I had about $6k stolen via a compromised debit card and spent on some fly-by-night crypto exchange. The money was rolled back to me by the bank; no idea what happened on the crypto exchange side.

[zeven7]

Maybe you have a good bank. Or maybe I've just received incorrect information about the differences between a credit and debit card.

[cstejerean]

The difference is with a debit card you are out the money until it gets resolved. With a credit card you aren’t. But most banks will extend the same fraud protections regardless.

[dlubarov]

To be clear though, if the issuer doesn't impose its own limitations on cardholders' liability, there are still limitations based on Federal laws, and these are different for credit and debit cards. For credit cards it's a simple "liability shall not exceed $50" rule. For debit cards it depends; it can be unlimited in the case of "failure of the consumer to report within sixty days".

So it's safest to just avoid debit cards, unless you know that the issuer has their own legally-binding limits on cardholder liability.

[OJFord]

I think debit cards are more variable with bank and perhaps jurisdiction - credit cards somewhat naturally come with such protection since as a user your agreement is with the issuer (and hand wave, hand wave, ability to authorise payments) not the vendor.

[leesalminen]

I think it depends on whether the PIN was entered if not.

If entered, the transaction happens on the Maestro et. al. network and you can’t do chargebacks.

If no PIN was entered, the transaction happens on Visa/MC systems and you can chargeback.

[threeseed]

Fraud events are different from chargebacks.

Your bank irrespective of whether it's a savings account, credit card etc will almost always insure you against fraud provided you didn't do anything reckless e.g. write your PIN on the card.

[api]

> My guess is people don't pay attention or think about it.

This is a well known fact in secure system design. Most people just click through dialogs. If you must get their attention you have to make the dialog huge and scary but then people will usually just turn back instead of reading. Scary dialogs make it seem like you should never say OK.

[a4isms]

And not just secure system design.

“Undo” is powerful in any app, not just because it can roll a change back with a single click, but because scary dialog boxes (“Really, really REALLY delete this file? It can not be recovered once deleted, so check this box saying you know what you’re doing before clicking OK”) don’t work for regular apps, either.

[worksonmine]

How would you undo a crypto transfer, and is that a feature that fits in that system?

[zeven7]

There are ways it could be built into the contract. But most don't support that operation today.

[xwolfi]

But debit cards are protected and cant be used without several factors authentication. At least mine is.

[giaour]

Users might think to themselves, I give my credit card number to all kinds of sites; how is this any different?

The internet has kind of conditioned all of us to be OK with passing around complex payment instruments without paying too much attention. If you're a hardcore believer in cryptocurrency as a political project, you almost certainly understand the difference and see the "code is law" dark forest as a feature, not a bug. But if you started buying crypto and NFTs because Matt Damon and Larry David told you to, then you're in for a world of hurt.

[jensvdh]

Because credit cards have consumer protection and laws and regulations. Crypto has none of that.

[Gigachad]

The crypto space is rediscovering the financial system from first principals. At least by the end they can hopefully appreciate that the original government controlled system actually works the way it does for a reason.

[rodgerd]

> At least by the end they can hopefully appreciate that the original government controlled system actually works the way it does for a reason.

"A religion cannot fail, it can only be failed"; I admire your optimism, but I expect that the true believers will not question whether the premise of cryptocurrencies is wrong, but rather will twist themselves in knots to find new scapegoats as to why it doesn't work the way they expected.

[cowtools]

Huh? Cryptocurrencies operate just as expected, basically the same as they did ten years ago. Crypto never changed, the users did.

[cowtools]

The crypto space isn't rediscovering anything. Speculative investors and other noobs are discovering cryptocurrency for the first time.

[Gigachad]

All of these scams, crashes, and exploits are things that happens previously with regular currencies and have since been regulated away. Now crypto comes in with unregulated currency and runs in to every issue the regulations existed to prevent.

[SilasX]

Scams … have been regulated away?

[cowtools]

These scams, crashes, are exploits are non-issues to anyone with a reasonable degree of competence and skepticism. The solution is not to "fix" the system by removing user agency so that even an idiot can use it safely, but to educate users so that an idiot doesn't need to use cryptocurrency in the first place.

This criticism of cryptocurrency would be analogous to criticizing the concept of fiat currency by pointing to the inflation of the deutsche mark as an example. The cryptocurrencies being discussed here are real cryptocurrencies, they are bloated and useless shitcoins. Any credible project would not have all the bloated crap that enables the "exploits" mentioned in the article in the first place.

[cowtools]

Credit cards wouldn't need such stringent "protection" and surveilance if they were secure and dependable in the first place.

Of course cryptocurrencies do not have such regulations. the purpose of cryptocurrency is to facilitate exchange with untrusted parties.

[kahnclusions]

The point is that cryptocurrencies are not secure nor dependable in the way that people actually need them to be, and they don’t solve any of the actual problems that people have with the banking and credit system.

[cowtools]

Cryptocurrencies are secure and dependable in the way that I need them to be and they solve problems that I have with the banking and credit system.

I mean, really. The security of the banking/credit system is not even based on public/private key cryptography. There is no notion of a separate spend address vs a sending address. Anyone with access to your (usually open source or easily findable) information can make a transaction on your behalf. Identity theft is a massive problem which is enabled by the current state of the industry.

[epigramx]

That's literally like saying Windows is terrible because it allows you to run programs outside a phone-like sandbox.

[luxuryballs]

I’d probably blame the victim if they kept their USD as 1 dollar bills scotch taped to the outside of their clothing though.

I think it’s the nature of crypto that part of the benefit comes from the cost of it being up to the individual to maintain. Selling a product/service that consumes crypto or holds it easily might be the answer (like a bank is to usd), now the individual is giving up the keys though.

There’s a trade-off there that is very cool because it only exists because bitcoin adds the option of more reliably securing the money “all by yourself” rather than needing a bank due to physical limitations.

In that sense there are many crypto holders out there that may wish they had just kept it on Coinbase…

TLDR the cost of having it be serious to use crypto is well worth it for the power and value of crypto itself, it’s like the cost otherwise paid to run a bank, put into a different form, the average economy of carelessness

[MomoXenosaga]

Banking the unbanked lol.

[wp381640]

More unbanking the banked recently

[Thorrez]

>Absolutely baffling that the crypto community normalized this process of connecting your wallet to a random website and letting it access all of your money.

Is it worse than browsers+OSes allowing you to download and run a program? Or Github or npm or browser extensions? All 4 of those could steal all your crypto too if you install them.

[nubb]

you’re right. the unreasonable complexity of crypto is why people fall for phishing scams. thanks.

[mushbino]

Right? It's a good thing our monetary system and financial instruments aren't complex, phew!

[giaour]

It's one thing to have complex payment instruments where innocent mistakes are reversible. Having them in a world where everything is permanent is another situation entirely.

[mitchdoogle]

Tell that to everyone who has had their identity stolen through no action of their own

[julianlam]

> unpredictable gas fees

The fact that gas fees even exist just boggles the mind.

Bank fees at least on paper pay for overhead of running the wire transfer system. Gas fees (to my uninitiated understanding) literally just pay for the excess waste that is Ethereum, by design.

[melony]

Yeah they should pay Plaid a grand a month for that privilege instead.

[xur17]

Oh man.. don't get me started on Plaid. The fact that we normalized entering your bank login details in random apps is absolutely insane to me.

[trompetenaccoun]

It turns out you're not the first person to realize that this is an issue. If you'd actually read up on cryptocurrency wallets before commenting, you might have found there are multiple solutions for this out already, including one of the most popular Ethereum wallets called Argent, which let's you set limits.

Basically the fraud described is a twist on the classic "Musk giving away BTC" scam that's all over Youtube because Google is apparently unable to prevent it. You have to be fairly naive to fall for it in the first place. But ok, no victim-blaming. The way you can prevent it on smart contract platforms is simply holding the funds in a smart contract that allows users to set restrictions so that they couldn't take that expensive NFT even if the user mindlessly clicks on a fishing link, connects the wallet and approves the transaction without checking what it is. Same as having a withdrawal limit on your bank card. And you can also whitelist wallets, the contract then automatically blocks any transfers to untrusted wallets. If the user manually overrides this by getting his guardians to agree, there's no stopping them of course.

Ultimately you won't be able to protect everyone. A determined enough fool can also go to Western Union and mail money to the scammer. In the US they have those prepaid card scammers. Or they come to your home, telling you they're police and need to inspect your valuables. Yes, that's a real actual scam that exists in Europe.

[PragmaticPulp]

> If you'd actually read up on cryptocurrency wallets before commenting, you might have found there are multiple solutions for this out already, including one of the most popular Ethereum wallets called Argent, which let's you set limits.

You're making a great example of the victim-blaming I mentioned in my comment: That anyone who is surprised by their money disappearing clearly just didn't do all of the right research and use the right wallets and set all the right options to set the right limits and so on and so on.

Obviously there are right ways to navigate the crypto space and not get burned, but the issue is that the crypto community seems to think it's okay that everything is complicated and prone to new users making mistakes that people are routinely losing huge amounts of money due to not being 100% up to date on the right way to do everything.

> The way you can prevent it on smart contract platforms is simply holding the funds in a smart contract that allows users to set restrictions so that they couldn't take that expensive NFT even if the user mindlessly clicks on a fishing link, connects the wallet and approves the transaction without checking what it is.

Yep, sounds easy. To avoid losing everything you just have to set up a smart contract and then...

I can't believe this stuff passes for reasonable suggestions in the crypto world.

[mitchdoogle]

You ignored the part about how people are scammed using credit cards, cash, wires, etc. The problem isn't crypto - it's dishonest people developing scams to trick others into sending money. I'd bet that far more money is lost in scams using methods that don't depend on cryptocurrency rather than the ones that do. Just like with those other scams, education is a very important part of prevention.

[captn3m0]

With other scams, it’s supremely hard for scammers to cash out without a clear identity trace to follow. As a simple example, the huge explosion in ransomware is directly linked to the rise in cryptocurrency, because prior to that getting paid for ransomware was much tougher.

With Crypto, payments are irreversible, all transactions are transfers, all payees are equal (no merchants for payments and P2P for transfers) and it all combines together to be the perfect scammer heaven - you can scam people without any repercussions anonymously.

[trompetenaccoun]

It's an app that you download and setting up is so easy an 8 year old can do it. No one has to deploy a smart contract on their own, you just go to the app store and install it. It's inexplicable to me why someone would complain about software they've clearly never used or even looked at.

Of course people can use other wallets if they like to. These are open networks just like the internet itself. No one can stop folks from doing dumb stuff online, input their credit card information where they shouldn't, wire thousands of dollars to a "girl" overseas who "loves" them, visit shady sites with their outdated Internet Explorer on a WindowsXP machine... Why didn't Microsoft prevent this!?

[infotogivenm]

> The way you can prevent it on smart contract platforms is simply holding the funds in a smart contract that allows users to set restrictions so that they couldn't take that expensive NFT even if the user mindlessly clicks on a fishing link, connects the wallet and approves the transaction without checking what it is.

Yes, so simple! Just put your coins into this website’s smart contract and you’ll be much more secure.

[trompetenaccoun]

It's not a website. Read this if you're unsure what a smart contract is: https://ethereum.org/en/developers/docs/smart-contracts/

Btw yes, from a user perspective it actually is very simple and easy to use. It's a good wallet for beginners. Most who're more active and understand the tech have hardware wallets. You could combine the two solutions as well.

[jensvdh]

Good luck explaining that to the supposedly unbanked crypto is trying to reach.

[trompetenaccoun]

Do you explain TLS to casual internet users? I'd like to see that.

The regular non-tech savvy user doesn't necessarily have to understand the details. That's why people are working on such solutions in the first place. Someone experienced with blockchains would never connect their wallet to a random stranger's and approve draining their funds. However the massive hype around them has brought in a lot of new users.

Wallets have come a long way from people writing their private key on a piece of paper back in the early days. The above complaint is bizarre in this context, because what they described is the exact opposite of what's actually happened. Every reputable wallet team has worked hard on improving security over the past years using strategies like social recovery, multi sig, cold storage of keys, etc.

[uncomputation]

> smart contract that allows users to set restrictions so that they couldn't take that expensive NFT

If they got someone to execute a malicious transaction, couldn’t the scammer just `curl etherscan.io/VICTIM`, get the restriction amount and go just under that? With normal banking, everything is closed so you can’t access that kind of information that easily, but since crypto is so open, isn’t this possible?

[ikt]

How do you go under a restriction to not take a users digital items? The restriction is, you have access to X which is being traded, not X+Y+Z.

[daniel-cussen]

This is why you use a reputable website, like Coinbase, despite the outrageous fees. They have a brand as collateral if they fuck up. They had that crazy early growth rate, and at the very least the dot-com of a word Satoshi coined, and he's coined more wealth than literally anybody. Modern day Croesus of Lydia. Literally as rich as Croesus.

[joshgroban]

You don't know what you're talking about.