[dcolkitt]

That's not how it works at all. When you connect a wallet, the only unrestricted access it gives the app is the ability to see your public address.

The app does not have the ability to sign transactions on your behalf without your explicit approval.

[dlubarov]

The parent is probably thinking of websites which make use of ERC20's 'approve' method, which "Sets `amount` as the allowance of `spender` over the caller's tokens."

It's used by a lot of DeFi apps, often with an unlimited amount. It doesn't give control of the tokens to a website, but rather to a contract. It's fine if the contract is secure and immutable, but of course that's not always the case.

[quickthrower2]

It depends on the site of course.

It is easy to create a site that asks you to provide your wallet private phrase. The DNS MyEtherWallet hack that I vaguely recall exploited this.

On the other hand, good crypto citizens will just use the web3 library that will request permissions on an ad-hoc basis from your wallet extension (such as MetaMask).

However even then you can scam someone using social engineering: Just tell them "how" to do XYZ. E.g. "To get your free mini-monkey NFT, just connect your wallet with your bored ape, and when the confirm box pops up from metamask just click OK".

The fiat equivalent of course is a site that asks you to log into paypal and send them $1000 - but that is way more obvious than the crypto equivalent, where you interact with a smart contract and it isn't necessary clear ahead of time what will happen. Especially as smart contracts might be used for, for example user registration. If the user registration endpoint asks for money then you could get scammed that way.

[gowld]

What does a user see? How should a user investigate a transaction to check what it does? Is there any good automated explanation/visualization of the effect of a transaction?

[bko]

This is what I do:

When a site initiates a transaction, you can see the address you're interacting with. You should then look up the address on etherscan to see if it has public code and a lot of transactions. Then you should search that address in google and see if the main site links to it. A lot of projects have a list of addresses in their github. You can also inspect the function code. Once you're comfortable, you should add it to your saved addresses on your wallet and next time you'll see the name of the address.

Also you can create a new throw away address, transfer just a little bit of coins to it and interact with the contract. If it does what you think it should do, then you can create a new account and do it again.

It's not perfect. It could be a proxy, so you're not guaranteed the contract you're interacting with.

There's no easy way to "see what a transaction does". You just need to do risk management.

[happyopossum]

> When a site initiates a transaction, you can see the address you're interacting with. You should then look up the address on etherscan to see if it has public code and a lot of transactions. Then you should search that address in google and see if the main site links to it. A lot of projects have a list of addresses in their github. You can also inspect the function code. Once you're comfortable, you should add it to your saved addresses on your wallet and next time you'll see the name of the address

Oh, that’s it? So simple.

[tsimionescu]

> Also you can create a new throw away address, transfer just a little bit of coins to it and interact with the contract. If it does what you think it should do, then you can create a new account and do it again.

How much money would you be spending on this scheme (in transaction fees)?

[pmcjones]

Any suggestions for how this could be scaled up to the general public (the vast majority of whom aren't comfortable reading code and have no idea what github is)?

[bko]

There may be a public repo of known addresses. Of course it would be centralized and carefully curated, but I think that would be a good start.

I wish wallets made it easier to create a burner throw away account or there were some trusted contracts that would create an account, do something and then transfer back to another account. I don't know if anything like that exists or even if the workflow is generalizable enough

[davidmurdoch]

I'm currently building in the ability to inspect a transaction's effects before it is run directly into MetaMask. So... we'll alleviate some of the problem Soon (TM)

[jensvdh]

Problems that have been solved by regular banking decades ago. Jesus Christ the stupidity of crypto amazes me every day.

[ikt]

> Problems that have been solved by regular banking decades ago.

https://www.savings.com.au/news/scamwatch-2021

Australians lost a record $323 million to scams in 2021

--

So glad they solved fraud prevention 'decades ago'.

[threeseed]

There is nothing about crypto that prevents scams.

But in the regular banking system we have decades of experience in how to mitigate the impacts of them e.g. account insurance, MFA for any new transfers or over a certain limit, auditing by independent regulators.

[roflyear]

How do ya get your scammed cryptocurrency back, again?

[mitchdoogle]

Crypto attracts a lot of statements like this and it's so ridiculous when you think about it because usually the statement applies so generally as to be virtually irrelevant. Almost every invention or new thing solves a problem that was solved already, and yet they often find success and may even become more popular than whichever way people were using to solve that problem before.

The tech community should be keenly aware of this because there are new apps, new languages, new libraries, new plugins, etc all the time, which solve a problem that was pretty much solved already.

You might counter that new things usually have to have some value proposition to gain a footing, like cheaper, faster, more reliable, etc. For one, that's not always true, but also crypto does have a value proposition like that. It's immutable, trustless, and can be anonymous. And it is even cheaper and faster than the regular banking system in some circumstances, depending on the sum being sent and where it goes.

[davidmurdoch]

I'm not Jesus Christ, but I understand your sentiment.

(let's keep the discussions civil)

[im3w1l]

People want the benefits of regular banking without the drawbacks.

[inkblotuniverse]

Unless you want to send money to truckers

[s5300]

Where have you heard anything about having issues sending money to truckers?

The only thing I can imagine you’re talking about is when some wannabe domestic terrorists rightfully had their funding declined.

[inkblotuniverse]

MLK would've had his bank account frozen. If I want to send somebody money, I want to send them money; no matter what you call them.

Crypto seems like a convenient way to do this, and the more repressive governments get, the more of a use-case there'll be!

[djbusby]

Maybe was poke at the "Freedom Convoy"?

[zeven7]

It depends on the website and the wallet, but either way the wallet app tells you what permissions it's giving the website. My guess is people don't pay attention or think about it. But it's not as parent described "the way the crypto community designed it". It's actually the opposite. The crypto community designed wallets that give you control over what third parties are allowed to do with your accounts. It's a lot more than what debit cards offer (I say debit cards because credit cards do of course offer a good rollback system).

[sdenton4]

Last year I had about $6k stolen via a compromised debit card and spent on some fly-by-night crypto exchange. The money was rolled back to me by the bank; no idea what happened on the crypto exchange side.

[zeven7]

Maybe you have a good bank. Or maybe I've just received incorrect information about the differences between a credit and debit card.

[cstejerean]

The difference is with a debit card you are out the money until it gets resolved. With a credit card you aren’t. But most banks will extend the same fraud protections regardless.

[dlubarov]

To be clear though, if the issuer doesn't impose its own limitations on cardholders' liability, there are still limitations based on Federal laws, and these are different for credit and debit cards. For credit cards it's a simple "liability shall not exceed $50" rule. For debit cards it depends; it can be unlimited in the case of "failure of the consumer to report within sixty days".

So it's safest to just avoid debit cards, unless you know that the issuer has their own legally-binding limits on cardholder liability.

[OJFord]

I think debit cards are more variable with bank and perhaps jurisdiction - credit cards somewhat naturally come with such protection since as a user your agreement is with the issuer (and hand wave, hand wave, ability to authorise payments) not the vendor.

[leesalminen]

I think it depends on whether the PIN was entered if not.

If entered, the transaction happens on the Maestro et. al. network and you can’t do chargebacks.

If no PIN was entered, the transaction happens on Visa/MC systems and you can chargeback.

[threeseed]

Fraud events are different from chargebacks.

Your bank irrespective of whether it's a savings account, credit card etc will almost always insure you against fraud provided you didn't do anything reckless e.g. write your PIN on the card.

[api]

> My guess is people don't pay attention or think about it.

This is a well known fact in secure system design. Most people just click through dialogs. If you must get their attention you have to make the dialog huge and scary but then people will usually just turn back instead of reading. Scary dialogs make it seem like you should never say OK.

[a4isms]

And not just secure system design.

“Undo” is powerful in any app, not just because it can roll a change back with a single click, but because scary dialog boxes (“Really, really REALLY delete this file? It can not be recovered once deleted, so check this box saying you know what you’re doing before clicking OK”) don’t work for regular apps, either.

[worksonmine]

How would you undo a crypto transfer, and is that a feature that fits in that system?

[zeven7]

There are ways it could be built into the contract. But most don't support that operation today.

[worksonmine]

On whose authority and why? In this case the customer was promised a product they didn't get. And with traditional banking usually it's the other way around, businesses have to live with chargebacks for products they sell to people with stolen card info.

Always someone getting burned, but in this case it's the "idiots" for lack of better word. Don't try to make cryptocurrencies work like fiat, that's exactly the kind of problems they're trying to solve.

And let's say someone implements your solution, years later you will read how a bad actor did a chargeback for all the coins in those contracts and you will claim it was a retarded feature from the start.

[xwolfi]

But debit cards are protected and cant be used without several factors authentication. At least mine is.