Chapter 1: Security in Web3
Why is Security Important?
Nothing can discourage someone new to Web3 more than losing their crypto, savings, or assets. Currently, the biggest security challenges in Web3 are hacks and scams. Users lost over $1.4 billion in 5 of the biggest hacks in 2022. According to a Chainalysis crime report in 2023, the DeFi sector accounted for 82% of all stolen crypto. Romance scams, followed by impersonation scams and giveaway scams, were the most common types of crypto scams.
Chainplay's Crypto Crime Report 2023 found that rug pulls were the most common form of crypto crime, with 287 cases reported and $9.3 billion lost. A few bad actors can severely damage the perception of the crypto industry. A lack of education and awareness, together with the immaturity of the crypto industry, is why scammers and hackers take advantage of new (and experienced) investors.
dApps, Wallets, Private Keys and Smart Contracts
To better understand security in Web3, we need to understand its components which include dApps, wallets, private keys and smart contracts.
1. dApps
dApps are decentralized applications on the blockchain. dApps let you buy or sell crypto, participate in DeFi (staking, lending, borrowing, derivatives), play Web3 games, trade NFTs, and much more.
2. Wallets
A digital wallet lets you navigate the decentralized Web. Think of your digital wallet as your entry to Web3 that lets you access dApps to play games, mint NFTs, trade crypto and more. It’s unique to you!
3. Private Key
To access your digital wallet, you need a secret that works like a password: your private key, which wallets usually back up as a recovery phrase. Your recovery phrase is 12-24 words and grants full access to your wallet and crypto, so it’s essential to keep it safe. However, just as hackers target your email password, bad actors also target your private keys. Hackers try to get hold of your private keys through phishing scams, hacks, fake dApps, and more.
4. Smart Contracts
Smart contracts are the building blocks that make Web3 possible. However, when you use your wallet to access a dApp or sign a smart contract transaction, you are also exposed to potential smart contract security issues. Issues such as unverified ecosystems, flaws in the code, or a lack of security updates could also lead to you losing your crypto.
How do you access Web3, dApps and crypto safely and securely?
- Use risk scanning tools to analyze smart contracts. The DappBay Risk Scanner and the AvengerDAO Meter API are two smart contract scanning tools that give you the risk rating of different smart contracts on BNB Chain.
- Use resources that track and notify you of risky dApps. DappBay’s Red Alarm updates you on the riskiest dApps on BNB Chain, and Hashdit highlights timely threat intelligence.
- Keep your private keys safe and stored offline.
- Keep your main crypto in a separate wallet from your Web3 hot wallet.
- Access up-to-date security audits from trusted providers such as Certik and Go+.
- Use blockchain intelligence platforms such as Arkham to unmask pseudonymous actors and see a complete view of their behavior.
Never trust anything and always verify for yourself!
Chapter 2: What is AvengerDAO
AvengerDAO is a community that protects users from possible exploits, scams and malicious actors on BNB Chain.
What are smart contracts?
Smart contracts are programs on the blockchain that act as self-executing contracts. Smart contracts eliminate the need for centralized apps. For example, buyers and sellers can transact with each other directly with the help of smart contracts. Smart contracts also enable the ownership of in-game NFT assets.
A smart contract address is a unique address that helps a user identify smart contracts. Tokens and NFTs have smart contracts too! Token smart contracts, for example, serve to track the units, holders, and balances of the token on the blockchain.
Here is an example of a smart contract address (Galxe’s): 0x91842B943A5cBBF520f3a72318FAf1aC967384Ca
The Issue
1. Security
If you want to play a game, mint an NFT, or buy or sell a token on the blockchain, you must interact with a smart contract. However, when you interact with smart contracts, you could interact with fake dApps, contracts with security flaws, unverified ecosystems, Ponzi schemes, rug pulls, honeypots, and more. Even airdrops you get for free could have risks.
2. Accessibility
Secondly, users have access to multiple risk rating tools, risk scanners, and security audits to check if a smart contract works as intended. However, multiple scoring systems from different providers can be difficult and confusing for a novice Web3 user to navigate.
3. Inexperience
Lastly, new Web3 users may not understand how smart contracts work. So even if a potential exploit is pointed out, a user may not understand what it means or the full implications of the exploit.
The Solution: AvengerDAO
AvengerDAO helps users assess the security level of any smart contract on BNB Chain with the Meter API. The Meter API is a free risk-scanning tool developed by AvengerDAO. Paste any BSC address into the AvengerDAO risk scanner and get a comprehensive evaluation of that address.
AvengerDAO established partnerships with key security providers to seamlessly integrate their API into the Meter API. The Meter API draws from the APIs of multiple leading security companies such as GoPlus and Hashdit. Instead of manually searching for each security evaluation, access all important smart contract security assessments in one place with the Meter API.
The risk level assigned is based on data gathered by auto-scan tools, algorithmic models, and the level of transparency and accuracy of the contract. A simple risk rating from 1 to 5 ensures you understand the risk level at first glance, with a more detailed risk assessment (type of risk, risk providers, and more) available below.
Navigating Smart Contracts Safely for Dummies featuring AvengerDAO
Suppose you have an NFT contract address or a token contract address. How would you check if the contract is legitimate or not while staying safe from malicious actors? Or you got an airdrop of tokens and aren’t sure if it’s legitimate?
Step 1: Go to the AvengerDAO risk scanner.
Step 2: Paste the smart contract address (token address or NFT address) in the box next to Search and then click on ‘Search’.
Step 3: Get a risk rating between 1 and 5 (a high rating of 5 means low risk and vice versa).
Step 4: Scroll down for a detailed analysis of the smart contract risk scan.
Step 5: Use the risk level rating as a reference when you DYOR.
Chapter 3: 10 Types of Scams in Web3 and the Importance of Red Alarm
Bad actors tend to take advantage of Web3 users through different types of scams in Web3 including hacks, unverified ecosystems, phishing scams, Ponzi schemes, fake dApps, backdoor mechanisms, rug pulls, honeypots, security flaws and misleading statements.
High-risk BNB Chain dApps share one or more common themes. These include a lack of documentation and white papers, anonymous team members, most followers or users being bots, centralization among top holders, no legitimate audit report, unverified contracts, high fees, backdoor or potential backdoor methods, and more.
DappBay's Red Alarm has helped identify over 450 risky dApps in under a year, with the Red Alarm list updated every week (on Friday). Learn about the 10 types of scams in Web3 in detail through case studies of 50 high-risk BNB Chain dApps flagged by Red Alarm.
Chapter 4: Analyzing dApp Risk Using Risk Scanner
dApps are decentralized applications built on the blockchain. dApps are similar to apps in providing services, convenience, accessibility, entertainment and more.
Today, Web3 users have access to thousands of dApps across different categories such as gaming, DeFi, marketplaces, social, tools and utility, metaverse, and more. However, not all dApps are legitimate, authentic, or reliable.
When you mint an NFT, play a game, participate in a quiz-to-earn contest, or access tokens airdropped to you, you are potentially at risk.
What are Risky dApps?
Risk is defined as any deviation from an expected outcome. Suppose you decide to stake your tokens with a dApp to earn staking rewards. You decide to go with the highest returns and lock your tokens. After a few months, when you try to withdraw your staked tokens, you realize that you cannot withdraw them or that your tokens are gone.
When you use a dApp to play a game, you expect to play a game. When you use a dApp to trade crypto, you expect to buy or sell crypto. However, if using a dApp leaves you potentially vulnerable and at risk of losing your crypto, then the dApp is risky.
What are the risks of using dApps?
Imagine you’re new to crypto and still figuring out which DeFi service you want to use to buy and sell your tokens. It can be hard to select the right dApp because a user has access to multiple options, not all options are legitimate, and a user may not know specifically what security risk to look for.
Some of the risks associated with using risky dApps include phishing attacks, rug pulls, fake dApps, honeypots, security flaws, backdoor functions, Ponzi schemes, unverified ecosystems and more.
How to Use dApps Safely?
The DappBay Risk Scanner helps you verify the safety of any BSC smart contract. It’s as simple as pasting the smart contract address, scanning, and viewing your scan results. With the DappBay Risk Scanner, Web3 users can check a dApp in a matter of seconds and identify risky dApps to avoid. DappBay’s Risk Scanner is powered by AvengerDAO through the APIs of multiple leading security companies such as GoPlus and Hashdit.
How to use DappBay Risk Scanner?
Step 1: Paste any BSC smart contract address in the ‘input BSC contract address’ field.
Step 2: Click on ‘Scan Now’ below.
Step 3: Give the scanner a few seconds to analyze the risk and give you a risk rating.
Step 4: Get a rating from very-low risk to very-high risk.
Step 5: Access a more detailed risk description below the risk rating.
Step 6: Access your past scanning history and results or scan a new contract all in one place.
Disclaimer: DappBay is an open platform for all developers building on BNB Chain to display their projects. Description and information on dApps listed on DappBay are directly provided by the developers of the respective project. Projects featured on DappBay are not recommended, vetted or endorsed by BNB Chain Labs, BNB Foundation or any other affiliated entity. Do your own research - you are solely responsible for your investment decisions and your use of any project featured on DappBay is at your own risk. The material available in DappBay should not be construed as financial advice.