Fire Transaction Simulator with Jeff Krantz and Josh Breite
31 January 2023
Summary
Today on the show I'm joined by Jeff Krantz and Josh Breite, cofounders of Fire. Fire is a consumer oriented EVM transaction simulator designed to keep blockchain transactors from losing their NFTs and fungibles to malicious transaction requests. In its current form, Fire is a Chromium browser extension. When a dapp requests a Metamask wallet signature, a Fire window pops up next to Metamask, providing human readable context on what this transaction will do. Requests for NFT transfer permissions and fungible token transfers are displayed in clear language, with a picture of any NFTs that will be affected.
In this conversation, Jeff and Josh share the origins of Fire, its mission, and how the extension works on a technical level, including aspects of its tech stack. We discuss a variety of common attack patterns that users should watch out for, and some signature request types that are generally innocuous. We also discuss what trust implications prospective Fire users should consider before installing the extension in their browser, and whether or not remote simulation of transactions is a privacy concern.
It was great chatting with Jeff and Josh about the ins-and-outs of Fire, especially in light of the recent swath of OG wallet hacks these past few weeks. I hope you enjoy the show.
Transcript
Nicholas: Welcome to Web3 Galaxy Brain. My name is Nicholas. Each week I sit down with some of the brightest people building Web3 to talk about what they're working on right now. Today on the show, I'm joined by Jeff Krantz and Josh Breite, co-founders of Fire. Fire is a consumer-oriented EVM transaction simulator designed to keep blockchain transactors from losing their NFTs and fungibles to malicious transaction requests. In its current form, Fire is a Chromium browser extension. When a DApp requests a Metamask wallet signature, a Fire window pops up next to Metamask, providing human-readable context on what this transaction will do. Requests for NFT transfer permissions and fungible token transfers are displayed in clear language, with a picture of any NFTs that will be affected. In this conversation, Jeff and Josh share the origins of Fire, its mission, and how the extension works on a technical level, including aspects of its tech stack. We discuss a variety of common attack patterns that users should watch out for, and some signature request types that are generally innocuous. We also discuss what trust implications prospective Fire users should consider before installing the extension in their browser, and whether or not remote simulation of transactions is a privacy concern. It was great chatting with Jeff and Josh about the ins and outs of Fire, especially in light of the recent swath of OG wallet hacks these past few weeks. I hope you enjoy the show. Hey Jeff, how's it going?
Jeff Krantz: Hey Nicholas, it's good. How about you?
Nicholas: Good. Must be a busy time of year for you.
Jeff Krantz: Yeah, it's been an extremely busy week and I'm trying to peel myself away from Twitter, but the notifications keep pulling me back in.
Nicholas: What's the hottest one? The Kevin Rose tweets or something else?
Jeff Krantz: Yeah, it's all been, for the most part, Kevin Rose stuff. And just when it seemed like it was kind of trailing off today, then we saw the Azuki Twitter hack, which, you know, I think it's a pretty big deal. I think the whole team at Fire is just like ready for these notifications and the dopamine to kind of trail off at this point and get back to work. But it's been a good week.
Nicholas: Good week for some. Good week for Fire. Bad week for others. Yes.
Jeff Krantz: Good week for Fire. Yes, exactly. But I think, but at the same time, I think, you know, Kevin's definitely taken it in stride and it's been amazing. I think it's been amazing the onboarding opportunity it's been for security tools in general for Web3. It made it top of mind for everybody. No one wants to think about security until it's too late. And of course, unfortunately for Kevin, he had to experience the loss, but I think it kind of put everybody in his chair a little bit for the week and made them seriously start thinking about, at least a little bit about their security in Web3.
Nicholas: I guess we should, well, first of all, welcome, Jeff. Welcome, Josh. Co-founders of Fire, which is an extension that adds context to transaction requests commonly used with MetaMask, but it works with any wallet I imagine. And we're talking a little bit about the Kevin Rose, I guess, is hack the appropriate word? He was tricked into signing a malicious message transaction. Not I guess a message more than a, he didn't communicate the transaction on chain himself from what I understand, but it resulted in him losing a bunch of squiggles and an Autoglyph and some other things. Maybe Jeff or Josh, you could explain a little bit more context on that before we jump into what Fire does and how it works.
Jeff Krantz: Yeah, sure. I'll start with, I guess the hack slash attack slash scam slash what's the word? Deep herb error between user and keyboard error between brain and keyboard, something like that. I'm definitely, I'm definitely more of like a hack slash attack maxi than a like user error maxi, which I guess makes sense given the products that we're building. Some context on what happened there. Basically the best way to think of it is Kevin had his squiggles and his Autoglyphs and a variety of other NFTs listed on OpenSea. And how listing on OpenSea works, you may have noticed when you list an item on OpenSea, it doesn't leave your wallet. It actually stays in your wallet. And then when it sells, it gets transferred to the buyer. Have you ever wondered how that works? The way that it works is by a piece of technology called basically set approval for all. And what set approval for all allows you to do is to delegate another address, usually or hopefully a contract, that is allowed to transfer those assets on your behalf. Typically the way that works 99% of the time is you set approval for all to the exchange. And then when the item sells, the exchange is able to pull that asset out of your wallet and send it to the buyer and send you the funds that the buyer paid. Okay. So that's how OpenSea is supposed to work. But what happened this week was basically an attacker, scammer, hacker, whatever you want to call them, put together an offer to buy all of Kevin Rose's assets that had a set approval for all on OpenSea for them for, I don't know, a penny, something like that. And the way that this appears, basically the way that this offer is presented is a signature to Kevin Rose that is, it's what's called JSON, which is a format of the signature that needs to be signed. But it's basically code. It's an unreadable piece of, an unreadable, trying to think of a different word than string, but an unreadable set of text.
Nicholas: Yeah, it says I can read it out. You shared it. And actually maybe somebody can post it on the space here, but it says salt colon, and then I don't know about 60 numbers and then conduit key and another 60, 70 numbers and then counter zero. There's really no, and then, you know, MetaMask asking you to sign. There's really no way that a human, maybe a skilled developer who is also patient and has time could maybe figure out what it is that they're signing. But even then it's almost no developer is going to go to the effort. So it's no context for what you're signing, which I think is frankly terrible, terrible, terrible.
Jeff Krantz: Exactly. And the issue is compounded because as users, we've been conditioned to basically sign anything that's put in front of us without even thinking about it. Almost every web-free site or dApp you've gone to, the second you get to this site, it pops up. a thing that's just like makes you sign with your wallet for some reason. Or even OpenSea, every time you list an item or change the price on an item, like this exact pop-up pops up, it's the same exact signature. So you're used to signing that and it doesn't really set off any alarm bells. And that's what makes it so dangerous is, you know, he was tricked into thinking he was, I think, claiming a 6529 meme and this signature popped up and just, you know, I think he said he was busy on a phone call or something and he just clicked it. And the really scary part about it, and I think the thing that a lot of users didn't realize is that with one click, you can do a lot more harm than just losing, you know, one individual NFT or maybe one collection. You can lose everything that you have ever approved on OpenSea with just one misclick.
Nicholas: Right. So to summarize, if you're listing tokens on OpenSea, you are giving them, you're giving the OpenSea contract permission. You're communicating with the NFT contract, let's say Artblocks. If you want to sell Artblocks on OpenSea, you first have to sign a transaction that gives OpenSea's contract permission to move your Artblocks tokens. That's a permission that's set on the Artblocks contract. And then OpenSea will only use that permission. normally if you're making a sale, if someone is fulfilling, you know, making a purchase of a listing that you already created or fulfilling the requirements of an auction that you've set up on OpenSea. But in this case, because he was tricked into signing something that he didn't, you know, a website pretending to be another website tricked him into signing something relevant to OpenSea that would use that affordance, that ability to move his squiggles and other NFTs that had been, you know, given permission to be moved around by the OpenSea contract. This malicious website was able to, to whoever created it, was able to extract those NFTs from his wallet in one signature. As you say, the problem is compounding because as we move into a world of increasing sign in with Ethereum or social networks like Lens, where you're encouraged to sign messages corresponding to posting or signing into a website for the first time. OpenSea, we talked about a little bit. We didn't even talk about the first step when you connect to OpenSea, which is you sign a message. that is their terms of service. You're using your wallet to agree to their terms of service. And often those messages, you know, I think overall those messages are not dangerous, but they create a dangerous habit of yeah, whatever, whatever. Let me get to the next step so I can actually see what's in my wallet using the OpenSea interface. And that speedy habit forming is not great. Does that feel like a fair summary of the increasing problem of the situation?
Jeff Krantz: Yes, really well put. And another factor that these hackers almost always use is like a factor of time. A lot of them will have, you know, the mint, the total number of items minted is 490 of the 500 and it's counting up. It's like, you know, whatever the floor price is rising and it's about this is your moment and that's how they get you to speed it up and go through with that. So that adds another complication. And on the OpenSea, you know, maybe we've maybe we've gone over the OpenSea piece a little bit. But I also like to think of smart contracts just as, you know, ordinary IRL contracts. Basically, the hacker puts a deal in front of you to sign and says, OK, I'm going to buy all of your assets for one cent. They get you to sign the paper at the bottom because you can't understand contracts written in Chinese or the offers written in Chinese. And then they take that offer and they go to OpenSea, who is the broker, and they say, hey, here, look, Jeff agreed to sell me all his NFTs for one cent. And the smart contract goes ahead and executes it. So what I like to say that we're doing at Fire is, you know, we're making that signature request human readable. We're making Web3 simple. We're taking those contracts from Chinese and translating them into English for you.
Nicholas: Yeah. And this is a crazy thing. Before we get into Fire directly, I wanted to and Josh, I'll throw to you in a second. But this is actually something I've been griping about for a long time. You know, Metamask, I think, is probably the most popular hot wallet out there, at least anecdotally, it seems evidently the most popular. And they have started to do better with their data tab, showing at least somewhat human readable. It used to be just the whole of the transaction data in the hex tab. When you go to sign a Metamask transaction, which is really unreadable, not even divided according to this salt conduit key counter thing we mentioned earlier, but just a whole jumble of characters. Now the data tab separates things a little bit better. But still, it's not clear, if you don't know sort of the principles of blockchain, it's not clear what you're giving permission to to happen. And oftentimes if there are, let's say you're making an offer or a listing and you're doing so in ETH or WETH or USDC or DAI, you'll have dozens of zeros at the end of the number, making it very difficult to know as a regular person, even a developer. The way that we would do it is to highlight from the end of the number and count in groups of three or something like that to figure out. And then we'd have to think, OK, is it how many zeros am I actually supposed to have based on the amount of ETH or whatever token it is that I'm offering or WETH, I guess in that case. Although the wallets are getting a little bit better, they're really not sufficient. The one that I rail against most often, because it's the only other one that I have serious experience with, is Rainbow. Love the people at Rainbow and the product is very interesting.
However, if you're executing a transaction in Rainbow that is not one of the handful of transactions that they have interface built for, such as transferring an NFT, transferring an ERC20 fungible or doing some kind of swap on a known exchange, maybe Uniswap. I think they have UI for that. If you're doing anything other than those, they don't even present to you the transaction data in that jumbled format that's difficult to parse. They don't even show it to you at all. So very popular wallets that are known as highly usable, safe, approachable, every person kind of wallets are actually practicing really, really scary interface design patterns that I think we should be much more critical of. It's not a popular thing to do because people don't like to criticize products in the space. But the truth is that it's really, really objectionable that a wallet would ever encourage you to sign a transaction without letting you know what that transaction is doing. No way to find it. And that's the current state of Rainbow.
Josh Breite: Yeah, just to piggyback on that and sort of what Jeff was saying and sort of the lack of transparency. I think a lot of people treat sort of signing things like terms and conditions on your phone. Like I get an update from Apple. Like I'll press agree. Like what else am I really supposed to do when that's just like not the state of things on the blockchain and probably never will be. And so like that sort of condition to be like, oh, I'm not going to read this. I don't know what it means. And I don't know what's moving forward is a lot of the reason we built Fire and sort of moving forward. Let's make Web3 simple. Let's make it fun and accessible to everybody who isn't a dev, who's going to be able to be reading contracts, sorting through all this stuff and not scared to lose all their funds all the time.
Nicholas: So we'll get into a little bit, Fire, before we do, just let's introduce yourselves. Josh, maybe you want to go first. Can you tell the people a little bit what you were doing before you started working on Fire and what your role is at the company now?
Josh Breite: Yeah, for sure. I'm one of the co-founders of Fire with Jeff. I work on mostly product. Before I actually was at Northwestern and then started working at Adventure Studio where I met Jeff and we started working at Fire itself. And it all just sort of clicked when we were thinking about Web3 usability. I got into Web3 about two and a half, three years ago by now. I was working on a FinTech and just got really interested in the technology itself. And then I was trying to show it to all my friends, be like, look how cool all my NFTs are, look how cool everything is. And they're like, I have no idea what's going on and why this is important at all. So from there, Fire came out of that. as we were working, Jeff and I were working together and working through different ideas.
Nicholas: Cool. And Jeff, what was your background before working on Fire?
Jeff Krantz: Yeah, I'm a software developer by trade. Excuse me. I've been in crypto for about 10 years now. About 10 years ago, the developer sitting next to me at Groupon, where I was working at the time, looked at me and said, hey, Jeff, have you ever heard of Bitcoin? And I said no. And he said, you should look it up. That's my crypto rabbit hole story. I went home and bought some Bitcoin on eBay and I've been in the space ever since. I was a hodler for about the first five years. And then I realized I could work in the space sometime in 2016 when it started to kind of, I wouldn't say go mainstream, but more early adopters were coming on board. I worked in trading for about four years in the crypto space, but then come like DeFi summer, left the trading industry to go, as they say, Web3 full time, where I kind of worked as a contractor in the Web3 space for two years. Which brings us to the spring of this year, where a good friend of mine had his Bored Ape hacked in one of these phishing attacks, I guess before they were kind of as widely known as they are now. And when a Bored Ape was worth about a half a million dollars and reached out to me to figure out, you know, hey, Jeff, you're a crypto guy. What can I do to get it back? And it sucks to have to tell him there's nothing we can do at this point. And so that's what kind of set the scene for me on what we can do to help make Web3 safer and simpler as possible.
Nicholas: That's a great origin story. And is that person a user now of Fire?
Jeff Krantz: That's a great question. I think he last I saw, last I heard he'd rage quit Web3. I need to follow up with him and see if he's back. Yeah, I mean, it was pretty, it's pretty rough. I mean, I think it was mostly paper gains. Luckily, that's not like he bought a $500,000 Bored Ape. I think he was early into it, if not a mentor, but still half a million bucks is a half a million bucks.
Nicholas: Totally. So how does Fire work? How does it work on a technological level?
Jeff Krantz: Yeah, should I jump straight to that or should we give a quick intro on what it is?
Nicholas: Yeah, I guess, I guess. Yeah, might as well.
Jeff Krantz: Great. Yeah. So just a quick two minute explanation is our mission at Fire is to make Web3 simple. Today we do that via a Chrome extension that pops up next to your wallet. So MetaMask, Coinbase, whatever it is you're using, which still controls your keys. And we show you in a human readable format what is going to happen if you sign that transaction in your wallet. How does it work behind the scenes? Great question. So basically what we do is we take the current state of the fork of the blockchain. We fork it into basically you could think of it as a practice blockchain or a sandbox. And we take your transaction and we basically include it in the block and take a look at what happened inside of that block from that transaction. And then we boil it down to what is relevant to the user. And we return that and show it in a human readable format to the user so they can decide, hey, do they like the general outcome of this transaction and do they want to proceed?
Nicholas: Very cool. And for people who haven't seen the product yet, essentially it pops up a little window that looks exactly like MetaMask right next to MetaMask. if you are using MetaMask. I guess if you're using a Wallet Connect wallet on a different device, it would or in another tab, it would just pop up in the same aesthetic looking like a MetaMask pop up. But you'd have the signature request on your phone, for instance.
Jeff Krantz: We don't support Wallet Connect today. We haven't had a lot of requests for it. And they do some tricky things where they encrypt the transaction between the phone and the desktop where it's just like it's a heavy lift and we just haven't had a lot of requests for it. Mobile in general, we've had a good amount of requests for, so we're evaluating that and maybe that would be a place where we might hook into Wallet Connect or something like that.
Nicholas: Got it. So this like mainnet fork and simulated execution of the proposed transaction signature, is that happening all inside of the extension or is the forking happening on a server somewhere and there's communication? How does that work?
Jeff Krantz: Yeah, good question. So basically having the, it'd be amazing if we could run it all client side and maybe even more amazing, I would love it. I've heard Ledger supposedly might be releasing this where they could run a simulation somehow. They're saying they're going to release a simulation ledger. I don't know if it's on their hardware device or in Ledger Live. The tricky part about doing it on the hardware device, once again, is it's not connected to the internet. So you don't have the state of the blockchain, which makes it tricky. You might be able to surface a little bit more information, but we want to be able to give you a pretty good idea. if you're swapping, for example, in Uniswap, what the return you're going to get for the token that you're swapping for is. So we are sending it off to a server where we can use basically the current state of the blockchain to run the simulation.
Nicholas: I know that developers use Tenderly sometimes to simulate transactions. Anyone who's interacted with formerly Gnosis Safe has seen the simulate button in that interface where you can test out a transaction and see if it'll succeed and what the consequences will be. Although, frankly, not at all as clearly as Fire does. Do you use Tenderly in your stack or is that just something else that's out there in the world?
Jeff Krantz: Yeah, great question. We use Tenderly as part of our stack. From a build-versus-buy perspective, we just wanted to get this product out as quickly as possible. So we built the simulator with them and they basically, they give us the high level or maybe the low level details of what happened in the transaction. And then we take it and kind of parse it to the relevant pieces to the user and then kind of preview it up a little bit and show it to the user. We're also working internally on our own simulator as well. Now we've kind of beefed up the team a little bit. But as of today, yes, we are using Tenderly.
Nicholas: Cool. I guess people might want to know, is there any kind of privacy or security risk to communicating these requests for transactions to your servers and then whatever third parties you rely on just to get it done?
Jeff Krantz: I mean, my opinion is no, because it's just the transaction data that is going to end up on chain anyway. Right. That's kind of our stance. So, you know, it's I guess something for people to understand that it's being sent up to the servers. But from my perspective, and you know, I'm a kind of privacy nut myself, it's just the transaction details that are being sent up.
Nicholas: So I suppose if you were like a MEV trader type and you were really trying to keep your transaction secret until execution, you might not want to use Fire. But for the vast majority of people, the transaction, as soon as they click sign, is going to be in the public mempool anyway. And so it's not really not really a concern. If you're really hyped up on not sharing your transactions until they are included in blocks by using things like Flashbots, maybe then there would be some reason to be concerned. But it sounds like for other people, not so much.
Jeff Krantz: Yep, that's a perfect way to put it.
Nicholas: It makes sense that you're going to eventually maybe in-house some of that simulation technology. Part of this thinking makes me wonder, like, why don't wallets just do this themselves? Is there a clear reason why MetaMask doesn't include this directly with the same level of quality that Fire can?
Jeff Krantz: Yes, great question. And when we started building this, the feedback we got from our early prototypes that we showed to users was like, oh, my God, I need this right now. And we just knew that there was a lot of excitement about it. And the first question that came to our mind was, why didn't MetaMask do this in 2016? You know, I think they say about startups, like if nobody's building something, there's a reason why. And so we're like, what are we missing here? But it's actually interesting. Tay from MetaMask actually commented a little bit this week, I think for the first time on why they haven't done a simulation. And her response was basically just, we've got tens of millions of users and billions of dollars, if not more, under the control of MetaMask. And moving quickly, it's just too dangerous for us. You know, we've got to make sure we evaluate all edge cases before we release something like that. And, you know, we encourage, I think she even said, we encourage the startups that are working in this space to let this happen and kind of develop from there. But it's just something we can't do on a whim.
Nicholas: Yeah, I spoke a little bit with Dan Finlay, one of the co-founders of MetaMask about this some months ago, because it seemed to me, well, actually at the time, this data tab they'd introduced was doing a certain amount of human readable translation of the contents of the data of a transaction request. However, 70 or 80 percent of the time it would simply not work. And I asked him, why is this so difficult to do? It's, you know, Tenderly does it, other people do it. And his response to me was partly about the burden of API requests in order to do this for every transaction request passing through MetaMask, because it really is a huge number that are being surfaced and it's a non-trivial thing to solve. And also some concerns around centralization of that simulation. So I think their data tab that they have currently, it mentions Truffle in the thing. And I think that some amount of the work is done locally on the device. It has become more reliable, but frankly, it's no replacement for what Fire is proposing. It doesn't give you the visual representation of the NFTs moving around or the tokens, the amount of token that you'll be spending and the amount that you'll be spending on gas and swap transactions and things like that. So there does seem to be some reticence around developing that UI in-house. So it seems like while there may not be a clear reason why there's a moat, aside from scale, it does seem like it's not something they're addressing. Also beyond that, it seems like MetaMask in particular is moving toward pushing UI development towards snaps where third-party developers build on top of MetaMask rather than MetaMask doing everything in-house first party. I wonder if you've thought at all about Fire being a MetaMask snap in the future.
Jeff Krantz: Yeah, I think it's a move that makes sense for them because for one, it's opt-in by the user and the user will kind of have to go out and search for these snaps and install them into their MetaMask instance, which I think allows MetaMask to kind of be a little bit hands-off and take a stance of like use at your own risk, which I think is a big reason for them kind of moving slowly here as well. And yeah, in terms of us building a snap, we have already built a snap that uses Fire. I think snaps are slotted to come out like early Q2, something like that. But we're not very excited for it because, you know, I guess understandably the controls that they give a developer are extremely limited. It's basically you can make an API call with a transaction and then like display a, I believe it's Markdown is the formatting language that they use where we can basically show like in bold and unbolded characters what the simulation does. But it just doesn't give us anywhere near the level of control that we have in our own UI. And I think it's going to be tough from an adoption standpoint. It might help a little bit, but I think we're going to have to wait for further iterations for that to be something that we'll be able to kind of completely shut down our UI that lives on the side.
Nicholas: Yeah, I think it's taking this kind of wait and see approach with snaps. It will be interesting to see if it becomes a flourishing app ecosystem on top of MetaMask, which has a. MetaMask is great in terms of especially safe execution of JavaScript, which I think they've done a lot of research on. Kumavis, the other co-founder of MetaMask, has spent the last few years really deeply focused on supply chain attacks in the JavaScript that is executed inside of MetaMask, which most other people are not nearly as focused on. So I think there is some logic to MetaMask really focusing on being a secure place to store a private key or connect to a hardware wallet. But and then, you know, not outsourcing, but enabling others to develop the front ends. But it seems like most people are so far not entirely convinced about doing it, that work up front themselves until they see some examples. So it makes sense. So all this talk of security and stuff leads to the natural other question, which is, is it not scary for people to be installing an extension from the Chrome store that has access to these transaction requests? I know we talked a little bit about the security of sending the transaction data to servers. That seems to be more or less OK for most users. But is it not scary just to be installing the extension in the first place in your browser?
Jeff Krantz: Yeah, I think it's interesting. Maybe you're familiar with the BoringSecDAO, basically a group of security researchers that work in the space that for a long time did not recommend the various Chrome extension simulators for basically the exact reason that you're saying, which is it could potentially open up a security vulnerability. But they actually, I don't know if it was this week they came out and changed their stance, but this week I did see a tweet from them that said at some point they've changed their stance to the point where, you know, of this subset of Chrome extension developers, you know, the founders are well known and public facing and the security upsides for most users outweighs the security downsides. And therefore, they've kind of come out and said they recommend them at this point. At Fire, we are currently working on open sourcing our, like literally this week in our sprint, open sourcing our extension as well. So a user who is capable would be able to install it from source if they'd like to. And it'll also give the community an opportunity to audit our product as well.
Nicholas: Very cool. Have you thought about doing any kind of formal auditing or I don't know if it makes sense to do like a C4 or something like that for code that is not blockchain code specifically? Yeah, absolutely.
Jeff Krantz: Absolutely want to do an audit as well. Once again, something that we're working on as of this week, getting kind of everything, getting our code buttoned up a little bit to get it ready for a place where both the public can audit it and then exploring. Like you said, I'd rather not pay for, you know, like a Solidity auditor to come in and pay their rates, but there's a firm that will offer kind of a front end audit for our products that we'll be looking into.
Nicholas: I know for me personally, I, and this is maybe a suggestion worth taking up for some members of the audience. I segregate my web browsing, the majority of my web browsing from a separate browser or browser profile with my wallets in it. Even hardware wallets connected to Metamask are in a separate browser where I don't visit Notion pages and random links on Twitter. So I wish I recognized that it's not so easy because the signature request happens in the browser profile or separate browser that has the wallets in it. But I do kind of wish I could have fire in the other browser with my web browsing so that there is segregation. But I guess that's impossible given that you need access to the data of the signature request.
Jeff Krantz: We've seen users that have been concerned up front spin up a new profile with their hot wallet and only use Fire over there, which I think is a good solution. If you just want to test it out and test the waters and feel safe that way, I think that's a good solution.
Nicholas: So what are the most common types of malicious transaction requests? What are the things people should be watching out for? Basically, we talked a little bit about a sort of scam website that presents itself as something else. And in that case, maybe you could expand a little bit again on what type of transaction request that was or signature request that was and what other ones people should be mindful of.
Jeff Krantz: Yeah, so the scam that hit Kevin Rose was a Seaport signature request, a gasless signature request, which in case anyone wasn't here earlier, basically allowed the hacker to buy all of Kevin Rose's assets that were listed on OpenSea for something like a penny. So that's one type of signature that you want to be wary of. If you're on a website that is not OpenSea and you see in MetaMask, it will tell you that it is a Seaport signature. There are other sites that can utilize the Seaport contract. So it is possible that it is legitimate. But if you're not on OpenSea and you see a Seaport signature request, double, triple, quadruple check the domain that you're on and really think about it before you hit that signature button. Coinbase Wallet, I believe, actually will pop up a little red warning when you're not on OpenSea and say, hey, you're not on OpenSea. This is a Seaport signature request. Do you want to think about this? Which I think is a good move. So that's one. Another, you know, it used to be, I don't know, three months ago, it seems like all of the attacks were, I guess I'll say simply a setApprovalForAll attack, which is very similar, except for it'll pop up, and rather than asking you to sign a Seaport transaction, it'll ask you to setApprovalForAll, which we went over a little bit at the top of this call as well, on your most valuable collection. Something interesting that we've seen as we evaluate these different scams, you know, basically I've opened up my Discord DMs just to let all of the scammers in so I can hopefully get early access to some new scams. And what I've found that's really interesting is how, you know, I either use like a hot wallet with like very little assets in it, or I'll use Frame, which allows you to basically mock your address as anyone on the blockchain and take a look at what might happen.
And something that's really interesting, it makes sense, of course, but how strategic they are at looking at your wallet, figuring out what's the most valuable, and then start by asking you for that most valuable item and then kind of working their way down the list. And so, for example, if you have a Bored Ape in your wallet, you might go to a malicious website, they'll pop up a setApprovalForAll transaction on your Bored Ape and hope that you go ahead and sign that, which would give them access to all of your Bored Apes. Those are the two most common. I also see, you know, in my wallets where I don't have any NFTs, they just ask you to just transfer your ETH to them and basically hope that you don't notice, which is actually pretty sneaky because, as you mentioned, MetaMask has started surfacing like setApprovalForAll and at least like giving you some red text or something. But if you just transfer ETH, it doesn't. I think you can transfer like a million ETH and it wouldn't show you. It would look pretty similar to if you were just signing a transaction. So it's actually pretty sneaky. And then there's also eth_sign, which basically allows, it'll sign basically any transaction. So the hacker can basically request that you make this signature, which once again, if you're just looking at the text of the signature, it's just a hex string. It doesn't look very intimidating. This one, MetaMask is very good at catching. It's like bright red letters. Like there's really no reason you should be signing this ever unless you're a developer or something. Are you sure you want to do this? They'll also try that one as well. But I usually don't see that because it's pretty obvious from the wallets that they do that. What you'd see in Fire in that case is we even put another message in front of it that once again says, like, basically do not continue. And we give you a small little button that lets you keep going if you want to.
But we strongly advise against signing that. I think those are the kind of four major requests that we typically see. You know, I guess I saw one last week that was a little bit interesting that I hadn't seen at least recently, where they did a fake pop-up of MetaMask. So it was a pop-up window in your browser. It looks like MetaMask. I recognized it wasn't MetaMask, but it could be tough to potentially catch. And basically it says you're not logged in and asks you to type in your password. You type in your password, it says password invalid. You type in your password again, it says password invalid. And then it brings you straight to, you know, whatever. You've been locked out of your account. Unfortunately, you need to re-enter your seed phrase, which I thought I guess was kind of a clever attack as well. And then I always joke back to, I miss the days of like 2020 and before when it was just, you know, Elon Musk saying, oh, we just had our first successful, you know, rocket ship launch. To celebrate, send me one Bitcoin and I'll send you two back. Or, you know, that was one type of thing, or just generally going to some website and they ask you to just enter your seed phrase or whatever to set up a bot or claim something. I miss those days. I generally do not feel for people who fall for those types of scams in general. What I really do feel for is the users who are falling for these more modern scams that, I think anyone could fall for them. We're seeing, you know, crypto OGs and noobs alike fall for these types of scams. So that's why we built Fire.
Nicholas: Yeah. Your examples remind me also of the scam where they send you a bunch of ERC20s in a pool that looks like a familiar token or looks like just some airdrop. And they break the transfer function on the ERC20 so you can't swap out. They load it up so that nobody can trade the token except for the owner of the contract. And they load up a liquidity pool on Uniswap, which other sites and services like Rainbow and CoinGecko and others potentially source for their estimated value of the token. So it looks in your Rainbow like, oh, I just got $40,000 of the newest Optimism airdrop. Great. And then when you go to transfer it, you can't. If you look at the token name, it includes a URL to a scam website which will introduce one of these malicious transactions and attempt to get you to sign it. So there's all kinds of sophisticated scams and certainly more coming. Another one you mentioned that I was reminded of with your Discord experimentation is be careful about who you add as a friend, because anybody who you don't really know who you add as a friend might modify their Discord account to look like someone you do know and trick you in the future. That kind of DM scam where they ask you for a favor or what have you is lower-fi, but also a serious problem that a lot of people have fallen prey to when a friend or acquaintance asks them for a loan or something like that. Especially people who do OTC NFT trading can fall prey to things like that. So it's a dangerous world. Before we jump on, I want to ask you about Blur's opaque signatures and blind signing. Before we get to that, we're doing a little experiment here at Web3 Galaxy Brain. I'm selling ad spot NFTs, five-second ads on the Juicebox page for Web3 Galaxy Brain. There's a link in the tweet that's pinned right now. If you're interested in purchasing one today, we have a sponsor.
I haven't done a great deal of diligence on this, so please be careful. But I'm going to read out the text that was provided in the purchase of this five-second ad spot. Liver donors needed. Visit sharemyliver.com, save a life, become a living donor. Again, I haven't done diligence on that, but I doubt someone is trying to rug you on your liver. So check out sharemyliver.com if you're interested. And if you're interested in purchasing an ad spot NFT for a future episode, you can check it out on juicebox.money slash at symbol Web3 Galaxy Brain. So I want to ask you that. You like that?
Jeff Krantz: That's very cool.
Nicholas: You should get one for next episode. And that's coming from Kmac, who I think is in the audience today. So thank you, Kmac. That's our second ad ever on the show. I want to ask you about Blur's opaque signatures. I've gone back and forth with some devs who have a great deal of concern over the signature requests, the Blur ones, which are really not parsable. Is Fire able to parse those and give you some insight, or are they not even exposing enough information for you to be able to simulate?
Jeff Krantz: I believe originally they were pretty opaque and their contract wasn't verified on Etherscan. So that's what was pretty tough. I think I remember a time where, you know, security researchers in the space, I think, were even recommending against or cautiously using Blur, which was kind of wild. But, yeah, we've had Blur signatures out for a couple of weeks now at this point where we are parsing those as well.
Nicholas: Oh, very cool. Because for people who haven't seen them, if I recall correctly, they just ask you to sign like a hex value. It doesn't have all the parameters. MetaMask can't parse it. So that's cool that you're able to do so with Fire. Maybe it's only certain types of their listings that do that. I think it's if you're listing on Blur specifically that it gives you that kind of signature request. And I think they, am I right that they can also do multiple listings in one signature as compared to Seaport, which requires that you sign for each NFT that you're listing?
Jeff Krantz: So each NFT that you're listing, you can update the listing. Once again, Seaport, you can update the listing for multiple contracts as well in one scoop, which is how Kevin Rose was taken advantage of. And I believe Blur works the same way. And I also, as I mentioned, believe that the Blur signature was JSON that we were able to parse versus trying to decompile some sort of hex code. X2Y2, I know we do not support because it's simply a hex code that we can't basically decode.
Nicholas: Got it. This reminds me, you know, we talked a little bit earlier about sites that ask you to sign a message with some, you know, human-readable text like, welcome to OpenSea. To use OpenSea, you have to sign our terms of service. Sometimes they include a nonce or some hex value, I suppose on their backend to make clear when it is that you confirmed, you know, as if you were signing an EULA agreement to use MSN Messenger or iTunes back in the day. Do you know if it's possible to include, my presumption is that if you're signing a message that includes human-readable text, then it's impossible to include a hex value or any other kind of value inside of that string that you're signing that could then be used maliciously, in the same way, let's say, that this Kevin Rose attack was executed. Do you have a sense if that's true? Is it possible to include a value inside a string and use it maliciously?
Jeff Krantz: Yeah. So, you know, my stance is it's impossible to, if you just see like, welcome to OpenSea, a string that you're signing, it's impossible for that to be malicious. Now, you know, I'm not going to say 100% impossible. I'll leave it at 99.99. And I think even Fubar might've tweeted something similar in the last couple of days with a little asterisk next to it. But our, you know, our UI, we're working on actually an update for this, where we'll basically say, you know, we feel, whatever the wording is, this should be a safe signature. This is just a string of text that you're signing. That's typically used for signing in, you know, double check the website, but you should be good to go. Something along those lines. And then something I wanted to mention, we're also working with protocols, and I guess, I don't know if dapps or Web2 dapps specifically, to parse their signatures and transactions beyond just handling tokens. So for example, like Collabland, it'd be great if when you're trying to join a Discord, if you got a big green welcome message that said, hey, you're joining the XYZ Discord channel through Collabland and you can feel more comfortable with that. So that's something we're working on as well, both for signatures and then for transactions. Right now, if you bid on a Noun, a simulator, what it's going to show you is like minus 30 Ethereum going out of your wallet, which doesn't feel really good. Wouldn't it be great if it showed you you're bidding on Noun 595, here's what it looks like, and, you know, some other things like that. So those are some things we're working on right now.
Nicholas: Very cool. I have a bunch of other questions, but if there is anyone in the audience that has any specific questions, concerns, I think this is a great opportunity for folks to interact directly with you. Now, it's not really your product directly, but maybe you have insights into people who have Ledgers. I don't know if Trezor does the same thing, but Ledger asks, in order to interact with certain dApps, that you enable blind signing. Can you explain, I mean, no problem if you can't, but can you explain blind signing and what the dangers are about it and how it interacts with Fire?
Jeff Krantz: No, actually I can't off the top of my head. That's something I'll have to look into a little bit myself.
Nicholas: Same, same. I am not an expert in blind signing, but I know that it's necessary in order to interact with many dApps. And I think it just shows you less information in the Ledger multi-step preview before you accept the transaction. But I guess we'll all have to do a little bit of research. What other questions did I have for you? I guess, I think we talked about it a little bit earlier, but I saw on the website with regards to the security of having this Fire extension in the same browser where you have MetaMask, maybe a hot wallet. Fire is read only, is that right? Fire is not able to sign transactions on your behalf.
Jeff Krantz: That's right. But it's the number one request that we get from our users, which is like, why doesn't this live in MetaMask? Or why can't this just be my wallet? It's clunky to have these two different pop-ups. Can't this just be one thing? So we know that that's the direction where this is going to head. And so we're working towards that.
Nicholas: Got it. So we talked about trusting the transactions being sent to your servers. Are there any other elements of trust? I suppose that you are accurately simulating the transactions. Are there any other elements of trust that you'd like the potential users of Fire to know about before they install and start relying on the product?
Jeff Krantz: No, but you mentioned the centralization risk that MetaMask is concerned about. And to us, the Holy Grail and the question we ask ourselves weekly is how could we decentralize this thing and just make it an open and free protocol, a simulator in general? We haven't cracked that nut, but shot in the dark to everybody else in the crowd: if there's anyone that has an idea of how potentially we could create a decentralized simulation protocol, I would be very interested in speaking with you.
Nicholas: Yeah, there are some great devs in the audience. Please, if anybody's interested, feel free to request and come up and ask a question or give a comment. I think we've more or less hit the end of my series of questions. Josh, I know we spoke mostly with Jeff. I don't know if Josh, you had other thoughts on any of the subjects we discussed or if you'd like to jump in on the product vision for the future in terms of user experience, etc.?
Josh Breite: Yeah, I would love to. I just really think we're, as Jeff covered a lot of technical aspects, but really just trying to make Fire simple. What we noticed sort of at the beginning of the inception of the product, it wasn't really about scams or hacks. I think that was what sort of our intuition was at the beginning, what it could help stop against. But just the idea of making Web3 readable and making it accessible to users was actually what made us go viral first. It was just a simple Lido staking transaction and people just really loved the UI and UX of it. And continuing to do that, one thing we're really looking forward to is building out more signatures and being more clear on those in the future and just sort of working off that and just trying to make everybody understand it so they can have fun on Web3.
Nicholas: Awesome. And on the subject of the decentralization of the execution of this simulation, etc., I take it Fire is structured as a company today. If you were able to find a way to decentralize it, would you be interested in creating a DAO out of this product?
Jeff Krantz: Yeah, I mean, I see a cool world where basically the simulator becomes a DAO and becomes an open protocol that anybody could use. I think that'd be my dream for kind of at least the simulation part of the product. And then we could go work on other parts of making Web3 simple, of which we would tap into that simulator as a piece of the pie to solving that puzzle.
Nicholas: Makes sense. DeFi Alliance, did you have a question or a comment?
DeFiAlliance: Yeah, my question was basically I was one of your early users back when I was being me, not you, who you'd probably recognize me as. And basically when I was using it then, it would only work with Ethereum. So my question is now, have you updated it so it works with EVM, meaning that it can work with any EVM chain or is it still just Ethereum?
Jeff Krantz: Yeah, we work with Ethereum, Polygon, and as of yesterday, Optimism, as well as the Goerli testnet. And we are working on, alpha leak, I guess, Arbitrum right now. And then we'll take it from there in terms of which other EVMs or other chains we want to add beyond that.
DeFiAlliance: And then my next question was, going towards your decentralization thing, so I know you said you're going to open source some of it so people can help make stuff on top, but wouldn't one way to decentralize it be to kind of turn the organization into a DAO of sorts?
Jeff Krantz: Yeah, exactly. I think we talked about that for a moment, which is, yeah, I'd love it if the simulator itself, we could decentralize it and have it governed by a DAO and basically turn over the operations of that part of the stack to the DAO. I think that'd be kind of my dream state if there was a way we could figure out to crack that.
DeFiAlliance: Well, there's something that we're using for our DAO, which you might want to have a look into, which works on NFTs rather than tokens, rather than coins. And it's called SuperDAO. That might be something that might help you out, because the idea behind that one is you give away an NFT rather than coins. So no one has a complete stake. And you can also set it so one vote equals one vote, sort of thing. So there's just a suggestion for you. But yeah, no, I'm going to step down now. But thanks guys.
Jeff Krantz: Awesome. And yes, of course, I remember be it me, not you. And thank you for your support from the very early days.
Nicholas: Was that the name of the product prior?
DeFiAlliance: No, before my account was literally just a personal account. And now we're sort of turning into a DAO that wants to basically become a citizen's advice service for the DeFi community.
Nicholas: You've transcended from an individual into a DAO.
DeFiAlliance: Yes, yes. Yes.
Nicholas: Congratulations.
DeFiAlliance: Cheers. Thank you. I'll leave you guys to it now. Bye.
Nicholas: Thanks. Yeah. Are there any other topics that we haven't hit that you think are important for people to consider or if they want to stay in touch what they should do?
Jeff Krantz: No, it'd be great. If you want to stay in touch, follow our Twitter account, which is here up on stage as a speaker. If you're interested in learning more about the product, joinfire.xyz is our website, and I really appreciate everyone taking the time to listen to us today. And Nicholas for hosting. It's been awesome.
Nicholas: Absolutely. My pleasure. Actually, one question does occur to me. Is there anything developers who are writing smart contracts or DApps can do in order to make their transactions appear nicer or more available to you? Or is that something that's just automated on your end? And there's no need for developer participation.
Josh Breite: Something we've been really looking into is this idea of making signatures more understandable. So whenever we do partnerships with people, we go into the contract and we talk about what it is and what it's doing. So maybe there's some way, and something we're thinking about is, we can open source that and get everybody to contribute to it. We can make all signatures more understandable to everybody and just go right into the Fire simulation with a pull request or something like that.
Nicholas: Great. Okay. Well, Jeff, Josh, thanks so much for coming and telling us about Fire and this fiery week of attacks and hacks. It's been great talking to you. To anybody in the audience, if you are interested in purchasing an ad for the next episode, check out juicebox.money slash at web3galaxybrain. They're very affordable and fun. Thanks to you both for coming through.
Josh Breite: Thank you.
Nicholas: All right. See you next week. Same time, 5 PM Eastern time, Friday. Everybody, thank you for listening and see you in seven days. Hey, thanks for listening to this episode of Web3 Galaxy Brain. To keep up with everything Web3, follow me on Twitter at Nicholas with four leading N's. You can find links to the topics discussed on today's episode in the show notes. Podcast feed links are available at web3galaxybrain.com. Web3 Galaxy Brain airs live most Friday afternoons at 5 PM Eastern time, 2200 UTC, on Twitter Spaces. I look forward to seeing you there.