Consensys Software Inc. respectfully submits this letter in response to the U.S. Department of the Treasury’s request for comment on the responsible development of digital assets, dated September 19, 2022. Below, we discuss how certain technological innovations are anticipated to mitigate the risk of financial crime pertaining to digital assets, specifically the theft of private keys through phishing, malicious smart contracts, and compromised front-end user interfaces. As the Treasury Department works on legislative and regulatory proposals, we encourage policymakers across government to pay attention to the innovation in the programmable blockchain ecosystem, especially with respect to how developers are working towards technical solutions to financial crime risks.
We view this comment letter as an invitation to converse further regarding the ongoing development of Ethereum and other programmable blockchain ecosystems. We hope to engage with you in greater depth on the summarized points set forth below. We appreciate the opportunity to collaborate with you on the important task of bolstering innovation while mitigating the risks that new technologies may present.
1. Background on Consensys Software Inc. and its flagship offering, MetaMask
Consensys was founded in 2016 after the launch of the Ethereum protocol with the goal of facilitating decentralization through the development of blockchain-based computing platforms. We believe that, through decentralized networks like Ethereum, we can innovate and achieve like never before. We have dedicated our people, products, and resources to help drive this evolution.
Consensys is the leading Ethereum software company. Ethereum is the largest programmable blockchain in the world, leading in developer community, user activity, and business adoption. Consensys enables developers, enterprises, and people worldwide to build and use next-generation applications, launch modern financial infrastructure, and access the decentralized web. Our software suite, composed of MetaMask, Infura, Quorum, Truffle, Codefi, and Diligence, is used by millions and supports billions of blockchain calls.
MetaMask specifically is one of the most broadly used unhosted wallets in the world by both Web3 developers and users. It is open source software that can be downloaded from the Apple or Google app stores and run locally as either a mobile application or a browser extension. The software is maintained by a development team at Consensys and also supported by a global community of developers and designers who wish to democratize access to the decentralized web.
Security is critical for MetaMask to be a powerful and reliable tool for both developers and users. Its code has been audited by security experts and independent researchers, and the audit reports are publicly available. The MetaMask team at Consensys sponsors a bug bounty program that rewards volunteers who report vulnerabilities so they may be patched. We are also investing in novel research and development into new security technologies with applications far beyond our ecosystem, such as LavaMoat. Further, the MetaMask team has extensive educational materials and FAQs drafted to guide MetaMask users through smart and safe use of the wallet. Consensys has also partnered with Phishfort, a third-party anti-phishing solution, so that phishing threats against MetaMask users are identified and taken down.
Despite our ongoing commitment to the security of MetaMask users, scammers and other online criminals continue to target users through a variety of schemes. MetaMask developers and Ethereum developers more broadly recognize these threats and believe it is important to mitigate them not only through vigorous law enforcement but also through technology. Below, we briefly explain one way in which the community is addressing financial crime risk through innovation.
2. Accounts on Ethereum
Blockchain allows someone to participate in peer-to-peer transactions or a digital community with no central authority acting as gatekeeper. But that system requires such users to take responsibility for themselves in all respects. The private key is the technical representation of that self-responsibility, and from that private key arises a meaningful degree of financial crime risk.
Ethereum was designed with two types of accounts: externally owned accounts (“EOAs”) and smart contract accounts. EOAs are what one controls with unhosted wallet software, which is best understood as a user interface that permits you to access and execute transactions using your account. Smart contracts are software programs that exist on the blockchain data structure and function according to their programming. Both types of accounts can receive, hold, and send Ethereum tokens (“ETH”) and both can interact with smart contract accounts. Currently, all transactions on Ethereum must commence from an EOA, in part because only EOAs can pay transaction fees (referred to as “gas”).
It is the EOA which presents most financial crime risks. Each EOA can hold tokens and has an address that is recognized by the Ethereum network and determined by a unique public-private key pair. That key pair is how an account holder signs and sends cryptographically secure transactions which move tokens from that account to others. What allows the account holder and only the account holder to send the ETH in their account is possession of the account’s private key. It is that private key that signs transactions, and the network can use the account’s public address to confirm that it was indeed the account holder who authorized the transaction.
The important takeaway is that Ethereum was designed for a user's account and a user’s private key to be the same thing. In other words, what holds a user’s tokens is practically indistinguishable from the user’s password. The obvious implication of that choice is that whoever holds the private key, whether the account holder, another person, or even multiple people, can control the account itself. This has given rise to various problems, including making account holders the targets of financial crime.
3. Financial Crime Targeting Ethereum Users
Because knowing someone’s private key means being able to access anything held in their account, private keys have been a major target of criminals and other bad actors. Their schemes take a few common forms, discussed below.
As the owner and operator of MetaMask, Consensys receives reports of phishing attempts. MetaMask users are targeted on social media and via email by phishers looking to defraud the users into sharing their private keys or their secret recovery phrases (the 12 or 24 word-long recovery passwords that are derivations of the alphanumeric private key). Currently, around 80% of all customer complaint tickets that MetaMask receives through its customer support channel are users reporting phishers.
While the technical innovations discussed below are expected to meaningfully mitigate these types of attacks, several other approaches to this problem are worth pursuing. First, social media platforms that are feeding grounds for predatory phishers should invest more time and attention to eliminating this type of predatory behavior, particularly where these scams are being launched through paid advertising campaigns to the benefit of these platforms. If you are capable and willing to police the content of speech on your website, you can be rightfully expected to take seriously the explicitly illegal scams that use your platform to target your users. Second, regulators and law enforcement could collaborate more closely with the industry to facilitate the reporting, investigation of, and disruption of large, organized phishing scams. Third, the blockchain ecosystem should create off-chain tools that push back against the tide of online predators. Indeed, this approach is already being taken in a number of forms, including the project “MobyMask”, which is the brainchild of a MetaMask developer. This platform would allow users to report Twitter phishing bots by Twitter handle to create a shared database that would be updated in an accountable and transparent way. The database would serve as a peer-to-peer anti-phishing database that could be integrated into Web3 user interfaces for the purpose of warning users, or could be relied upon by law enforcement. While the project is still in proof-of-concept phase, it is an example of the initiative of the blockchain developer community to tackle and solve problems facing the space through innovation.
These schemes include spoofed communications from the “MetaMask Security Team” warning the account holder that, without verifying his account by inputting his secret recovery phrase into a spoofed MetaMask website, his account will be frozen. Others involve a user allowing a hacker to access their device under the guise of providing customer support, which gives the hacker the opportunity to steal a private key or other password. The result of these schemes is the criminal gaining control of the user’s private key or secret recovery phrase, which allows the criminal to access that account through a different user interface and transfer any account holdings to an account that only the criminal controls. Because of the nature of blockchain transactions, such transfers cannot be reversed unless the criminal decides to transfer the tokens back or gives up the private key to his account.
While it might sound ridiculous for a hacker to return stolen proceeds, there are a growing number of instances in which, after a hack has been noticed and the movement of the stolen funds is under surveillance, a hacker has decided to turn “white hat” and return some or even all of the stolen funds. This is because surveillance of transactions on the public blockchain has become so reliable and accessible due to current blockchain analytics software that completely absconding with funds stolen on-chain is incredibly difficult, even when a hacker uses mixing and tumbling smart contracts.
Malicious Smart Contracts
Sophisticated criminals can deploy malicious smart contracts that will result in a user losing his tokens after interacting with them. They come in two general varieties. First, certain contracts require the user to grant the authority to move tokens sitting in the user’s account. This is a risk to users because, while some contracts require the user to grant narrowly tailored approvals to leverage their functionality, some smart contracts require broad approval, up to and including control over all tokens in their wallet for whatever purpose. While some of these contracts are simply irresponsibly written, some are purposefully malicious.
The criminal who deploys a malicious contract often socially engineers user interaction through email or social media. In one example from February 2022, a criminal sent a phishing email to users of the NFT website OpenSea. Spoofing a “community update” notice, the email instructed the user to move his NFTs to a new OpenSea smart contract. If a user clicked on the “Get Started” link in the phishing email, linked his wallet to the scam website, and approved the requisite transaction, the user would soon discover that the contract was actually programmed to send all of his NFTs to the scammer’s wallet instead of an OpenSea address.
The second general type of malicious contract involves depositing tokens into a contract. A malicious deposit contract either ultimately restricts your ability to withdraw your original tokens, or it immediately sends the tokens to the scammer’s wallet. In either instance, the scammer generally entices users to deposit tokens in exchange for a reward or service that never materializes.
Blockchain developers and other service providers are currently grappling with how to address the problem of malicious contracts from an industry best practices perspective. MetaMask, for one, is considering solutions that can be integrated into the MetaMask interface to warn users whenever a smart contract is asking for unlimited authority over their wallet. In addition, the market integrity firm Solidus Labs recently announced a tool that assists with detection and avoidance of smart contract scams on Ethereum and other programmable blockchains. U.S. policymakers would do well to learn more about these efforts and how the federal government could support them.
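To make the "unlimited authority" warning concrete, the following added example (not MetaMask's or Solidus Labs' code) classifies the calldata of a pending transaction before the user signs it. It assumes the standard ERC-20 `approve` and ERC-721/1155 `setApprovalForAll` calls, which the letter does not name; the `UNLIMITED_FLOOR` policy, the helper names, and the sample spender address are constructed for illustration.

```python
# Added illustration (not MetaMask code): classify token-approval calldata.
MAX_UINT256 = 2**256 - 1
APPROVE = bytes.fromhex("095ea7b3")               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)
UNLIMITED_FLOOR = 2**255   # assumed policy: this large is "effectively unlimited"

def _args(data, count):
    """Split the ABI-encoded argument area into `count` 32-byte words."""
    body = data[4:]
    if len(body) != 32 * count:
        raise ValueError("calldata length does not match the function signature")
    return [body[32 * i:32 * (i + 1)] for i in range(count)]

def _address(word):
    """Addresses are 20 bytes, left-padded with 12 zero bytes."""
    if any(word[:12]):
        raise ValueError("address word has non-zero padding")
    return "0x" + word[12:].hex()

def classify_approval(calldata_hex, token_balance=None):
    """Return (risk, grantee, detail) for an approval call, or None otherwise."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    selector = data[:4]
    if selector == APPROVE:
        spender_word, amount_word = _args(data, 2)
        spender = _address(spender_word)
        amount = int.from_bytes(amount_word, "big")
        if amount == 0:
            return ("revoke", spender, "allowance set to zero")
        if amount >= UNLIMITED_FLOOR:
            return ("unlimited", spender, "spender may move every unit of this token")
        if token_balance is not None and amount > token_balance:
            return ("exceeds-balance", spender,
                    f"allowance {amount} > balance {token_balance}")
        return ("bounded", spender, f"allowance {amount}")
    if selector == SET_APPROVAL_FOR_ALL:
        operator_word, flag_word = _args(data, 2)
        operator = _address(operator_word)
        approved = int.from_bytes(flag_word, "big")
        if approved not in (0, 1):
            raise ValueError("bool argument must be 0 or 1")
        if approved:
            return ("unlimited", operator, "operator may move every NFT in this collection")
        return ("revoke", operator, "operator approval withdrawn")
    return None   # not an approval call; other checks would apply

# Constructed sample input: the spender address is a placeholder, not a real account.
SPENDER = "11" * 20

def encode(selector, address_hex, value):
    """Build calldata for a two-argument call (selector, address, uint256/bool)."""
    return "0x" + selector.hex() + address_hex.rjust(64, "0") + f"{value:064x}"

if __name__ == "__main__":
    print(classify_approval(encode(APPROVE, SPENDER, MAX_UINT256)))
    print(classify_approval(encode(APPROVE, SPENDER, 500), token_balance=100))
    print(classify_approval(encode(SET_APPROVAL_FOR_ALL, SPENDER, 1)))
```

A wallet interface would run a check of this kind on the unsigned transaction and surface the `unlimited` and `exceeds-balance` results as warnings before the signing prompt.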
Compromised User Interfaces
Criminals and other bad actors are also targeting private keys by deploying spoofed front-end user interfaces. These interfaces are designed to record an account holder’s password, private key, or secret recovery phrase, which the criminal will thereafter use to steal the account holder’s funds.
A prominent example of this technique was demonstrated by the North Korean group known as “BlueNoroff.” That group penetrated a company’s computer system and used company user credentials to collect configuration files that pertained to, among other things, certain employees’ MetaMask wallets. When the hackers believed they found a high-value target, they monitored that target’s computer activity, including keystrokes, for days or weeks before taking action. That action involved tampering with the MetaMask Chrome extension code stored on the target’s local computer. That hacked MetaMask wallet allowed the hackers to change the recipient address and the amount sent in one of the target’s transactions, resulting in all of the target’s funds being sent to the hacker’s address.
In another scam, a phisher bought Google ads to entice Ethereum users to visit a fake MetaMask website where they could download a malicious Google Chrome extension. Once downloaded and installed, the extension prompted the user to create an Ethereum account or import an existing one using a secret recovery phrase. If the user chose to create a new account, the extension would direct the user to the real MetaMask website (metamask.io), but if the user chose to import an account, presumably one with tokens in it, the extension would direct the user to a fake website that prompted the user to enter the secret recovery phrase associated with the account. The scammer would use that phrase to move all the tokens from that account into the scammer’s account.
* * *
Given the growing and complex ecosystem of permissionless blockchains, composable smart contracts, and user-friendly web-based interfaces, end users today largely have to trust the contracts and web interfaces to be honest, secure, and reliable. There is a role for the government in undergirding this trust. First, public/private collaboration could help establish strong cyber security standards that better protect users from bad actors. Second, law enforcement could vigorously investigate and prosecute perpetrators of online scams like those summarized above. Third, for-profit software developers that materially misrepresent the functionality or security of their interfaces when marketing them to the public might receive more scrutiny from consumer protection authorities such as the Federal Trade Commission.
But meaningful mitigation measures need not come from regulation or envelope-pushing enforcement. Blockchain developers care deeply about these problems and understand that, if permissionless, programmable blockchains are going to improve the lives of billions of people, the technology itself needs to evolve. With respect to private key-targeting scams, the Ethereum community has already been formulating one possible technical solution.
4. Mitigating Financial Crime Through Account Abstraction
The scams we see today often successfully target Ethereum users in large part because an account and a private key are essentially one and the same. An account is fully compromised when someone steals the private key. Ethereum community developers have since 2016 considered ways to separate the account from the private key, so that theft of the latter would not necessarily mean compromise of the former. This concept has been referred to as account abstraction.
The goal of account abstraction is to move from having two types of accounts, EOA and contract, to a single account type. That account type not only would have the necessary elements to serve as a user’s wallet but also would be programmable like a smart contract, adding a new degree of transaction execution functionality. The effect of having “account contracts” would be to change the method by which a transaction is signed. Today, transactions must be signed using the private key tied to the account. With account contracts, the method of signature could be programmed to be anything, abandoning the one-size-fits-all signature method of today. With the parallel protocol improvement of allowing contracts to pay Ethereum gas fees to validators (which they cannot currently do), users could introduce safeguards to ensure they do not immediately lose their account if they are phished or interact with a malicious contract. There are a number of safeguards which the community already recognizes as possible improvements.
First, one could program an account contract to only send transactions if a subset of a group of potential signers agreed to the transaction. This functionality is essentially the process of using a multi-signature (or “multi-sig”) contract today, but it would be more convenient because the process of each signer confirming the transaction would not require separate gas-requiring transactions. As any security-conscious blockchain user will tell you, multi-signature wallets are leaps and bounds more secure than single-signature wallets. If it is not already, it will in short order be professional malpractice to operate a company’s treasury, a fund, or another account holding considerable funds without that account requiring multiple signatures.
Not only does the multi-sig process prevent a single threat actor from stealing a key that allows them access to funds, but it also supports fraud monitoring. Specifically, every signer has the opportunity to review the transaction to ensure it is safe, especially with respect to any account or contract the account intends to interact with. Impetuous or otherwise careless interactions with suspicious contracts may thereby be avoided more than they are with a single signer.
Second, account abstraction would allow users to move away from the one-size-fits-all application of the Elliptic Curve Digital Signature Algorithm for signing transactions. It would allow users to choose a simpler, less expensive signature scheme for certain low-value, low-risk transactions. Alternatively, it would allow users to change the scheme to one that is stronger, including those that are quantum resistant, if that ever becomes necessary. Because alternative cryptographic measures would be accommodated, it is believed to be possible to even leverage the encryption protecting the storage on a mobile device, allowing users to rely on their smartphones to serve as hardware wallets.
Third, account abstraction would actually allow someone who had their private key or secret recovery phrase stolen not only to prevent any of their tokens from being stolen as a result but also to replace that private key with an uncompromised one (referred to as “key rotation”). This is accomplished through “social recovery.” An account wallet programmed with social recovery functionality could use a single key to approve a transaction, but it would also be associated with three or more “guardians” that could, when called upon, approve the changing of that key. Those guardians could be other people, like friends and family members, other devices like an alternative account that the account holder safeguards, or entities that offer guardianship for free or as a paid service.
Social recovery wallets would guard against theft in a couple of ways. First, they could include a separate address that would serve as a “vault” for the account holder’s tokens. The user’s tokens can be deposited into the vault quickly, but any transaction to remove them takes a period of time, for instance a week, to execute. Should the user get hacked and lose his private key, any transaction that the hacker would perform to steal the user’s funds would be delayed for one week. During that delay, the user and the guardians would be able to intervene by canceling the illicit transaction and rotating the private key. A second safeguard would be a daily limit on the amount of funds that could be removed from the wallet absent approval of the guardians. While a hacker could steal a portion of an account holder’s funds, the first illicit transfer would put the user and/or the guardians on notice, permitting them to prevent the theft from going any further.
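The rules described in the two paragraphs above (guardian-approved key rotation, a delayed vault, and a daily limit) can be modelled as a small state machine. This is an added example, not code from Consensys or any wallet project: it runs off-chain in Python, uses plain strings in place of verified signatures, and assumes a simple-majority guardian threshold and that rotation drops withdrawals queued by the old key.

```python
# Added illustration: an off-chain model of the social recovery rules above.
# Key names are strings standing in for verified signatures (assumption).
DAY = 86_400

class SocialRecoveryWallet:
    def __init__(self, signing_key, guardians, vault, spendable,
                 daily_limit, delay=7 * DAY):
        if len(set(guardians)) < 3:
            raise ValueError("need three or more guardians")
        self.signing_key = signing_key
        self.guardians = frozenset(guardians)
        self.threshold = len(self.guardians) // 2 + 1  # assumed: simple majority
        self.vault, self.spendable = vault, spendable
        self.daily_limit, self.delay = daily_limit, delay
        self.pending = {}   # withdrawal id -> (recipient, amount, executable_at)
        self.spent = {}     # day number -> amount already sent that day
        self.next_id = 1

    def quorum(self, approvals):
        """True when enough distinct, registered guardians approved."""
        return len(self.guardians & set(approvals)) >= self.threshold

    def require_key(self, key):
        if key != self.signing_key:
            raise PermissionError("not the current signing key")

    def request_vault_withdrawal(self, key, to, amount, now):
        self.require_key(key)
        queued = sum(p[1] for p in self.pending.values())
        if amount <= 0 or amount > self.vault - queued:
            raise ValueError("amount not available in vault")
        wid, self.next_id = self.next_id, self.next_id + 1
        self.pending[wid] = (to, amount, now + self.delay)
        return wid

    def execute(self, wid, now):
        to, amount, ready = self.pending[wid]   # KeyError if cancelled
        if now < ready:
            raise PermissionError("withdrawal is still inside the delay window")
        del self.pending[wid]
        self.vault -= amount
        return to, amount

    def cancel(self, wid, key=None, approvals=()):
        if key != self.signing_key and not self.quorum(approvals):
            raise PermissionError("needs the signing key or a guardian quorum")
        return self.pending.pop(wid)

    def rotate_key(self, new_key, approvals):
        if not self.quorum(approvals):
            raise PermissionError("guardian quorum required")
        self.signing_key = new_key
        self.pending.clear()   # assumed policy: drop what the old key queued

    def send(self, key, to, amount, now, approvals=()):
        self.require_key(key)
        used = self.spent.get(now // DAY, 0)
        if used + amount > self.daily_limit and not self.quorum(approvals):
            raise PermissionError("over daily limit without guardian approval")
        if amount <= 0 or amount > self.spendable:
            raise ValueError("amount not available")
        self.spendable -= amount
        self.spent[now // DAY] = used + amount
        return to, amount
```

With a stolen key, a holder of `signing_key` can queue a vault withdrawal and spend up to `daily_limit`, but cannot execute the withdrawal before `delay` elapses; a guardian quorum calling `rotate_key` in that window leaves the vault balance untouched and the old key unusable.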
5. Security and Blockchain Adoption Go Hand-in-Hand
The Ethereum community is working on account abstraction to improve user experience as much as it is a method to bolster security. It is widely recognized that the current system, which is entirely dependent on public-private key pairs and is thus highly vulnerable to user predation, faces a real challenge to achieving its aim of scaling to billions of people with ease. Aside from key compromise through financial crime, the risk of loss of funds due to losing a private key is simply too high. Further, the account holder user experience needs to improve to make it more intuitive and to pull a lot of the complicated technology behind the scenes where it would not confuse or intimidate the typical user.
The key point is that security and user experience go hand-in-hand, and this drives the Ethereum community to make the changes that ultimately will mitigate risks associated with financial crime. The innate incentive for the Ethereum community to improve security should give pause to any well-meaning regulator who might otherwise think the sole solution lies with new statutes, federal rules, or administrative guidance.
6. Building and Implementing Account Abstraction
Between 2016 and today, there have been a number of Ethereum Improvement Proposals (“EIPs”) put forth by the Ethereum developer community that involve different strategic approaches to achieving a separation of account from signing method. These are still in the discussion phase, and there is no reliable way to estimate when a solution might be ready for implementation. Given the tremendous amount of preparation and care that went into the transition from proof of work to proof of stake consensus, it is reasonable to assume that any Ethereum improvement process relating to account abstraction could take years. Aside from the time it would take to implement such a change, current plans would not lower fees on Ethereum, which remain a limiting factor on ecosystem growth.
For these reasons, it has been argued that account abstraction will be a solution embraced more quickly and effectively by layer 2 protocols. These protocols, while young, already exist today, and operate as a technology that leverages the security that Ethereum provides while offering lower fees and higher transaction throughput. So-called “smart wallets” relating to two layer 2 protocols are already on the market. The most prominent of these is Argent, which offers a wealth of educational materials that discuss account abstraction in a comprehensive but accessible manner. A second major smart wallet is Loopring. These projects are among those at the forefront of this exciting and crucial wave of innovation that appears likely to revolutionize programmable blockchains and fundamentally change crypto’s financial crime landscape.
CONSENSYS SOFTWARE INC.
William C. Hughes