Comparing Pocket Universe, Fire, and Wallet Guard

We here at Boring Security were hesitant to recommend wallet security extensions at first. We felt it might breed complacency, and spread the bad advice of “Well, just download a wallet extension, get a hardware wallet, and you’ll be safe!” After much investigation and their proven utility of protecting people, we now believe these tools should be part of every web3 user’s ritual for wallet transactions. Despite our recommendation, they are a long way from being bullet-proof, and should only be one PART of your personal security arsenal! 

In this article we’ll examine what Wallet Security Extensions do, how they protect users, and how they can still be circumvented via a comparative approach of the three major solutions on the market. We still believe education is the number one thing folks can do, and that every person in web3 is still responsible for their own security, but Wallet Security Extensions can make the process a lot easier. Let’s dive in!

Wallet extensions operate in between a protocol/website and the user’s wallet, in order to intercept transactions, simulate them, and assess the resulting changes for a user’s wallet. This is a sensible approach, because users care about understanding the change in value or permissions in their wallet as the result of a transaction. For example, if I’m minting an NFT or swapping a token, knowing what tokens are leaving my wallet vs. coming into my wallet, or what permissions are changing as a result of an approval or signature, are of paramount importance to every web3 user.

But providing extra security is no easy task; for users doing more than casually buying and minting NFTs, Wallet Security Extensions won’t substitute for a solid foundation of web3 security knowledge. Luckily, Boring Security has free classes to help you up your security game! 

As you’ll see in this article, Wallet Security extensions still have a long way to go before we can get complacent and rely on them 100%. Below, we will take a look at 5 transaction/signature types that scammers could use in order to scam you. We will check the major extensions against each type and see how they compare! 

Increase Allowance ERC-20

In late 2021, I was one of the victims of the BadgerDAO front-end compromise. Scammers installed a malicious package that prompted an ‘Increase Allowance’ on user’s tokens that stole all my wrapped bitcoin in the protocol, which I wrote about last year. A painful lesson that I received very little compensation from to this day, except that it was one of the motivating factors that led me to start Boring Security a few months later. If me, a security veteran and professional by trade, could be a victim to this stuff, then for most, it was only a matter of time before they made a similar mistake! 

IncreaseAllowance or IncreaseApproval is a common function found in many ERC-20 contracts that essentially functions like the “Approve” function, though with its less common usage. With its different name, it might not set off the same alarm bells as seeing ‘Approve’ across their screen! So, let’s try calling this function on the ApeCoin contract for 1000 ApeCoin and see what each extension gives us.

Figure 1-1 Increase Allowance of 1000 ApeCoin via Etherscan

Did it catch it??

• Pocket Universe: Yes! Threw some extra warnings at me too!
• Fire: Yes, although I couldn’t get Metamask to pop up. I don’t know if this was a protection mechanism of Fire or an issue on my side, but it’s something worth noting.
• Wallet Guard: Yes! No issues!

Withdraw Staked ERC-20 Tokens to Another Address

If the ApeCoin staking website ever gets compromised (a doomsday scenario for ApeCoin, to be sure), this would be the most likely transaction the scammer would use. Although uncommon, exploits like PinkDrainer and Monkeydrainer do have the ability to assess a user’s staked asset balance for many major tokens and craft a malicious “drainer” transaction accordingly. 

It would stand to reason that these wallet extensions should be able to detect these scams too! For consistency, we will  stick to testing a major token’s staking contract: ApeCoin.

Figure 1-2 Withdrawing 1000 ApeCoin to another address with the ‘WithdrawApe’ method.

Did it catch it??

• Pocket Universe: Yes - but not on our Multisig Safe - knocking off a half point for this!
• Fire: No - although the option to review the raw data might be nice, for the more advanced users, might save the extra curious folks.
• Wallet Guard: No

My intention here is not to pick on any particular wallet extension, but you can see the problem when two major providers of this service can miss something so simple. The technical issue is that your Staked ApeCoin doesn’t have a token in your wallet that contains a value, and as such isn’t detected when you “unstake” to a different wallet address. The issue gets even worse when using more complicated smart contract wallets like SAFE, a popular multisig wallet, where ALL of the wallet security extensions failed. 

Not only did they fail to catch the scam, but also Safe’s built-in application, DeFirewall, failed to detect it as well. The only ways I found to see what the transaction really did was by reading the bytecode or by simulating the transaction on Tenderly.

Multisig Token Transfer

Smart contract wallets make simulating transactions much more complex for wallet extensions but they are becoming increasingly common. Smart contract wallets enable functions like requiring multiple signatures in order to execute (multisig), allowing users to recover their wallet from a trusted friend (social recovery), limiting certain actions, and more. SAFE multisigs are used by DAOs everywhere already and are only going to become more common.

Again, sticking with the same theme, we will try to send some ApeCoin from the Boring Security multisig, and see which extensions catch it!

Figure 1-3 A token transfer of 1000 ApeCoin using a Safe Multisig.

Did it catch it??

• Pocket Universe: Yes
• Fire: Yes
• Wallet Guard: No - Currently Unsupported - but awarding half a point for not showing us incorrect data at least.

Although I was surprised that Wallet Guard doesn’t support SAFE, it stands to reason since they are much more focused on the NFT world, and less-so on DeFi, where usage of multisigs are more common. The upside is that Wallet Guard knew that it was interacting with SAFE, and that it was unsupported and gave out an error rather than a false reading.

Permit2 Batch Signatures

Permit2 is a cool protocol developed by Uniswap that allows you to give approval to it, and then other protocols can essentially request your approval via a signature. Permit2 saves a lot of gas across the whole ethereum ecosystem, but can be used maliciously to drain users’ wallets if they don’t understand how it works! To learn more about Permit2, check out the Uniswap blog about it. For this test, we will  use a ‘Permit2Batch’ signature, commonly deployed by wallet drainers in the wild.

Figure 1-4 Using RevokeCash transaction-type test site to simulate a Permit2Batch tx

Did it catch it??

• Pocket Universe: Yes
• Fire: Yes
• Wallet Guard: Yes

I would have been very concerned if any wallet extension missed this! Each provider passed the test with flying colors. This check is super important, as Permit2 is being incorporated into more and more protocols and I imagine that it will spillover into the NFT world even more over time. Special shoutout to RevokeCash for allowing us to use their transaction-type extension tester for this one!

X2Y2 Listing Signatures

X2Y2 is one of the less popular NFT exchanges and still utilizes an outdated signature type. Boring Security’s Safe Signing 101 article discusses Hex and/or blind signatures in depth. For blind signatures, there really is nothing a wallet extension can do to protect you beyond showing a warning. Blind signature transactions cannot be simulated, as often, they are giving instructions to systems that may reside off-chain; they could do anything! 

Figure 1-5 Listing my BAPEVERSE NFT for 0.01 ETH on X2Y2 after I approved it

Did it catch it?

• Pocket Universe: Yes
• Fire: No - BUT IT TOLD THE USER: “this type of signature cannot approve or transfer your funds” - which is blatantly false. Terrible!
• Wallet Guard: No - We would have expected some type of warning at least.
   

Pocket Universe kindly lets us know that listing signatures on X2Y2 will show up like this, so we can expect this result. I was actually surprised that Wallet Guard gave an output with foreign characters and no real info, but what shocked me the most was Fire’s output which said, “This type of signature cannot approve or transfer your funds.” That REALLY threw me for a loop because that second part is CATEGORICALLY untrue, there have been many cases of drainers that have relied on these types of signatures. This could have been a listing signature for 0ETH to a scammer address, which would result in the loss of your NFT immediately. 

Conclusion

So how did each of the extensions stack up? 

Figure 1-6 wrap-up post of these 3 major extensions compared in these 5 tests

Well, as we can see from this small test, Pocket Universe did the best, but even it wasn’t perfect. That multisig failure could have been a large loss for someone who wasn’t skeptical. 

Despite that, the other two extensions slipped up on a couple of the curveballs we threw at it. I assumed that all the extensions would have some trouble with staked tokens, but Pocket Universe surprised me by being able to decode that one.

Also, although Pocket Universe performed best in this individual test, it isn’t a bad idea to have another installed if you ever need to double check a suspicious or critical transaction. And even though Fire did better in raw points, where Fire failed has me more worried than where Wallet Guard failed, therefore, I would still prefer Wallet Guard out of the two.

You can have one disabled by default and only have it enabled when you click on it, by right clicking on the extension, and selecting the “This can read and change site data -> When you click the extension” option like so:

Figure 1-7 Changing web3 wallet extension settings

Do I really need Wallet Security Extensions?

Folks wonder why can’t the wallets just do this themselves? As you’ve seen, understanding the resultant state and risks a wallet opens up for every signature and transaction it makes is a complicated issue. It is very difficult to keep up with all the different types of function calls, state changes, staked tokens, derivative tokens, and complex off-chain signatures within an ever-increasing number of protocols; it is likely not something a wallet provider will be able to keep up with. Dedicated tools like Pocket Universe, Fire, and Wallet Guard will likely become more necessary over time, not less. So despite their shortcomings today, Boring Security still recommends using Wallet Security Extensions. Regardless of which one you use, any of the above are better than nothing!

Finally, at risk of being a broken record, wallet extensions are not a replacement for educating yourself on wallet hygiene and self-protection methods! As we've shown, even these dedicated security tools are not foolproof, so knowing what to avoid is paramount for staying safe in web3. Additionally, scammers are always trying to find ways to circumvent these extensions as well. 

We at Boring Security have written dozens of articles, created a plethora of free education classes, and have continued to launch unique learning experiences aimed at teaching you web3 security literacy from all angles. Join our discord to get started on your security journey today!