XMTP, promoted by Coinbase, was exploited by attackers. How far are we from truly realizing cross-application communication?
BlockBeats
Guest columnist
2023-09-21 11:00
Behind the phishing links and spam emails, the privacy and security of users in the crypto industry deserve more attention.

Original author: Sharon, Luccy, BlockBeats

Original editor: Jack, BlockBeats

On September 20, SlowMist's MistTrack posted on social media that Coinbase Wallet had recently integrated with the Web3 messaging network protocol XMTP. As long as a user's wallet address has enabled the messaging network, it can receive any message sent over the messaging protocol. SlowMist found that many attackers used this feature to send messages containing phishing links to wallet users.

Now, just over 2 months after being integrated with Coinbase Wallet, XMTP is already being questioned by users about its security. How far are we from truly being able to use social software in the Web3 space with confidence?

Attackers exploit vulnerabilities to send phishing links

In this incident, some users posted on social media platforms questioning the XMTP team, saying that they were receiving spam emails pushed to them every day.

This kind of doubt first arose more than 2 months ago, when the official Coinbase Wallet Twitter account released a video announcing its integration with the open source communication network XMTP and their cooperation to enable instant communication between wallet addresses. Many crypto enthusiasts raised questions about this: Is the chat content encrypted? How will Coinbase Wallet's technology stand out, and what guarantees message security?

Although Lens Profile officials have stated that all messages are end-to-end encrypted and can only be decrypted through the wallet address, and that messages are sent off-chain and will not incur any gas fees, this incident shows that users in the crypto industry are still uncertain about the underlying XMTP protocol.

The XMTP that users questioned in this incident is actually the underlying protocol of Coinbase Wallet. At present, XMTP has penetrated into the wider industry ecosystem: in addition to Coinbase Wallet, the Web3 social graph protocol Lens Protocol officially announced its integration with XMTP in November last year to provide secure and private messaging services between profiles for its entire Lens ecosystem. Since its launch in early 2022, more than 1 million XMTP inboxes have been generated in the XMTP network, and more than 300,000 DMs have been sent. The addition of Lens and Coinbase Wallet has also attracted a large number of early seed users.

If this problem cannot be solved in time, these risky phishing links and meaningless spam emails may appear in the lives of tens of thousands of users anytime and anywhere.

How far is it to truly achieve cross-application real-time chat?

In fact, the Web3 industry has long lacked native, promising, and unified social tools. If WeChat, Telegram, etc. are the core social software of the Web2 era, then the social battlefield of the Web3 era has not yet been settled. Judging by the architecture and functions of the underlying XMTP protocol, the core difference between Web3 social software and that of the Web2 era is most intuitively reflected in the fact that people can chat across applications in real time. This is like chatting with Alipay merchants on WeChat or asking for prices from Ctrip sellers.

At present, this function has not truly been realized in the Web2 era. Users are scattered across many different app-based interfaces, and their experience is very fragmented. It is precisely because of its potential to solve these pain points that XMTP has attracted a large amount of investment. On September 1, 2021, XMTP announced the completion of a US$20 million Series A financing, led by a16z, with participation from funds such as Coinbase Ventures, Not Boring Capital and angel investors.

So can XMTP be the first to open up infrastructure construction in the social field of Web3?

Specifically, XMTP is a universal Web3 communication protocol and network that supports end-to-end encrypted communication between on-chain addresses. Developers can integrate the XMTP SDK into Dapps without permission to implement in-app DM and notification functions. In the XMTP protocol, the message inbox (DM) is bound to the user's Ethereum address, which means that users can send and receive their own notifications through multiple different front-end applications and carry them along (so-called portability), and all interaction data (including follows, posted content and DMs) can be migrated to other applications at any time, provided that these applications also integrate the XMTP protocol. For example, the real-time chat between Coinbase Wallet and Lens Protocol users mentioned above is implemented by the XMTP protocol.

Of course, front-end users cannot directly perceive the existence of XMTP, because XMTP is aimed at developers. However, its developer users, such as Coinbase Wallet and Lens Protocol, have extremely large user bases, so the users of these two can basically be equated with the users of XMTP. So far, the user experience has been generally good, with relatively smooth and timely sending and receiving of messages across applications. But on the other side of the coin, someone once ran an experiment with randomly selected recipients and found that they could be messaged directly without the other party's consent. Does this show a lack of consideration for privacy (how is it different from harassing text messages)? For the party sending the messages, however, it is more convenient and precise.
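
One client-side mitigation for the unsolicited-message problem described above, as an added example that is not code from XMTP, Coinbase Wallet or the original article: messages from senders the user has not accepted are held in a separate requests folder and their links are rendered as inert text. `ConsentInbox` and the `{from, body}` message shape are assumptions made for illustration, not XMTP SDK APIs.

```javascript
// Added example. ConsentInbox and the {from, body} message shape are
// hypothetical; nothing here is an XMTP SDK API.
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;
const URL_RE = /\b(?:https?:\/\/|www\.)[^\s<>"']+/gi;

// Ethereum addresses are hex, so compare them case-insensitively.
function normalizeAddress(addr) {
  if (typeof addr !== "string" || !ADDRESS_RE.test(addr)) {
    throw new TypeError("not an Ethereum address");
  }
  return addr.toLowerCase();
}

// Render links as inert text: https://a.b/c -> hxxps://a[.]b/c
function defang(text) {
  return text.replace(URL_RE, (url) =>
    url.replace(/^http/i, "hxxp").replace(/\./g, "[.]"));
}

class ConsentInbox {
  constructor() {
    this.allowed = new Set(); // senders the user accepted
    this.blocked = new Set(); // senders the user rejected
  }
  allow(addr) {
    const a = normalizeAddress(addr);
    this.blocked.delete(a);
    this.allowed.add(a);
  }
  block(addr) {
    const a = normalizeAddress(addr);
    this.allowed.delete(a);
    this.blocked.add(a);
  }
  // Decide the folder for an incoming message and how its body is shown.
  classify(msg) {
    let sender;
    try { sender = normalizeAddress(msg.from); } catch { sender = null; }
    const body = typeof msg.body === "string" ? msg.body : "";
    if (sender === null || this.blocked.has(sender)) {
      return { folder: "dropped", body: "", links: 0 };
    }
    const links = (body.match(URL_RE) || []).length;
    if (this.allowed.has(sender)) return { folder: "inbox", body, links };
    // Unknown sender: hold as a request and never render live links.
    return { folder: "requests", body: defang(body), links };
  }
}
```

A message from an unaccepted address still reaches the user, but only as a request with its links defanged, until the user explicitly calls `allow` for that sender.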

Therefore, in the current SocialFi field of Web3, developers need to think more about how to plug defects and loopholes and protect user account security and privacy, while expanding the ecosystem as much as possible, so that the original intention of decentralization is not exploited by criminals and does not cause even greater trouble. From this point of view, although XMTP's social narrative in Web3 has made a good start, it is still far from reaching the end.

