Late on Sunday, Jan. 9, DeSo founder Nader Al-Naji announced that his “decentralized social media” service would update its login flow, which had been widely criticized. But experts almost uniformly argued that the update would make DeSo’s user security vastly worse – and even undermine security across the entirety of the emerging “Web 3″ landscape.
DeSo (which formerly operated as BitClout) is in principle an exemplar of what Web 3 could become. The system is built around token economics intended to help content creators get paid for their work, and users manage their DeSo assets using digital wallets analogous to MetaMask or Samourai. Other “creator token” systems, particularly Roll and Rally, have pursued related models.
But critics previously noted that DeSo was cuing users to engage in a very odd and dangerous behavior: inputting their wallet’s “seed phrase” through a web interface to log in to their DeSo web accounts. A seed phrase, sometimes referred to as a “recovery phrase,” gives complete access to a wallet’s contents to anyone who knows it, and is impossible to neatly replace or reset once it’s compromised.
Because they’re so sensitive, the widely accepted best practice for handling seed phrases is to literally never input them into any internet-connected interface, with a website being perhaps the single worst possible choice. Individual responsibility for wallet management is key to the Web 3 concept, and teaching users good security will be fundamental to the overall initiative’s success.
But instead of addressing this fundamental problem with using a seed phrase as a web login, DeSo appears to have doubled down: The new feature would encourage users to hand over their seed phrase to Google Drive, instead.
“This can’t be real.”
This supposed fix was met with incandescent scorn from high-profile crypto executives, engineers and investors – scorn leavened with sardonic disbelief that, yes, a purported Web 3 operation with $200 million in investment from Andreessen Horowitz and other blue-chip Web 3 advocates actually did that.
Major figures including Sino Global Capital CEO Matthew Graham seemed to agree: using the cloud to store seed phrases controlling potentially hundreds of thousands of dollars’ worth of crypto assets is, on its face, about as stupid as it gets.
just as a thought experiment in some alternate universe where starting today everyone's bitcoin private keys had to be stored on Google Drive because reasons [just accept the premise] how long would it be before Google Drive would completely compromised in every possible way https://t.co/iyzfzmY8PN
— Matthew Graham (@mattysino) January 10, 2022
Raised $200m from VCs and now prompt users to enter their seed phrases into web extensions 😂
NGMI 🤣🤣 https://t.co/iC7KrkdTTu
— Dovey “Rug The Fiat” Wan🪐🦖 (@DoveyWan) January 10, 2022
gonna kick this issue again
1.) wtf said asking someone for a seed phrase was acceptable to begin with.
2.) wtf said putting it on a risk surface as wide as google drive was a good idea.
screw you bitclout rebrand. https://t.co/UJINKcDoQf
— IamNomad (@IamNomad) January 10, 2022
Perhaps the most energetic rant in response to DeSo’s new “feature” came from Taylor Monahan, cybersecurity expert and CEO of wallet developer MyCrypto.
DO NOT FUCKING TELL PEOPLE TO ENTER THEIR SEEDS ANYWHERE ESP. NOT A FUCKING WEBSITE
DO NOT FUCKING ENCOURAGE DAPP DEVS TO TELL PEOPLE TO ENTER THEIR SEEDS ON A WEBSITE
DO NOT FUCKING CALL THEM SEEDS THEY ARE SECRET RECOVERY PHRASES
DIE IN A FIRE YOU ARE MOVING BACKWARDS
— Tay (@tayvano_) January 9, 2022
What’s a seed phrase?
Why exactly is it so unspeakably bad to ask users to input the seed phrase from a crypto wallet into a web extension? For software wallets like Exodus or Electrum, a seed phrase is fairly analogous to the “private key” that grants direct control of a single on-chain Bitcoin account. It is generated by an automatic system, and unlike, say, a Google password, even the wallet’s developer can’t see the phrase – or reset or recover it if it’s lost.
And once someone has a wallet’s seed phrase, they can simply steal its contents – which Al-Naji on Sunday admitted was exactly what happened to a staggering 10% of early DeSo users.
As a matter of cybersecurity, then, a seed phrase is almost as sensitive as biometric data. Biometrics form the security backbone of another profoundly misguided pseudo-crypto project, Sam Altman’s WorldCoin, which faced withering criticism for its model from experts including Edward Snowden. As Snowden pointed out, biometric data is dangerous because it’s impossible to replace once it has been compromised. A crypto seed phrase can in some sense be replaced once it has been leaked, but it’s an onerous process involving setting up entirely fresh wallets – and by the time you get that done, your compromised wallet might already have been emptied.
Read more: Nader Al-Naji – Web 3 Social Media Needs Dedicated Blockchains
In the narrowest sense, this means DeSo’s seed-phrase login is an immense and constant risk for users of the system itself. In particular, phishing attacks that closely mimic official login pages to capture crypto credentials have become extremely widespread. These have led to major compromises of users on platforms like OpenSea and Coinbase. But self-hosted wallets are much harder to undermine, when used correctly. Al-Naji, critics argue, is going an extra mile to make his own users’ wallets vulnerable. (Questions to the DeSo team about the specific role of seed phrases on the DeSo platform were directed back to Al-Naji’s Sunday thread.)
Al-Naji’s narcissistic framing of the issue undoubtedly riled people up even further. His announcement tweets set up a completely false choice between “yelling at users to do better” or offering a fundamentally inferior security flow. But the initial problem was entirely DeSo’s design, not user laziness. The new “solution” seems to have been chosen for appearances rather than effectiveness: Al-Naji and his team don’t want to bother users with downloading a secure software wallet, but they also can’t admit error by reversing their own earlier bad design decision. Instead, we got a classic double-down.
UX is a security issue
As much as DeSo itself is dancing with the devil here, the much larger issue for critics seems to be that their seed-phrase login flow will train users in poor security practices. That could lead to even more misunderstanding and tragedy across the entire nascent Web 3 ecosystem.
“DeSo infuriates me because they acknowledge the responsibility of the wallet while simultaneously willfully disregarding every basic best practice in the book,” Monahan told me when I reached out for more insight. “It’s not just that they store secrets in an insecure way in the browser or that they are training users that it’s okay to enter secrets onto any ol’ website, it’s the lengths they go to defend their malicious actions.
“This begs the question: if serving users is not a priority, what is DeSo’s actual motivation within the Web 3 ecosystem?”
That’s a particularly biting critique because DeSo is so entwined with the very entities focused on taking “Web 3″ mainstream (or at least making money in the effort). In its early incarnation, when it operated and sold tokens as BitClout, DeSo raised funds from at least 19 sources, including Blockchain.com Capital, Arrington XRP Capital, Winklevoss Capital, and, most notably of all, Andreessen Horowitz. Andreessen Horowitz has taken point on advocating for Web 3, including during Jack Dorsey’s recent anti-Web 3 blowup.
Of course, these funds don’t directly control the choices of founders or companies they invest in. But this isn’t the first time DeSo has threatened to become an embarrassment for its backers.
A ‘dark pattern’
The Google Drive debacle comes after other moves by DeSo that have been widely viewed with skepticism or suspicion. Close to the top of the list is the questionable design of DeSo’s initial fundraising, conducted as BitClout. The early sale of CLOUT tokens used what’s known as a “bonding curve” that, according to critics, amounted to an unusually generous giveaway to private presale investors (even by crypto standards).
BitClout also triggered rage for what some saw as cavalier disregard for individual property rights and privacy. To build profiles on the first version of the product, BitClout scraped Twitter for users’ profile pics and other assets. Then it encouraged users to pay for the privilege of taking control of BitClout accounts created, without their permission, using their own intellectual property.
As part of the rebrand to DeSo, the CLOUT token has since been swapped for deso. BitClout itself is now billed as a single app built on top of the DeSo blockchain. But there is significant reason to believe this was a rebrand of convenience, given the broad backlash against BitClout over these and other issues. Also notable is that, as described by Protos Media, the rebrand was in some cases misreported as DeSo raising new funding, when it carried forward the same $200 million raised under the BitClout name.
In a positive development, Al-Naji does seem to have been somewhat humbled by the backlash to his Sunday announcement. He has since taken to Twitter to, with something that almost seems like sincerity, ask for better options for “a full self-custody login that is totally private (no PII), low-friction, mobile-friendly, and doesn’t require an extension”.
Personally, I find the insistence on avoiding an extension or another clearly firewalled security layer to be misguided. Al-Naji rightly points out that downloading and installing an extension is a barrier for some users – but so is downloading a streaming app to your Roku, and Netflix seems to be doing fine. Some compromises may be necessary to add new users, but key management is an inherent feature of Web 3, not an irksome bug. At this stage in the game, it’s the responsibility of startups to train future Web 3 users to do things the right way.
Choosing instead to give users a way to lazily circumvent the basic architecture of Web 3 might benefit the growth of individual operations like DeSo in the short run. But by teaching the wrong lessons, such practices are increasing user risk and, in turn, weakening the foundations for every other project in the ecosystem. That helps explain exactly why so many people are hopping mad: DeSo’s security misstep, ironically, amounts to a kind of theft from the larger Web 3 effort.