Exploring the Secrets of Wallet Connection in the Blockchain Ecosystem
A wallet is not just a tool for creating accounts and managing private keys; it has one more important function: connection.
When a wallet is connected to a decentralized application (DApp), users gain a convenient gateway to freely navigate the Web3 world. When a wallet is connected to another wallet (e.g. connecting a hot wallet with a cold wallet), users can manage their digital assets more securely and flexibly.
This connectivity empowers wallets beyond being a mere entrance to the blockchain world; it becomes a powerful passport leading users to a more immersive and enriching blockchain ecosystem.
Two Types of Wallet Connections
Wallet-to-DApp Connection
When entering any DApp’s frontpage, you can usually see a “Connect” button, which connects the DApp to a blockchain wallet. When users click on “Connect” they can find a variety of options, such as WalletConnect, imToken, OKX Wallet, MetaMask, etc. Just choose one of them to connect to, and as long as the connection is successful, the user can log in to the DApp and use it smoothly.
The connection options offered by Lido
Among the many options, WalletConnect is the most common connection protocol. It lets a DApp ask the user to sign transactions and to prove ownership of a wallet through a signature request, and it supports various chains. Notably, WalletConnect allows easy login via QR code scanning.
In addition to WalletConnect, there are other well-known protocols that can realize Wallet-to-DApp Connection, such as EIP-1193. Both MetaMask and imToken employ EIP-1193, so when accessing a DApp within imToken to establish a wallet connection, even if you opt for MetaMask, imToken can successfully connect to the DApp.
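The EIP-1193 interface mentioned above, as an added example written for this page rather than code from imToken or MetaMask: it shows the DApp-side connect handshake against the `request()` / `on()` provider interface that EIP-1193 defines. `makeMockProvider` is a constructed stand-in for the object a wallet injects as `window.ethereum`, so the flow runs offline in Node.js; the `connectDapp` name and its session object are assumptions of the example.

```javascript
// ProviderRpcError codes defined by EIP-1193.
const USER_REJECTED = 4001;
const UNSUPPORTED_METHOD = 4200;

function rpcError(code, message) {
  return Object.assign(new Error(message), { code });
}

// Constructed mock of an injected provider. Real providers expose the same surface:
// request({ method, params }) returning a Promise, and on(event, handler) for events.
function makeMockProvider({ accounts, chainId, rejectConnect = false }) {
  const listeners = new Map();
  return {
    request({ method }) {
      switch (method) {
        case 'eth_requestAccounts': // EIP-1102: prompts the user, returns the approved accounts
          return rejectConnect
            ? Promise.reject(rpcError(USER_REJECTED, 'User rejected the request.'))
            : Promise.resolve(accounts);
        case 'eth_chainId':
          return Promise.resolve(chainId);
        default:
          return Promise.reject(rpcError(UNSUPPORTED_METHOD, `Unsupported method: ${method}`));
      }
    },
    on(event, handler) {
      if (!listeners.has(event)) listeners.set(event, []);
      listeners.get(event).push(handler);
      return this;
    },
    // Test hook: simulates the wallet switching accounts or chains.
    emit(event, payload) {
      (listeners.get(event) || []).forEach((h) => h(payload));
    },
  };
}

// DApp-side connect flow. Returns a session object instead of throwing so the UI
// can show a specific message for each outcome.
async function connectDapp(provider, { expectedChainId }) {
  const session = { connected: false, accounts: [], chainId: null, reason: null };
  try {
    session.accounts = await provider.request({ method: 'eth_requestAccounts' });
  } catch (err) {
    // 4001 is a deliberate user decision: report it, never re-prompt in a loop.
    session.reason = err.code === USER_REJECTED ? 'user rejected connection' : `provider error ${err.code}`;
    return session;
  }
  session.chainId = await provider.request({ method: 'eth_chainId' });
  if (session.chainId !== expectedChainId) {
    session.reason = `wrong chain ${session.chainId}, expected ${expectedChainId}`;
    return session;
  }
  session.connected = true;
  // Keep session state in sync with the wallet; both events are defined by EIP-1193.
  provider.on('accountsChanged', (accounts) => {
    session.accounts = accounts;
    if (accounts.length === 0) {
      session.connected = false;
      session.reason = 'wallet locked or disconnected';
    }
  });
  provider.on('chainChanged', (chainId) => {
    session.chainId = chainId;
    session.connected = chainId === expectedChainId;
    session.reason = session.connected ? null : `wrong chain ${chainId}, expected ${expectedChainId}`;
  });
  return session;
}
```

The chain check matters because a DApp that keeps using a session after `chainChanged` fires will build transactions for the wrong network; treating an empty `accountsChanged` as a disconnect avoids showing stale balances after the wallet is locked.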
Wallet-to-Wallet Connection
As more and more users turn to offline wallets (e.g., hardware wallets, cold wallets) to manage private keys securely, a new wallet connection scenario has emerged: connecting an offline wallet to a watch-only wallet.
Note: A watch-only wallet, whether a mobile wallet, PC wallet, or extension wallet, is the gateway through which offline-wallet users transfer assets or transact on the blockchain. The watch-only wallet does not manage or record any private key or keystore information.
The watch-only wallet sends unsigned transaction data to the offline wallet, which signs it and returns the signed data. Upon receiving the signed data, the watch-only wallet can then broadcast the transaction.
Three Ways of Data Transmission: USB, Bluetooth, QR code
The data transfer between offline wallets and watch-only wallets can be done through USB, Bluetooth, and QR code. For example, when using a hardware wallet, you can connect to a PC wallet via USB, or you can connect to a software wallet such as imToken via Bluetooth.
Compared with USB and Bluetooth, a QR-based connection is easier to decode and more broadly compatible: it works with more types of watch-only wallets and does not depend on the operating system or application version. As a result, this connection method has gradually become mainstream and is widely used in various protocols, especially in the "wallet connection" scenario.
In this type of connection, the public key and signature data are transmitted through the QR code.
Choose the Wallet Connection Method that Suits You
Usage Scenarios

| Usage scenario | Wallet type | Use case |
| --- | --- | --- |
| Storing large amounts of digital assets only | Offline wallet | Assets can be managed securely using imKey hardware wallets or imToken cold wallets. |
| Storing large amounts of assets and planning to transfer, exchange, and so on | Offline wallet and watch-only wallet | Use an imKey hardware wallet or imToken cold wallet connected to the imToken software wallet to store private keys securely, transfer, and transact. |
| Storing small amounts of assets | Software wallet | Assets can be managed using imToken. |
| Storing small amounts of assets and planning to transfer, exchange, and so on | Software wallet and extension wallet | Use imToken directly, or scan the QR code to connect to other extension wallets to transfer and transact on the web side. |
In the management of digital assets, choosing the right connection for your needs is key to achieving a balance between security and convenience. Such a choice allows you to better manage your assets and enjoy an even better experience. It is worth mentioning that the latest version of imToken provides more choices, supporting the connection of extension wallets and hardware wallets via QR code, bringing users more flexible operation possibilities. This not only ensures the security of transactions, but also provides great convenience.
This flexibility lets you choose the most suitable connection method for your needs, whether safeguarding large holdings or transacting smaller amounts. imToken provides a full range of options, freeing you from traditional constraints and making it easy to switch between and manage digital assets. This convenience makes day-to-day asset management more comfortable.
2023-12-01 imToken 2.14.0: Support for connection with other hardware / extension wallets for enhanced security
imToken 2.14.0 supports ERC-4527, enabling QR-based connections with other wallets, enhancing the security and convenience of transactions. Additionally, imToken's built-in swap feature now supports Polygon, offering users a more diverse digital asset exchange experience.
This update further strengthens the security risk control system, adds account permission verification when importing Tron wallets, and provides comprehensive security guidelines for imKey usage.
This update is as follows 👇👇👇
Support for connection with other hardware / extension wallets for enhanced security
Built-in swap feature supporting exchanges on Polygon
Enhanced security risk control system
Added account permission verification when importing Tron wallets
Comprehensive imKey security usage guidelines
Support for connection with other hardware / extension wallets for enhanced security
imToken 2.14.0 now supports ERC-4527, allowing you to connect with other wallet products via QR codes. This method facilitates secure and convenient transaction experiences across different wallets. The update primarily provides two connection methods:
1. Connect imToken to extension wallets
Keep your imToken offline, click ">" on the ETH wallet page and choose "Connect with other wallets" to present the QR code.
In MetaMask, select "QR-based" for scanning. After successful connection, you can perform transfers, receive funds, and explore various DApps in MetaMask. This method ensures the offline storage of private keys and seamless connection with extension wallets.
It is recommended to keep your imToken offline throughout the whole process.
2. Connect imToken to hardware wallets
You can connect imToken to hardware wallets (e.g., Keystone) and use imToken as a watch-only wallet. Open the wallet page, click the menu bar in the top-left corner, click "+", then "Connect with other wallets," and select the wallet you want to connect to. After successful connection, you can initiate transfer with imToken, confirming transactions by signing on the hardware wallet.
For hardware wallet owners, using imToken as a watch-only wallet facilitates convenient asset management.
Built-in Swap Feature Supporting Exchanges on Polygon
imToken's built-in swap feature now supports token exchange on Polygon, enhancing the digital asset trading experience. Switch networks by clicking the top-left button on the market page to begin your exchange journey on the Polygon network.
Additionally, to enhance exchange security on the Ethereum network, we have introduced swap protection, ensuring each transaction is MEV guarded.
Note: Swap protection is currently available only on Ethereum.
Enhanced Security Risk Control System
Added account permission verification when importing Tron wallets
The latest imToken version supports account permission verification when importing Tron wallets. If any changes in account permissions are detected, the import process will pause, prompting you to confirm its safety before proceeding. For more information, please refer to this blog: Beware of TRX wallet account permission change scams.
Increased imKey Security Usage Guidelines
imToken 2.14.0 automatically checks the status of the imKey hardware wallet during the binding process and provides security usage guidelines. This ensures a user-friendly and secure hardware wallet experience, making it easy and safe to manage digital assets using imKey.
How to download
For Android users
New users: Go to the imToken official website (https://token.im) and download.
Existing users: Update directly in the app.
For iOS users: Go to the App Store and download. Note: imToken is not listed in the App Store in Mainland China.
You can also send "Download" to [email protected] to get the link of the latest version of imToken.
Finally, please always remember
Make sure that all wallets are properly backed up before upgrading
Never disclose your private key, seed phrase, or keystore
Learn more: https://token.im
2023-12-04 Revamped imToken signature for safer and more intuitive transactions
For most users, the "digital signature", steeped in cryptography, remains elusive. In the cryptocurrency context, where daily trades exceed 10 million and transaction volume reaches billions of dollars, the significance of digital signatures becomes increasingly evident. It plays a key role not only in cryptocurrency transactions but also as an important shield protecting assets.
However, as the signing landscape expands, so do the associated risks. Take the NFT theft incidents that emerged from OpenSea in 2022 as an example. Behind these incidents are often users who were hacked and phished after authorization, resulting in signature theft.
In blockchain transactions, it is not uncommon for authorization to be done inadvertently, resulting in signatures being stolen. In response to such risks, imToken launched a newly designed "signature experience" and enhanced the security risk control system, allowing users to achieve "what you see is what you sign" while ensuring security.
Brand new signing experience. What you see is what you're signing for.
"What you see is what you sign" means that what the user signs should be exactly the same as what he sees and expects. In order to implement this principle, imToken has carried out a comprehensive upgrade in every link involving signature, such as DApp login, transfers, token exchange or authorization, etc., so that users can easily understand every transaction. The following are optimization points for different scenarios:
1. Login: When logging in to a DApp, a message signature is required to verify identity or agree to the terms of service. imToken will clearly display all signature information, including login information, original data, wallet address, login website and its URL, and the DApp details.
2. Transfer: During the transfer process, imToken has added details to display, and a reminder will pop up when transferring money to a new address for the first time, prompting the user to verify the accuracy of the address. At the same time, a new payment address details page is added to view the historical interaction records with the address to help users better understand the usage of the address.
3. Authorization: When interacting with platforms such as Uniswap, it is often necessary to authorize the token transfer authority to the contract in order to automatically complete the transaction. imToken supports displaying details of two authorization methods, approve and permit, including authorization amount, time, token and contract details, etc. In addition, it also supports modifying the authorization amount and time directly by clicking "Edit".
4. Contract interaction: On the interactive pages of platforms such as Uniswap, Tokenlon, OpenSea, and cross-chain bridges, imToken now shows the detailed changes in token quantities and contract details to help users judge whether the interaction meets expectations and is safe.
Enhanced risk control system for added security.
Faced with increasingly aggressive malicious-signature attacks in the market, imToken has upgraded every signature scenario and potential risk point, greatly strengthening the protective capability of the risk control system.
1. Professional targeted measures
Unparseable signatures such as eth_sign: Set risk reminders while retaining the user's operational autonomy;
Non-standard EIP-712 Type signature: if the format changes, set a clear reminder;
ENS security risk control: Set clear reminders for possible zero-width characters.
2. Active security protection
Mark risky tokens, ban risky addresses and DApps;
When transferring funds to the contract address, a reminder will pop up to ensure that misoperation is avoided;
When authorizing an ordinary account, a reminder pops up to reduce the risk of wrong authorization;
In the token exchange process, a warning alert pops up if slippage is too high.
Be Cautious with Risky and Contract Addresses
Finally
We sincerely invite users to provide valuable suggestions and feedback to help us further optimize and improve, and provide a more intuitive and secure signature experience in the encryption ecosystem. At the same time, imToken will continue to explore and continue to bring you more new functions and scenarios in the future, so as to provide you with more comprehensive and safer services.
If you have more suggestions, feel free to share them with us.
2023-11-18 Discover the New Trading Solution on Your Wallet | ETHKL
Speaker: Tokenlon Product Manager Randy
Hello everyone, I'm Randy, the Product Manager at Tokenlon. I'm a tech enthusiast and an avid DeFi user. I'm also a pet lover and have a Dachshund. If you want to get in touch with me, you can find me on Twitter at @Randylien.
Before we get started, let me give you a brief introduction to Tokenlon and imToken.
Tokenlon is a decentralized trading and payment settlement protocol built on the blockchain, incubated by imToken in 2019 and now offering instant swaps and limit orders.
The latest version of imToken brings a brand new signing experience called "You Sign What You See." Now, you can preview your transactions before confirming them to ensure that the transaction details match your expectations. Furthermore, imToken has updated its risk control system to provide better security and protection, guarding against phishing and scams.
This article will provide an overview of DeFi, including its usage, challenges, and the origins of the concept.
As we can see, the current DeFi space offers numerous remarkable solutions, including Swap, Staking, LP, Perpetual, Options, LSD, and RWA, among others. However, despite these rich options, there are still some challenges for the average user.
The first challenge in DeFi is the complexity of transactions, as these products tend to be intricate and require a higher level of risk management expertise. Additionally, trading is a specialized skill that requires an understanding of market trends, the ability to control emotions, and the timing of sales.
I believe that spot trading is the most common method. It's relatively easy to get started with, but it requires users to handle their own transactions, make judgments about market trends, and avoid buying high and selling low.
The second challenge in DeFi is the uncertainty of timing, particularly when making buying decisions. If you're unsure about the best time to purchase, there are two primary approaches to consider:
1. Lump Sum Investment: This approach is suitable for entering the market quickly, especially during bullish market conditions. It involves investing a significant amount of capital all at once. The advantage is that it can be more effective in a bull market, where asset prices are generally on the rise. However, it carries the risk of buying at the peak of a price rally.
2. Dollar-Cost Averaging (DCA): DCA is ideal for those who want to invest consistently over time. It performs well during bear markets and provides peace of mind because you continue to purchase assets at regular intervals, regardless of whether the market is up or down. This strategy helps to average out the cost of your investments, reducing the impact of market volatility. DCA also makes it easier to accumulate assets, especially during market downturns when prices are lower.
Looking ahead to the future of DeFi trading, we can anticipate several key developments:
1. Simplifying and improving the user experience will be a key focus of future DeFi, allowing users to easily concentrate on factors such as price, budget, and duration, making it more accessible for new users.
2. Collaborating with professional market makers to ensure more competitive prices, thus enhancing the overall DeFi trading experience.
3. Transactions will become more flexible and secure, with users maintaining control of their funds in their wallets. Strong risk control measures will be in place to safeguard user investments and assets, enhancing overall safety.
Going forward, the focus will be on optimizing prices and performance, reducing costs and increasing the efficiency of DeFi transactions to provide an enhanced user experience that meets market demands. User engagement, feedback, and testing will remain critical in refining and improving products.
Continuous efforts will be made to provide stable and efficient services, meeting the evolving needs of users. While the DeFi space presents opportunities and challenges, streamlining processes and offering more automation tools will enable more individuals to participate, mitigate risks, and increase returns in the ecosystem.
2023-11-29 Ethereum Staking: A Way to Store Assets Across Investment Cycles
This article is compiled based on the presentation by imToken Product Manager Yuan at ETHKL.
Ethereum's transition to proof-of-stake has allowed ETH holders to participate in securing the network by staking their coins. In return, stakers earn attractive rewards in the form of newly minted ETH. The average APY is about 4.51% and the median APY is roughly 3.57%.
At first glance, the APY for Ethereum staking does not seem particularly high. However, this system is quickly gaining adoption, with over 27 million ETH worth $4.2 billion now staked. That represents 22.91% of the total ETH supply.
So why do so many people choose to stake their ETH? To understand the appeal of staking, we first need to take a step back and examine what Ethereum staking actually involves.
What is Ethereum Staking?
Ethereum staking involves depositing ETH into smart contracts to become a validator on the network. As validators, users are responsible for:
Storing network data
Validating transactions
Proposing and verifying new blocks
In essence, validators provide critical infrastructure to keep Ethereum secure and add new blocks to the blockchain.
In return for providing these services, the Ethereum protocol rewards validators by issuing new ETH as incentives. Validators can earn greater rewards for staking more ETH, aligning their interests with securing the network.
Validator rewards originate from two main sources:
Staking Rewards: New ETH minted by the protocol to incentivize participation. This makes up 73.4% of all rewards.
Block Rewards: A portion of fees from transactions included in each block. Fees account for 17.7% of rewards. There's also extra revenue called MEV (Maximum Extractable Value) which validators can capture, making up the remaining 8.9% of rewards.
However, validators who act dishonestly or improperly will be slashed and lose a portion of their staked ETH as punishment.
Ethereum Staking is Data Validation, Not Investment
It's important to clarify how ETH staking differs from traditional investing. Stakers are not "investing" their ETH in hopes of earning unsustainably high returns. The rewards come from real economic activity on Ethereum in the form of fees and protocol-issued incentives.
Stakers are providing valuable services and getting paid for it. They help decentralize the network and share in the upside as Ethereum grows. It is a sustainable system that discourages manipulation and properly incentivizes good behavior from validators.
Global Distribution of Validators
As of 2023, there are over 860,000 validator nodes on Ethereum which have staked ETH and are participating in block production and transaction validation. This provides a high level of decentralization.
Importantly, these validators are distributed across many different countries rather than concentrated in one region. The United States accounts for around 34% of validators, the most of any single country, and Germany follows with roughly 13% of the validator base. Other major participants include the UK, France and Canada, which each account for 3-6% of validators.
This worldwide distribution helps make Ethereum highly decentralized and censorship-resistant. If validators were concentrated primarily in a single country or region, it would raise concerns over centralization and aligned interests. But with validators dispersed globally, no single entity can control the network. All participants have incentives aligned around securing Ethereum and supporting its continued growth and adoption.
Evaluating the Different Staking Options
There are several ways ETH holders can get involved in staking:
Solo Staking: Running your own validator node requires 32 ETH and high technical competence. The most secure and permissionless option but lacks liquidity.
Staking Services: Also need 32 ETH. A provider maintains infrastructure and operations for you. Non-custodial so you retain ownership.
Pooled Staking: Requires small amounts like 0.01 ETH. Providers aggregate funds from many users. Easy to use but introduces counterparty risk.
Centralized Exchanges: Can stake any amount but relinquish control of assets. Highest trust requirements.
Each approach involves tradeoffs around factors like minimums, liquidity, trust, and technical needs. For many, pooled staking strikes the right balance by enabling easy access for smaller amounts while maintaining wallet custody.
Related reading: The Pros and Cons of Different ETH Staking Solutions
Why So Much ETH is Staked
The sheer amount of ETH migrating to staking, representing over 20% of total supply, demonstrates the appeal of this system. There are several driving factors:
Attractive Rewards: Although an APY of around 4-5% does not seem very high, it is still an enticing yield in the current macro environment, providing a steady stream of income for long-term holders.
Convenient Participation: Options like pooled staking open up staking to smaller holders and make the process easy.
Secure the Network: Stakers help decentralize Ethereum and secure its future. Many are eager to actively support the ecosystem.
Long-term Potential: Staking ETH now builds your position for the long run as Ethereum scales and adoption grows.
Conclusion
Ethereum staking allows ETH holders of all sizes to earn yields on their assets while helping to secure the blockchain's future. The incentives encourage participation, with over 20% of the total ETH supply already migrated to staking.
As more user-friendly options emerge, staking will become accessible to more people and strengthen Ethereum's network effects. Whether you are a whale with a large ETH balance or hold a smaller amount, you can participate in staking.
Major holders can leverage their ETH power to shape Ethereum's future through non-custodial staking services provided by imToken. At the same time, imToken also makes staking easy for smaller ETH holders through pooled staking features.
Moreover, you'll be a supported staker: with imToken you get staking tutorials, and our customer support is on standby 24/7 in case you ever get stuck.
Related readings:
How to Participate in Non-Custodial ETH Staking with imToken
How to Stake ETH with RocketPool in imToken
How to Stake ETH with Lido in imToken
2023-11-29 Wallet Security Newsletter #19: Permit Signature Security Challenges and Solutions
Permit Signature Risk Disclosure
Recently, we received feedback from multiple users who were directed to phishing sites after Google ad searches, and carried out unknown malicious signatures on these sites, resulting in asset losses. One user lost about 2500 ARB tokens, and it was found that the user's ARB tokens were infinitely authorized to the malicious contract address 0x00005cA8824899d3f6c10522D9cc1b04E05A0000.
Upon investigation, this malicious contract address belongs to the Inferno Drainer scam group. According to Scam Sniffer monitoring data, this scam group has defrauded $41.88 million to date, with a victim count of 89484. They have created over 689 phishing sites, targeting over 220 brands, including recent popular projects like zkSync, Arbitrum, Optimism, and Blur.
The analysis indicates that this was caused by users executing off-chain signatures (Permit authorization signatures) on a phishing site. This is a mechanism that allows users to authorize transactions without directly interacting with the blockchain, thus saving on gas fees. However, as the above user cases illustrate, this signature mechanism also provides an opportunity for phishing attacks. Once the phishers obtain the user's permit, they can transfer the user's authorized assets without the user's knowledge.
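A wallet-side screener for incoming signature requests, added here as an example and not imToken's code. It covers the permit fields a phishing page abuses as described above (unlimited value, distant deadline, a spender the user has never dealt with) together with the risk-control points listed earlier on this page: unparseable `eth_sign` requests, Permit layouts that deviate from EIP-2612, and zero-width characters in ENS names. The request shapes follow the JSON-RPC methods wallets receive (`eth_sign`, `personal_sign`, `eth_signTypedData_v4` with the typed data as its second parameter); the one-year deadline threshold, the `knownSpenders` allowlist and the `screenSignRequest` name are assumptions of this example. The sample permit is constructed; its spender is the contract address named in the newsletter above and its token address is a placeholder.

```javascript
const MAX_UINT256 = (1n << 256n) - 1n;
const ONE_YEAR_SECONDS = 365 * 24 * 3600;
const EIP2612_PERMIT_FIELDS = ['owner', 'spender', 'value', 'nonce', 'deadline'];
// Zero-width space/joiners, word joiner and BOM: invisible in most UIs, but distinct code points.
const ZERO_WIDTH = /[\u200B-\u200D\u2060\uFEFF]/;

function hasZeroWidthChars(name) {
  return ZERO_WIDTH.test(name);
}

// EIP-712 typed data: { types, primaryType, domain, message }.
function screenTypedData(typed, ctx, warn) {
  if (typed.primaryType !== 'Permit') return;
  const fields = (typed.types[typed.primaryType] || []).map((f) => f.name);
  const standard =
    fields.length === EIP2612_PERMIT_FIELDS.length &&
    fields.every((name, i) => name === EIP2612_PERMIT_FIELDS[i]);
  if (!standard) warn(`Permit layout differs from EIP-2612 (${fields.join(', ')})`);
  const m = typed.message || {};
  if (m.value !== undefined && BigInt(m.value) === MAX_UINT256) warn('unlimited allowance (2^256-1)');
  if (m.deadline !== undefined && Number(m.deadline) > ctx.now + ONE_YEAR_SECONDS) warn('deadline more than a year away');
  if (m.spender && !ctx.knownSpenders.has(m.spender.toLowerCase())) warn(`spender ${m.spender} is not a known contract`);
  if (typed.domain && ctx.chainId !== undefined && Number(typed.domain.chainId) !== ctx.chainId) {
    warn('domain chainId differs from the connected chain');
  }
}

// ctx: { now (unix seconds), chainId, knownSpenders: Set of lowercase addresses, ensName? }
// Returns findings to display; the user keeps the final decision, as the page describes.
function screenSignRequest(request, ctx) {
  const findings = [];
  const warn = (message) => findings.push(message);
  switch (request.method) {
    case 'eth_sign':
      warn('eth_sign signs raw bytes that cannot be parsed or displayed');
      break;
    case 'eth_signTypedData_v4': {
      const raw = request.params[1];
      screenTypedData(typeof raw === 'string' ? JSON.parse(raw) : raw, ctx, warn);
      break;
    }
    case 'personal_sign':
      break;
    default:
      warn(`unrecognised signing method ${request.method}`);
  }
  if (ctx.ensName && hasZeroWidthChars(ctx.ensName)) warn('ENS name contains zero-width characters');
  return { level: findings.length ? 'warn' : 'ok', findings };
}

// Constructed sample: the permit a phishing page would ask the user to sign.
const PLACEHOLDER_TOKEN = '0x' + '11'.repeat(20);
const SAMPLE_OWNER = '0x' + '22'.repeat(20);
const SAMPLE_PHISHING_PERMIT = {
  types: {
    EIP712Domain: [
      { name: 'name', type: 'string' }, { name: 'version', type: 'string' },
      { name: 'chainId', type: 'uint256' }, { name: 'verifyingContract', type: 'address' },
    ],
    Permit: EIP2612_PERMIT_FIELDS.map((name) => ({
      name, type: name === 'owner' || name === 'spender' ? 'address' : 'uint256',
    })),
  },
  primaryType: 'Permit',
  domain: { name: 'Token', version: '1', chainId: 42161, verifyingContract: PLACEHOLDER_TOKEN },
  message: {
    owner: SAMPLE_OWNER,
    spender: '0x00005cA8824899d3f6c10522D9cc1b04E05A0000', // address named in the newsletter
    value: MAX_UINT256.toString(),
    nonce: 0,
    deadline: 4102444800, // year 2100
  },
};
```

Run against the constructed sample with an empty allowlist and a clock set to late 2023, the screener reports three findings (unlimited allowance, far deadline, unknown spender); a permit for a fixed amount, a ten-minute deadline and a known spender reports none.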
Note: Avoid signing anything if you do not understand the purpose of the signature, as it could very likely be a scam!
Learn More: Revamped imToken signature for safer and more intuitive transactions
Important
Token authorization is a common operation in blockchain transactions, but it also carries certain risks. We need to exercise caution when reviewing each authorization request, and regularly manage them to safeguard assets.
Before Authorizing:
Conduct thorough research: Do solid research before using a new DApp. Understand its background, reputation, and development team to ensure its credibility.
Verify contract addresses: When using a DApp, verify the accuracy of contract addresses. Avoid clicking on unclear links or obtaining addresses from unverified sources.
Use official channels: Always download apps from official websites or app stores to prevent malware infection.
Guard against phishing attacks: Be cautious of phishing attacks, avoid clicking on unfamiliar links, and refrain from providing personal information or private keys.
After Authorizing:
We recommend users to regularly use security check tools to check and revoke unknown off-chain signature authorizations, and set suitable limits when authorizing.
Steps to check authorization: Open the ETH wallet, slide the function bar to the left and click 'Revoke'. You can see the authorization status by scrolling down the Revoke page.
Steps to revoke authorization: If you want to revoke authorization, click the menu bar in the upper right corner after entering the Revoke DApp page. Select 'Connect Wallet' and click 'WalletConnect' - 'imToken' to connect your wallet. After connecting your wallet successfully, scroll down to find the authorization you wish to cancel in the list, click the 🖊️ button to edit the 'Approved Amount,' and then click 'Update' to sign and complete the process.
Steps to edit authorization: imToken supports displaying details of two authorization methods, approve and permit, including authorization amount, time, token and contract details, etc. You can click "Edit" to modify the authorization amount and time.
Learn More
Besides Permit, in previous Wallet Security Newsletter, we have disclosed other scams such as fake website scams, SMS scams, mnemonic phrase scams, and authorization scams that also need to be guarded against.
#1: Fake websites and wallets
#8: My wallet was drained but my password was not compromised
#10: Beware of "Zero-Dollar Purchase" NFT Phishing Scams!
#12: Two major questions about the new scam
imToken Is Always Protecting Your Asset Security
Brand New Signing Experience. You Sign What You See.
In blockchain transactions, it is not uncommon for authorization to be done inadvertently, resulting in signatures being stolen. To address this, imToken has carried out a comprehensive upgrade so that users can easily understand every transaction and the meaning of their signatures. The following are optimization points for different scenarios:
Active Security Protection
To combat the growing threat of malicious signatures, imToken has comprehensively upgraded and improved signature processes and potential vulnerabilities across all areas:
Mark risky tokens, ban risky addresses and DApps;
When transferring funds to the contract address, a reminder will pop up to ensure that misoperation is avoided;
When authorizing an ordinary account, a reminder pops up to reduce the risk of wrong authorization;
In the token exchange process, a warning alert pops up if slippage is too high.
Be Cautious with Risky and Contract Addresses
End
imToken places a high priority on the safety of its users' assets and, in addition to implementing security measures, flagged 511 risky tokens, 608 risky DApp sites, and 2965 risky addresses in September to assist users in identifying risky tokens and avoiding scams.
If you suspect that a token or DApp is risky, please inform us promptly at [email protected].
2023-11-30 imToken 2.13.5 Enhances Signing Protection and Simplifies Asset Management
imToken 2.13.5 extends Ethereum's "You sign what you see" and risk control features to 11 more chains, enabling seamless signing across wallets. Additionally, we've added a "Transfer with cross-chain bridge" option for getting tokens within the wallet, giving users more flexibility when topping up their accounts.
Furthermore, we've enhanced our non-custodial ETH staking service with batch validator management and address-based grouping for improved efficiency and convenience.
The update is as follows 👇👇👇
Optimized signing experience and risk control system for 11 chains
Getting tokens is now more convenient with cross-chain bridge transfers
Batch management of ETH validators enabled for improved efficiency
Upgraded WalletConnect 2.0 for a smoother desktop experience
Supported Scroll, the native zkEVM Layer 2 solution
Extended "You Sign What You see" and Risk Control Features to 11 More Chains
The previous imToken update brought the "You Sign What You See" feature to Ethereum. This new release extends this intuitive signing experience to 11 more chains - Bitcoin, Cosmos, Tron, Nervos, BCH, Litecoin, Polkadot, Kusama, Filecoin, Tezos and EOS.
We've also upgraded the risk control system of these chains. Users will receive alerts for triggered risks, like compromised account permissions when accessing risky DApps.
Security alert when accessing risky DApps
Learn more: Sign What You See for Safer Transactions
Get Tokens with Cross-Chain Bridge Transfers
To make it easier for users to obtain digital assets, imToken has provided a "Get tokens" entry that supports easily acquiring tokens through purchases, withdrawals from exchanges, and transfers from other wallets.
In this update, we have added “Transfer with cross-chain bridge" under the "Get Tokens" entry for Layer 2 networks. Users on Arbitrum and Optimism can now click "Get tokens" - "Transfer with cross-chain bridge", choose a bridge and transfer in assets from other networks to start their Layer 2 journey.
Note: “Deposit" and "Withdraw" are now consolidated under "Bridge". If you want to make cross-chain deposits and withdrawals on Layer 2 networks, click "Bridge."
Learn more: Easily Get Tokens with imToken and Dive into Web3
Batch Operations of ETH Validators
No matter how much ETH you hold, you can easily participate in a staking pool or non-custodial staking through imToken to enjoy stable returns.
imToken 2.13.5 enhances staking services with validator batch management, streamlining batch exit and withdrawal setup. Validators are now categorized by associated wallets for simplified management and improved staking experience.
WalletConnect 2.0 Optimization for Smoother Desktop Experience
To deliver a more stable and secure DApp interaction, we’ve fully supported WalletConnect 2.0 since June, enabling imToken users to scan QR codes and connect with desktop DApps across multiple chains. This allows seamless DApp engagement across networks.
imToken 2.13.5 improves WalletConnect 2.0 functionality with clearer connection prompts and operation guides, further strengthening stability and security when accessing DApps via WalletConnect 2.0.
Supported Scroll, the Native zkEVM Layer 2 Solution
This zkEVM-powered Layer 2 solution natively supports EVM and provides scalability. Major protocols like Sushi and Aave have already joined its thriving ecosystem.
Want to get a head start and tap into potential opportunities? imToken offers direct access to DApps on Scroll. Simply tap the central button at the top of the Asset page, switch to the Scroll network, and hit "DApp" in the toolbar. You are one click away from the hottest DApps on Scroll.
How to Download/Update
For Android users
New users: Download from the imToken official website (https://token.im).
Existing users: Update directly in the app.
For iOS users: download from the App Store. Note: imToken is not available on the Mainland China App Store.
You can also send "Download" to [email protected] to get the latest version of imToken.
Important
Make sure that all wallets are properly backed up before upgrading
Never disclose your private key, seed phrase, or Keystore
Learn more: https://token.im
2023-12-03
Inventory of Common 'Address Phishing' Tactics
Preface
Since the beginning of this year, imToken has received numerous user reports of wallet addresses falling victim to "address phishing" attacks. In these attacks, scammers employ various tactics to deceive users into voluntarily transferring funds to them. Let's take a closer look at the tricks scammers use and work together to expose these scams!
Address Phishing Tactics
Transaction Phishing
"Address phishing" builds on what imToken previously disclosed as the "Same-Ending Digits Address Scam": the scammer sends small transactions to a user's address from an address whose last few digits match those of a legitimate counterparty, polluting the user's transaction history so that a later transfer goes to the wrong address. Recently, the imToken security team has observed scammers increasing their investment in this tactic. As shown in the following image, the scammer spent 3 USDT on the phishing transactions and succeeded in the end.
imToken Security Team Reminder:
When making a transfer, please do not simply copy the address from your transaction history.
After entering the recipient's address, meticulously cross-check each character to ensure the address is entirely accurate.
Clipboard Phishing
Bob encountered a strange incident where he successfully made a transfer, but his friend on the other end didn't receive the funds for a long time. After careful examination with his friend, they discovered that the recipient's address was not actually his friend's address; it was only the last few digits that matched. What puzzled Bob even more was that this address was sent by his friend through a chat application just moments ago, so there shouldn't have been any issues. Perplexed, Bob contacted the imToken team.
During communication with the imToken security team, Bob mentioned that he had downloaded Telegram from a random source he found on Baidu. As it turns out, Bob was using a counterfeit chat application, and this app had invaded his phone's clipboard, granting the scammer access to read and modify the clipboard's contents. Anything copied by the user would be obtained by the scammer, who could also alter the clipboard's content.
When the user copied a wallet address, the scammer would replace it with their own wallet address, further enhancing their phishing success rate by employing the "same-ending digits strategy."
For example, if you copied the address
TRNvRJT2zvdRHzgvM2Rnrtr3ANaT8b2XEQ
the pasted address turns out to be
TY7976avKs8EbdsqFMbNButNEwDcQp2XEQ
Scam reenactment video from a CN user: https://tieba.baidu.com/p/8179666515
imToken Security Team Reminder:
Please be sure to download from official sources and avoid installing applications of unknown origin.
Manage your device's app permissions effectively by revoking unnecessary permissions in the device's app management settings.
When making transfers, it's essential to double-check critical information such as the recipient's address and the transfer amount.
OTC Scam Phishing
Scammers often use enticing phrases like "selling at a low price" or "buying at a high price" for digital assets to lure you into engaging in private transactions.
For example, let's say Bob was approached by a scammer on Telegram who offered to purchase ETH for $2,000, claiming an urgent need. Bob thought, "The current ETH price is only $1,600; this is a great opportunity to make some money!" He then contacted the scammer, expressing his willingness to sell ETH and provided his USDT deposit address on the exchange.
TRNvRJT2zvdRHzgvM2Rnrtr3ANaT8b2XEQ
The scammer initially sent a small amount of USDT to Bob's address to ensure its correctness.
After gaining Bob's trust, the scammer provided proof of the 2000 USDT transfer through screenshots and urged Bob to promptly send him the ETH. Although Bob didn't see the USDT credited to his account on the exchange for a while, the scammer provided transfer screenshots, and Bob, through Tronscan, found a 2000 U record under "his own address." Consequently, he mistakenly believed that the funds had arrived but were delayed in appearing on the exchange.
As a result, once the scammer received the ETH, they immediately cut off contact and disappeared, leaving Bob in a state of confusion.
But why did Bob see a 2000 U record under "his own address" on Tronscan yet not receive the assets?
Well, it turns out that when the scammer sent Bob the initial small amount of USDT, they conducted a total of 2 small USDT transfers.
One of the transfers was genuinely sent to Bob: TRNvRJT2zvdRHzgvM2Rnrtr3ANaT8b2XEQ
This transfer will be received by the exchange and credited.
The other one was sent to their own address: TY7976avKs8EbdsqFMbNButNEwDcQp2XEQ
This transfer was to the scammer's own address, intended to deceive Bob by having the same ending digits.
The subsequent transfer of 2000 USDT by the scammer did indeed occur, but it was merely a transfer from one of the scammer's own accounts to another and did not go to Bob's address. Due to Bob's lack of careful information verification during the transaction with the scammer, he mistakenly believed that these assets had entered his own wallet address.
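All three tactics above rely on an address that matches a trusted one only in its last few characters. The following Python checks are an added example, not imToken's code: an address counts as "received" only on an exact match, and same-ending lookalikes are flagged both in the clipboard and in a transaction history. The two Tron addresses are the ones quoted in this post; the transaction ids, the scam sender and Alice's address are constructed placeholders.

```python
from dataclasses import dataclass

# Addresses quoted in the post: Bob's real address and the scammer's lookalike.
BOB = "TRNvRJT2zvdRHzgvM2Rnrtr3ANaT8b2XEQ"
SCAMMER = "TY7976avKs8EbdsqFMbNButNEwDcQp2XEQ"
# Constructed placeholders (not real addresses) for the rest of the scenario.
ALICE = "TAlicePlaceholderAddress0000000001"
SCAM_SENDER = "TScamSenderPlaceholder000000000001"

SUFFIX_LEN = 4  # how many trailing characters people tend to eyeball


def is_lookalike(expected: str, candidate: str, n: int = SUFFIX_LEN) -> bool:
    """True when candidate shares expected's last n characters but differs."""
    return candidate != expected and candidate[-n:] == expected[-n:]


def check_paste(copied: str, pasted: str) -> str:
    """Clipboard-substitution check: compare what was copied with what appears
    in the recipient field. Returns 'ok', 'lookalike' or 'mismatch'."""
    if pasted == copied:
        return "ok"
    return "lookalike" if is_lookalike(copied, pasted) else "mismatch"


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    sender: str
    recipient: str
    amount: float
    token: str = "USDT"


def credited_to(history, my_address):
    """Only an exact recipient match counts as money received; a same-ending
    address seen on an explorer page is not yours."""
    return [t for t in history if t.recipient == my_address]


def lookalike_recipients(history, my_address):
    """Transfers that look like yours at a glance but went elsewhere."""
    return [t for t in history if is_lookalike(my_address, t.recipient)]


def dust_lookalike_senders(history, contacts, dust_max=1.0):
    """Small incoming transfers from addresses mimicking a saved contact, the
    history-poisoning tactic that makes 'copy from history' dangerous."""
    return [(t.tx_id, t.sender, c) for t in history if t.amount <= dust_max
            for c in contacts if is_lookalike(c, t.sender)]


# Constructed history reproducing the OTC scam: one dust transfer really sent
# to Bob, one to the lookalike, then the "2000 USDT" sent scammer-to-scammer.
OTC_HISTORY = [
    Transfer("tx-1", SCAM_SENDER, BOB, 1.0),
    Transfer("tx-2", SCAM_SENDER, SCAMMER, 1.0),
    Transfer("tx-3", SCAM_SENDER, SCAMMER, 2000.0),
]
# Constructed history for Alice, who has Bob in her address book and receives
# dust from the lookalike so that it shows up in her transaction list.
ALICE_HISTORY = [Transfer("tx-4", SCAMMER, ALICE, 0.5)]

if __name__ == "__main__":
    print(check_paste(BOB, SCAMMER))                                   # lookalike
    print([t.tx_id for t in credited_to(OTC_HISTORY, BOB)])            # ['tx-1']
    print([t.tx_id for t in lookalike_recipients(OTC_HISTORY, BOB)])   # ['tx-2', 'tx-3']
    print(dust_lookalike_senders(ALICE_HISTORY, [BOB]))                # [('tx-4', SCAMMER, BOB)]
```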
imToken Security Team Reminder:
Do not engage in private transactions of digital assets with strangers; it's advisable to trade on reputable platforms like Binance, OKEx, and others.
Stay vigilant at all times, and if you encounter any issues, you can inquire with us by opening "My profile" - "Help & Feedback" within the imToken App.
Risk Control
In August, imToken identified a total of 7,144 risky tokens, banned 1,395 risky DApp websites, and marked 447 risky addresses.
Additionally, if you come across tokens or DApps that appear to be risky, please promptly provide feedback to us at [email protected] to help prevent asset losses for other users.
Closing Thoughts
With scams continually evolving, it is indeed challenging for average users to fully prevent them. imToken is committed to rapidly detecting issues and finding solutions, providing timely messages to the community, and educating users about various types of scams to protect them from losses.
We encourage you to read and share imToken Wallet Security Monthly Report and join hands with imToken to safeguard your asset security.
2023-11-01
imToken’s Exploration of the Next-Gen Web3 Wallet UX and Product Framework
The cryptocurrency industry has seen rapid development in recent years and its application scenarios are expanding and gaining more public attention. However, decentralized wallets, which are a key means of interacting with the blockchain world, still present a high learning curve and usage barrier for the general public.
Unfamiliar technical terminology, a unique method for storing private keys, and the frequent occurrence of loss, theft, and fraud have discouraged or intimidated people from engaging with it.
Moreover, user experience processes based on technical implementation have also imposed a significant learning curve on users. Therefore, helping the general public overcome these obstacles and building a user-friendly decentralized wallet experience has become the vision of imToken and many other industry players.
In the process of exploring the next generation of wallet experiences, imToken has started with user research, market segmentation, and user profiling. Beginning with user needs and pain points, we have constructed an information architecture based on usage scenarios and task priorities. The primary focus has been on novice users and newcomers, while also addressing the needs of expert users for decentralization, high security, and censorship resistance.
During the exploration of user experience optimization solutions, imToken has continually summarized corresponding design strategies. For example:
Onboarding: Onboarding is to assist users in understanding the new product model, product value, and exploring cryptocurrency. Creating an account and backing up private keys are not the final step. The exploration process without backup or even without an account is also the process of building trust in the product and closing the knowledge gap.
Token-Centric Information Model: Establishing an information model centered around tokens provides users with a comprehensive understanding when interacting with tokens.
Segmenting Asset Viewing and In-Depth Analysis: Segmenting the scenarios of daily asset viewing and periodic in-depth analysis, imToken uses smart asset analysis to integrate professional insights into specific scenarios. This makes it easier for users to make decisions by providing effective information to different user types.
Private Key Backup: Given the high threshold of private key backup, imToken is actively exploring biometric authentication, personal cloud backups, encrypted file backups, MPC, and smart contract-based backup methods. Each backup method comes with its advantages and challenges, and striking a balance between security, convenience, decentralization, and meeting the needs of different users is a critical consideration.
imToken will continue to explore the next generation of wallet products and collaborate with industry leaders to collectively optimize the user experiences of decentralized wallets.
Three Main Components of Wallets
Next, I’d like to share with you the product framework imToken has developed for next-generation Web3 wallets. I'll cover the issues that the current wallets are trying to solve, existing approaches, and their problems. Lastly, I'll share with you some future approaches that we have in mind.
Consider a typical user request: "I have 3.0 ETH and would like to stake the asset to earn profit."
It actually covers three main components of a wallet.
Firstly, the ownership control, which represents who owns the crypto assets and how to easily and securely verify ownership and allow the owner to authorize assets when necessary.
Next, we also need to solve the account and asset management issues, determining the type of assets the owner has and displaying the information in an organized manner to provide insights to the users.
Lastly, the user will need to use the assets to engage in some blockchain use cases, so we would like to understand the objectives the user has in mind and help them achieve them.
Let's look at how the current wallets are addressing these three components.
At the bottom, we have an ownership control module (also known as key management service) that uses the EOA structure with one pair of private and public keys to manage ownership. For wallets like imToken that manage multi-chain assets, we use the HD structure, allowing users to use one pair of keys to manage wallets on different chains.
However, the assets are still managed separately on each chain, and when users try to engage in on-chain use cases, those experiences are inconsistent across chains. This approach has two main problems: firstly, we use only one pair of keys to manage the wallet, which is a new concept for Web2 users and introduces a steep learning curve. Additionally, this single pair of keys creates a single point of failure with very low fault tolerance.
At the top, assets are managed on individual chains, leading to different experiences for users across chains and restricted liquidity sharing. To address this, we propose the following future approach.
At the bottom, we are going to replace the EOA structure with a more generic ownership control module, which I will discuss later. The benefits of this include introducing more devices and accounts, allowing for risk to be spread across multiple accounts and devices, and making it more user-friendly by leveraging Web2 tools. At the top, we will introduce the idea of a universal account, which aims to provide a chain-agnostic experience to users. This includes multiple components, such as a universal identity portfolio and use case abstractions, which I will discuss later.
This is a side-by-side comparison of the two approaches, providing insights into the differences.
MPC TSS and AA
There are two popular approaches currently in the community: MPC TSS and AA. For MPC TSS, instead of using one key or pair of keys to manage ownership, the ownership is split into different pieces called shares. To claim ownership and sign transactions, the user may need to present multiple shares at the same time. While the concept seems straightforward, there are many more product implementation parameters to consider, such as the number of shares to generate and the relevant threshold setup.
A common approach is the 2-2 approach, where two shares are generated and users must present both at the same time to utilize assets. This is easy to understand but lacks redundancy, meaning if a user loses one share, they cannot recover their wallet.
To address this, some teams use the 2-3 approach, with three shares in total, any two of which can be presented to claim ownership. This adds redundancy but increases complexity and requires user education. In theory any M-of-N combination can be chosen for flexibility, but managing more shares incurs overhead. Another key parameter is the share storage solution. After deciding the number of shares and the threshold, where are you going to store the shares?
A simple answer is to store a share with a platform operator such as imToken. As a wallet operator, we are typically better equipped to manage this critical information, so we can provide a more secure service and users don't have to worry about any other tasks.
However, there are platform dependencies with operators and migrating wallets across platforms lacks interoperability. Engaging with social logins is a good choice for Web2-like experiences and user-friendliness, but relying on centralized Web2 services may not be comfortable for Web3 users.
Other options include storing on hardware wallets and using social recoveries, which have minimal dependencies on centralized services. However, these concepts are complex to explain and to educate users, and social recoveries also have barriers due to the need for widespread blockchain adoption.
Overall, the situation becomes complex as there is a mix and match of different parameters, and businesses may need to consider the best combinations to suit their needs.
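To make the redundancy trade-off between the 2-2 and 2-3 setups concrete, here is an added example that is not imToken's implementation. It uses plain Shamir secret sharing over a small prime field as a stand-in for the TSS share model: a 2-of-2 split cannot survive the loss of one share, while a 2-of-3 split can. Real MPC TSS never reconstructs the key in one place and works over the curve order; the prime and the secret here are demo values.

```python
import secrets

# Demo field: real threshold schemes work over the curve order (e.g. secp256k1);
# this prime is only for illustration.
P = 2**127 - 1


def split_secret(secret: int, threshold: int, shares: int) -> list:
    """Split `secret` into `shares` points on a random polynomial f of degree
    threshold-1 with f(0) = secret; any `threshold` points recover it."""
    assert 1 <= threshold <= shares and 0 <= secret < P
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
        points.append((x, y))
    return points


def recover_secret(points: list) -> int:
    """Lagrange interpolation at x = 0 over the given (x, y) points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def recover_after_loss(secret: int, threshold: int, shares: int, lost: int):
    """Simulate losing `lost` shares of a threshold-of-shares split.
    Returns the recovered secret, or None when too few shares remain."""
    remaining = split_secret(secret, threshold, shares)[lost:]
    if len(remaining) < threshold:
        return None  # e.g. 2-of-2 with one share lost: wallet unrecoverable
    return recover_secret(remaining[:threshold])


if __name__ == "__main__":
    key = secrets.randbelow(P)  # stands in for the wallet's signing key
    print("2-of-2, one share lost:", recover_after_loss(key, 2, 2, 1))        # None
    print("2-of-3, one share lost:", recover_after_loss(key, 2, 3, 1) == key)  # True
```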
imToken is actively exploring different combinations to find the most suitable approach for our business context and target customers. Another approach is the AA wallet, where all wallet logic is written on chain within a smart contract, specifically ERC-4337. The benefits include a programmable ownership control module written on chain, allowing for the introduction of devices, Web2 accounts, and more complex logic such as rules, thresholds, and weights.
Additionally, more programmable use cases can be built, including having someone else authorize transactions or pay gas fees, and social recovery on chain, among other possibilities.
The question here is not about how powerful AA is. It's more about how we strategize our product to find the killer features for our business. Therefore imToken is also exploring this approach.
Let’s take a side-by-side comparison between MPC TSS and AA. MPC has a flexible setup for different business contexts, with most of the work happening off chain, resulting in low cost and multi-chain support because it inherits the HD structure from EOA.
However, teaching users about multiple shares and redundancy can be complex, and every device and account must be able to take part in signing, which limits the types of servers and devices that can be used.
AA is powerful and can support many use cases, with high transparency in implementation logic and minimal dependence on off-chain infrastructure. However, there is additional cost to wallet users due to information being stored on-chain, and compatibility challenges arise when it comes to multi-chain support since each chain may implement AA differently.
There is no one-size-fits-all solution, as it depends on the use case being served. Changwu, our chief scientist, has proposed combining MPC and AA to maximize their benefits. This is also one of the directions that we are exploring.
Universal Account
The next concept is universal account, which includes universal identity, universal portfolio, and use case abstraction.
For identity, people want to use ENS, a more readable domain name, to manage wallet addresses. We plan to expand ENS capabilities by introducing different formats, such as prefixes, to manage multichain wallet addresses and Web2 identities. However, the cost of ENS domains on mainnet, currently around $5-600 per year, is too high for most users.
We are considering using the secure off-chain data retrieval EIP, where platform operators like imToken purchase a main domain, such as .imToken on ENS, and allow users to register subdomains under it. If it's Alice, she will be assigned the subdomain alice.imToken, and everything else will follow the same format.
This structure benefits both the platform operator and users, as the cost is constant for the operator regardless of the number of users and users pay nothing. We hope to use this structure to scale our products and serve our customers better.
Additionally, people want to see their universal portfolios across all their wallets, but currently asset information is stored at the chain level and is most accurate there.
We can manipulate the information at the display layer. On the right-hand side, when users choose an individual wallet view, we present the per-wallet information as it is. On the left-hand side, if people want to see the universal portfolio view, we aggregate the information by token, so they don't have to worry about which wallet is holding the assets.
We are thinking of keeping both views and allowing users to switch between them because they have different benefits. The benefits of a universal portfolio are straightforward and work well with portfolio analytics. For the individual wallet view, experienced users may prefer it because it presents information more accurately, allowing for more accurate actions. The display layer not only presents information but also affects user interactions.
Performing actions in an individual wallet view results in use cases that are specific to that wallet. For a universal portfolio, a new way of interacting with users is needed that focuses on the use case rather than execution details. This is called use case abstraction. For example, Alice is using her universal account alice.imToken to transfer 2 ETH to Bob, who specifies his mainnet address to receive the funds.
The question is how Alice can transfer the money to Bob. There are many ways to do this, and our idea is to introduce the imToken transaction routing module, which presents only the most necessary and critical information to the user for decision-making, while handling the rest of the execution. The user can choose from typical options such as fastest or cheapest in terms of cost, or customized logic, such as paying with BTC first. Each option has details on how the assets will be executed at the bottom.
But as a user you don't have to worry about it. You can just choose the option that is most appealing to you based on your priority and your deciding criteria. And we will handle the rest of the execution for you.
Bob may not want to worry about the receiving address for this transaction, so if he chooses to use his universal account to receive the funds, the situation becomes more complex. However, the logic remains the same. Our transaction routing module finds the best transaction according to different criteria and presents it to both parties so that they can make a selection.
We are doing this because most wallet features today focus a lot on executions, helping users complete tasks. However, users today face difficulties in making decisions because they need someone to facilitate them and also present them with insightful information.
We want to delve deeper into the needs of the user and ultimately understand the key rationale behind their actions. For instance, when staking, the primary goal is to find a way to generate investment profits based on one's wealth and risk tolerance. By shielding users from the details and hassles of the execution, we can better strategize our product to fulfill their deeper needs.
The wallet framework, ownership control model, and universal account model that I have shared are the direction that imToken is exploring. The wallet is the entry point for users to the Web3 world, and we look forward to participating in this revolution and bringing a more user-friendly product experience to users.
2023-09-22