After you install the TrustCheck browser extension for Chrome, TrustCheck is always on, protecting you from a variety of threats.

When you purchase NFTs, transacting with smart contracts, TrustCheck works by placing your transaction on a brief hold and does a few things:

• First, it conducts a transaction simulation to determine what will happen if your transaction is completed (e.g. where will assets end up after the transaction). Smart contracts are complicated, and its sometimes impossible to determine what will actually happen in a transaction without running simulations like this.
• Second, TrustCheck will analyze the nature of the transaction to determine if they will use dangerous functions or compromise permissions to assets. This is a common scam technique.
• Third, TrustCheck will leverage a variety of on-chain and off-chain data sources to search for suspicious wallets, URLs, or activity, including static analysis of web and smart contract code.  Chances are you don’t want to be interacting with a wallet or contract that’s been part of known scams or contains known scam techniques.
• Finally, TrustCheck runs its machine learning engine to predict scams before they occur.

Based on all of these “checks”, TrustCheck quickly provides either a warning, or an explanation of the transaction you are about to confirm. You can then press “Stop” to cancel the transaction or “Proceed” to continue forward with it.

Yes! If you're doing a bunch of transactions on a site you trust, you may want to temporarily pause TrustCheck so you can skip our checks and go right to approving your transactions in your wallet. To do this, simply click the extension icon and hit pause for 30 minutes. If you want to pause the extension indefinitely, right click on the extension icon, hit “manage extension”, and toggle the switch in the top right corner to “off”. You can always restart the extension by turning that back on.

At a high level, TrustCheck activates in two ways to keep users safe: 1) while browsing; and 2) upon triggering potential transactions to a wallet.

While browsing, TrustCheck will warn users if they visit known scam-sites.

At transaction time, TrustCheck will analyze the potential transaction prior to triggering the wallet for approval, and check for a variety of red flags before prompting the user to decide whether or not to proceed.

For the real-time transaction analysis, TrustCheck works by fully-executing potential transactions on an offline fork of the blockchain on Web3 Builders’ backend servers, and then analyzing the entire call trace to show the user all effects the transaction would have on their assets.

Each of the checks involved at these two levels are described in more detail below.

Asset transfers

The extension will flag any transaction that would result in sending assets out without receiving anything back in return.

Note: Since TrustCheck is only currently analyzing ethereum mainnet transactions, it is not aware of assets being received on other chains or layer 2’s.  Thus most bridge transactions will appear as flagged for transferring out, so users should proceed with these transactions only if they understand what they’re doing on a bridge.  Even in these cases TrustCheck can still assist the user, as all other checks will still apply (website checks, address risks, etc).

Approvals

The extension will flag any transaction that would result in granting new approvals to access the user’s assets.  This displays in the extension as "Does not use a safe function" for one of the reasons for throwing the flag.  If however the entity gaining access is on a list of trusted entities (as curated by the Web3 Builders ScamOps team), such as a well-established marketplace or exchange, this warning will instead appear as informational only.

Metadata for verification

Since one of the main mechanisms of asset loss in common scams are users approving transactions that do things they didn’t expect, TrustCheck aims to parse the technical details and clearly display as much as possible about pending transactions.  To do this, TrustCheck aggregates multiple sources of metadata for addresses and projects to show:

• Human-readable names for addresses and contracts, projects, and websites
• Images/Icons for tokens and NFTs
• Contract verification - “Contract verified” indicates that the compiled/deployed version of the contract on chain matches a publicly-accessible open codebase
• OpenSea blue checkmark - When present, the contract for the collection involved in the transaction has undergone OpenSea’s verification

In addition, for those that want to see it, TrustCheck displays the full decoded function parameters for the pending transaction on the transaction details tab.

Dangerous signing requests

TrustCheck will throw a flag when an older style of signature is requested.  These typically contain only a hash such that the transaction itself cannot be decoded (meaning the action it would approve is obscured).  These are flagged since they are often used by scam sites, and there are almost no legitimate use-cases where it should be expected (there are several newer, safer signature methods have been standardized and more widely adopted). See the metamask documentation for more information about signatures.

Transaction loops

In many cases, scam sites will attempt to retry dangerous transactions multiple times, popping up a new request any time a transaction is requested. TrustCheck detects these transaction loops, notifying the user when the site appears to be spamming transactions and offers an easy way to close the site to break out of the loop.

Website checks

Separate from blockchain transaction checking, TrustCheck performs several checks specific to the websites that originate transaction requests.  These include:

• Checking against aggregated allow lists of known trusted / verified entities
• Checking against aggregated deny lists of known bad-actor entities
• Analysis of website code for patterns of known scams (e.g. drainer logic)
• Machine-learning-based similarity scoring against models of known scam sites

Lists of known entities are aggregations of as many public and private reporting sources as possible, as well as scam reports submitted by users in the TrustCheck extension itself.

To prevent as many inaccuracies and spam as possible, all entries are curated and approved by members of the Web3 Builders’ team before inclusion on verified lists.

Website checks are applied while the user is browsing, as well as during transaction analysis.

When the check is triggered while browsing, navigation to the flagged site is gated by a warning, allowing the user to abort or proceed.

At transaction time, the extension displays the analysis of the site that originated the pending transaction:

• “Validated website” : indicates that the site is a known trusted entity
• "Website flagged" : indicates that the site is a known bad actor
• "Website not flagged" : indicates that the site is not definitively identified as trusted or nefarious, but otherwise does not throw red flags identified by the TrustCheck engine

Address / Contract Risk

Similarly to website checks, TrustCheck performs several checks on all addresses involved in a transaction at any point in the call stack (i.e. all contracts, all externally-owned accounts)  These include:

• Checking against aggregated allow lists of known trusted / verified entities
• Checking against aggregated deny lists of known bad-actor entities
• Machine-learning-based similarity scoring against models of known bad actors

Lists of known entities are aggregations of as many public and private reporting sources as possible, as well as scam reports submitted by users in the TrustCheck extension itself.

To prevent as many inaccuracies and spam as possible, all entries are curated and approved by human experts on the Web3 Builders’ ScamOps team before inclusion on verified lists.

On the TrustCheck transaction analysis screen, addresses are described as “high risk” if they meet the criteria for being flagged, or otherwise “not detected as high risk”.

The following is a quick reference list of what each phrase in the TrustCheck extension is referring to. Each of these is described in more detail in the preceding sections.

“Hold on there!”

The transaction is flagged as something that could potentially lead to financial loss.  It isn’t necessarily dangerous in every instance, but the user is recommended to look closely before proceeding.

“Dangerous signing request”

The transaction will ask for an older-style signature that could execute anything (and it’s not possible to decode what that is ahead of time).  Since this is a common method used in scams, the user is recommended to abort.

“Request loop detected”

The site is automatically popping up new transaction requests after previous ones were rejected by the user. Since this is a common method used in scams, the user is recommended to abort and navigate away from the site to break the loop.

“<address> is high risk” / “<address> is not detected as high risk”

Every address of the accounts or smart contracts involved in a potential transaction are analyzed for risk against aggregated allow/deny lists and a machine-learning-based scoring engine.  Note: an address where high risk is not detected does not necessarily mean there is low / no risk in interacting with that address: it only means that the TrustCheck engine did not flag any of the risks it screens for.

<address> could be any of the following:

“Main smart contract”: The primary address the transaction is being made to

“A secondary contract”: Another smart contract that would be called somewhere in the call stack upon executing the main transaction

“Token smart contract”: The smart contract of a token (either fungible or non-fungible) being transacted with as part of the transaction (either a transfer or an approval)

“Counterparty”: Another externally-owned account involved in the transaction (i.e. not a smart contract) - relevant for direct transfers to other wallets

“Entity being approved”: An address that is being granted permissions to access the user’s assets

“OpenSea verified collection”

The contract for the collection involved in the transaction has undergone OpenSea’s verification

“Contract verified” / “Contract not verified”

The contract the transaction is being executed on has been verified as open source by means of third-party compilation and matching against the deployed binaries on chain.  Note: just because the code of a contract is open does not necessarily mean it is without risks, vulnerabilities, or malicious intent

“Uses a safe function” / “Does not use a safe function”

A transaction is marked as not using a safe function when it grants an approval for another entity to access a user’s assets (e.g. through a call to Approve or SetApprovalForAll). Note that for verified entities (e.g. OpenSea), this check is not shown.

“The site you were attempting to access appears to be a known scam”

The site a user navigated to is on a list of known scams, or very closely matches a signature for known scam sites (e.g. contains known drainer code)

“Website flagged” / “Website not flagged”

Whether or not the website that triggered a transaction request is on a list of known scams, or very closely matches a signature for known scam sites (e.g. contains known drainer code)

“Website verified”

A special designation for sites from known / trusted entities (like exchanges or marketplaces)

“trusted entity”

A special designation for addresses from known / trusted entities (like exchanges or marketplaces)

“Unable to analyze transaction”

Either something went wrong with the TrustCheck system, or the transaction is not something the engine supports

TrustCheck does not require you to sign-up, create an account, or connect your wallet. The only time we would receive your email is if you sign up for our newsletter (which is not required). We never have access to any of your crypto assets or other personal information.

TrustCheck supports EIP-1193-compliant browser-based wallets. These are the most common wallets in the crypto ecosystem. Examples include MetaMask and Coinbase wallet.

We support all ethereum-based tokens.

Yes! We support all ethereum-based NFTs.

Machine learning can sound like a buzzword these days, but weeding out crypto scams is the perfect use case for it. Without giving away our secret sauce, the more scams discovered and reported the better training our ML engine gets, and the more accurate our threat assessments become.

Well, but we’ll always work tirelessly to improve it every day. No security product can guarantee your safety, but as our data sets grow, we encounter more scams, and our machine learning engine gets smarter, we’ll continue to evolve our ability to protect crypto users. TrustCheck is new, but we look forward to publishing some of the results of our work as we hit various data and product usage milestones. You can sign up for our newsletter here.

Based on interviewing hundreds of users, the 2 most common types of scams are "permissions compromises" and "rug pulls". We have checks aimed at detecting both. Permissions compromises occur when you sign a transaction that grants permission to a counter-party to withdraw all of the crypto assets on a given smart contract within your wallet. Often, scammers will disguise the mechanics of these transactions using misleading UI on phishing sites. For example, you may think you are minting an NFT, but in fact you are giving the scammer permission to drain all the NFTs in your wallet. The term Rug Pull is loosely used in crypto, but in general, they involve creators who make promises of benefits to project investors, and then fail to fulfill them. This can happen with both fungible and non-fungible tokens. Rug Pulls are a notoriously difficult type of scam to catch because they often don't involve anything wrong mechanically on the blockchain. But…we do our best. TrustCheck maintains allow/deny lists that can protect you from rug pull scammers. These are continuously updated based on best-in-class data sets, an ever-improving machine learning engine, community members who report scams via the extension, and a team of in-house ScamOps sleuths who are always on the prowl. While perfect rug pull protection is impossible, we use the best tools we can, and have some exciting future products that will make it much harder for rug pulls scammers to operate. Stay tuned.

Our mission is to make Web3 safe for all. We firmly believe that end-user security is the biggest barrier to onboarding the next billion crypto users, and all the benefits that would entail. The time has never been better to build products towards this end. Our hope is that a whole ecosystem of companies will pop up to make this a reality. TrustCheck is the first of many products from Web3Builders, which was founded and backed by some of the smartest, technologically capable, and crypto-lovingest folks around. You can read more about the team and its mission here.