
TrustCheck is a free, zero-click browser extension that scans your Ethereum-based web3 transactions for numerous threats and stops them in their tracks. Don't be the next wallet-drain victim: get TrustCheck.
Whether it's flagging phishing sites, drainers, spam loops, risky approvals, dangerous signing requests, or something else, we make it easy to understand what's about to happen when you transact.
TrustCheck simulates transactions before they occur, uses its machine-learning engine to check for red flags, and analyzes data from over a dozen sources to detect threats. This results in a personalized, real-time security recommendation before you confirm your transaction.
Easy-to-use, zero setup
Hit "Add to Chrome", and the extension just works. No need to create an account or connect a wallet.
Powered by machine learning
Our ML-powered data engine works overtime to predict scams before they occur.
Data for the win
TrustCheck leverages data from over a dozen sources, and augments it with our real-time scam ops team.
Take "DYOR" to the next level
Get instant security recommendations and transaction analysis across the entire smart contract stack.
We'll explain a bit more about how our solution works.
After you install the TrustCheck browser extension for Chrome, TrustCheck is always on, protecting you from a variety of threats.
When you purchase NFTs or transact with smart contracts, TrustCheck places your transaction on a brief hold and does a few things:
Based on all of these “checks”, TrustCheck quickly provides either a warning, or an explanation of the transaction you are about to confirm. You can then press “Stop” to cancel the transaction or “Proceed” to continue forward with it.
Yes! If you're doing a bunch of transactions on a site you trust, you may want to temporarily pause TrustCheck so you can skip our checks and go right to approving your transactions in your wallet. To do this, simply click the extension icon and hit pause for 30 minutes. If you want to pause the extension indefinitely, right-click on the extension icon, hit “manage extension”, and toggle the switch in the top right corner to “off”. You can always restart the extension by turning that back on.
At a high level, TrustCheck activates in two ways to keep users safe: 1) while browsing; and 2) upon triggering potential transactions to a wallet.
While browsing, TrustCheck will warn users if they visit known scam-sites.
At transaction time, TrustCheck will analyze the potential transaction prior to triggering the wallet for approval, and check for a variety of red flags before prompting the user to decide whether or not to proceed.
For the real-time transaction analysis, TrustCheck fully executes the potential transaction on an offline fork of the blockchain on Web3 Builders’ backend servers, then analyzes the entire call trace to show the user every effect the transaction would have on their assets.
Each of the checks involved at these two levels is described in more detail below.
The extension will flag any transaction that would result in sending assets out without receiving anything back in return.
Note: Since TrustCheck currently analyzes only Ethereum mainnet transactions, it is not aware of assets being received on other chains or layer 2s. Most bridge transactions will therefore be flagged for transferring assets out, so users should proceed with them only if they understand what they are doing on the bridge. Even in these cases TrustCheck can still assist the user, as all other checks still apply (website checks, address risks, etc.).
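The "assets out, nothing back" check above, including the bridge caveat, as an added example that is not TrustCheck's own code. It assumes the simulation has already been reduced to a list of transfers, one record per asset movement seen in the call trace, with the shape `{token, from, to, amount}`; the wallet, contract and token addresses and the three sample transactions are constructed for the example.

```javascript
// Added example (not TrustCheck's code): the "sends assets out, receives nothing
// back" check, run over the asset movements a transaction simulation reports.
// Input shape is an assumption: one record per transfer seen in the simulated
// call trace, {token, from, to, amount}, with amount as a decimal string so
// ERC-20 units and ERC-721 (amount "1" per token id) share one shape.
// Every address below is constructed for the example.

const WALLET = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const ROUTER = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
const BRIDGE = "0xcccccccccccccccccccccccccccccccccccccccc";
const STRANGER = "0xdddddddddddddddddddddddddddddddddddddddd";
const USDC_LIKE = "0xeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"; // constructed ERC-20
const NFT_LIKE = "0xffffffffffffffffffffffffffffffffffffffff";  // constructed ERC-721
const ETH = "ETH"; // label used for native-value transfers

// Constructed simulation results for three transaction shapes.
const SAMPLES = {
  swap: [ // sell 1 ETH for tokens: something leaves, something arrives
    { token: ETH, from: WALLET, to: ROUTER, amount: "1000000000000000000" },
    { token: USDC_LIKE, from: ROUTER, to: WALLET, amount: "2500000000" },
  ],
  drain: [ // an NFT leaves and nothing comes back
    { token: NFT_LIKE, from: WALLET, to: STRANGER, amount: "1" },
  ],
  bridgeDeposit: [ // ETH leaves to a bridge; the L2 credit is invisible to a mainnet-only simulation
    { token: ETH, from: WALLET, to: BRIDGE, amount: "500000000000000000" },
  ],
};

// Sum what leaves and what arrives at `wallet`, per asset.
function netAssetFlow(transfers, wallet) {
  const me = wallet.toLowerCase();
  const out = new Map();
  const incoming = new Map();
  for (const t of transfers) {
    const amount = BigInt(t.amount);
    if (amount === 0n) continue; // zero-value events move no assets
    if (t.from.toLowerCase() === me) out.set(t.token, (out.get(t.token) ?? 0n) + amount);
    if (t.to.toLowerCase() === me) incoming.set(t.token, (incoming.get(t.token) ?? 0n) + amount);
  }
  return { out, incoming };
}

// Flag a transaction that only sends assets away from the wallet, as observed on this chain.
function checkTransferOut(transfers, wallet) {
  const { out, incoming } = netAssetFlow(transfers, wallet);
  const flagged = out.size > 0 && incoming.size === 0;
  return {
    flagged,
    sent: [...out.keys()],
    received: [...incoming.keys()],
    reason: flagged
      ? "sends assets out without receiving anything back on this chain"
      : "no one-way outflow detected",
  };
}
```

Run against the samples, the swap passes, the drain is flagged, and the bridge deposit is also flagged: a mainnet-only simulation cannot see the credit on the other chain, which is exactly the limitation the note above describes.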
The extension will flag any transaction that would result in granting new approvals to access the user’s assets. In the extension this appears as "Does not use a safe function" among the reasons for the flag. If, however, the entity gaining access is on a list of trusted entities (as curated by the Web3 Builders ScamOps team), such as a well-established marketplace or exchange, this warning instead appears as informational only.
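The approval check above (reported in the extension as "Does not use a safe function", see the quick reference below) as an added example that is not TrustCheck's own code. It classifies raw transaction calldata by its 4-byte function selector: `0x095ea7b3` is `approve(address,uint256)` and `0xa22cb465` is `setApprovalForAll(address,bool)`, both public constants from the ERC-20/ERC-721/ERC-1155 standards. The trusted-entity list and the sample calldata are constructed for the example; the real list is human-curated and would be loaded from a maintained source.

```javascript
// Added example (not TrustCheck's code): detect approval-granting calls from
// raw transaction calldata. Selectors are the first 4 bytes of
// keccak256(function signature); the two below are the standard approval
// functions of ERC-20, ERC-721 and ERC-1155 tokens.
const APPROVAL_SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",        // ERC-20 allowance, or ERC-721 single-token approval
  "0xa22cb465": "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155 operator approval
};

const UNLIMITED = (1n << 256n) - 1n; // type(uint256).max, the usual "infinite" allowance

// Trusted-entity list: constructed placeholder for this example.
const TRUSTED_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// Constructed sample calldata (selector + two 32-byte ABI words).
const SPENDER = "2222222222222222222222222222222222222222";
const PAD = "0".repeat(24);
const SAMPLE_CALLDATA = {
  unlimitedApprove: "0x095ea7b3" + PAD + SPENDER + "f".repeat(64),
  setAllTrusted: "0xa22cb465" + PAD + "1111111111111111111111111111111111111111" + "0".repeat(63) + "1",
  revoke: "0x095ea7b3" + PAD + SPENDER + "0".repeat(64),
  plainTransfer: "0xa9059cbb" + PAD + SPENDER + "0".repeat(63) + "5", // transfer(address,uint256)
};

// i-th 32-byte ABI word after the 4-byte selector, as a 64-char hex string.
function abiWord(hex, i) {
  const start = 10 + i * 64; // skip "0x" and the 8 hex chars of the selector
  const w = hex.slice(start, start + 64);
  if (w.length !== 64) throw new Error(`calldata too short for word ${i}`);
  return w;
}

function classifyCalldata(data, trusted = TRUSTED_SPENDERS) {
  const hex = String(data).toLowerCase();
  if (!/^0x[0-9a-f]*$/.test(hex) || hex.length < 10) {
    return { kind: "unknown", flagged: false, reason: "calldata not decodable" };
  }
  const selector = hex.slice(0, 10);
  const signature = APPROVAL_SELECTORS[selector];
  if (!signature) {
    return { kind: "other", selector, flagged: false, reason: "no approval granted by this call" };
  }
  let spender, arg;
  try {
    spender = "0x" + abiWord(hex, 0).slice(24); // address is the low 20 bytes of the word
    arg = BigInt("0x" + abiWord(hex, 1));
  } catch (e) {
    // An approval selector with missing arguments is malformed; treat as suspicious.
    return { kind: "unknown", selector, flagged: true, reason: "approval call with truncated arguments" };
  }
  const trustedSpender = trusted.has(spender);
  if (arg === 0n) {
    // approve(spender, 0) and setApprovalForAll(operator, false) both remove access
    return { kind: "revoke", selector, spender, trustedSpender, flagged: false, reason: "revokes access" };
  }
  let scope;
  if (signature.startsWith("setApprovalForAll")) {
    scope = "operator access to every token of this collection, now and in future";
  } else if (arg === UNLIMITED) {
    scope = "an unlimited ERC-20 allowance";
  } else {
    // The same selector serves ERC-20 approve(amount) and ERC-721 approve(tokenId);
    // calldata alone cannot tell which, so report the raw value.
    scope = `allowance or token id ${arg.toString()}`;
  }
  return {
    kind: "approval",
    selector,
    spender,
    trustedSpender,
    flagged: !trustedSpender,
    reason: trustedSpender
      ? `grants ${scope} to a trusted entity (informational)`
      : `grants ${scope} to ${spender}`,
  };
}
```

Because `approve` shares one selector between ERC-20 (amount) and ERC-721 (token id), the uint256 argument can only be interpreted once the token contract's type is known, which is why the check belongs next to the address metadata the extension already gathers; the example reports both readings rather than guessing.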
Since one of the main mechanisms of asset loss in common scams is users approving transactions that do things they didn’t expect, TrustCheck aims to parse the technical details and clearly display as much as possible about pending transactions. To do this, TrustCheck aggregates multiple sources of metadata for addresses and projects to show:
In addition, for those that want to see it, TrustCheck displays the full decoded function parameters for the pending transaction on the transaction details tab.
TrustCheck will throw a flag when an older style of signature is requested. These requests typically contain only a hash, so the transaction itself cannot be decoded (meaning the action it would authorize is obscured). They are flagged because they are often used by scam sites, and there are almost no legitimate use cases where one should be expected (several newer, safer signature methods have been standardized and are more widely adopted). See the MetaMask documentation for more information about signatures.
In many cases, scam sites will attempt to retry dangerous transactions multiple times, popping up a new request any time a transaction is requested. TrustCheck detects these transaction loops, notifying the user when the site appears to be spamming transactions and offers an easy way to close the site to break out of the loop.
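The two checks just described, the older-style signing request and the request loop, as an added example that is not TrustCheck's own code. It wraps an EIP-1193 provider's `request()` so that `eth_sign` (the legacy method that signs a bare 32-byte hash) is warned about before it reaches the wallet, and so that repeated wallet requests following user rejections are blocked as a loop. The 30-second window, the threshold of three rejections and the fixed clock in the test are assumptions for the example.

```javascript
// Added example (not TrustCheck's code): a guard for wallet requests made
// through an EIP-1193 provider. It flags the legacy eth_sign method, whose
// payload is a hash that cannot be decoded into the action it authorises, and
// detects request loops, where a site keeps re-issuing requests after the user
// rejects them. Window size and rejection threshold are assumptions.

const USER_REJECTED_REQUEST = 4001; // EIP-1193 ProviderRpcError code "User Rejected Request"

// Methods that open a wallet prompt and are therefore worth gating.
const GATED_METHODS = new Set([
  "eth_sign",             // legacy: signs an arbitrary 32-byte hash, not decodable
  "personal_sign",        // EIP-191: signs a displayed message with a prefix
  "eth_signTypedData_v4", // EIP-712: signs structured, displayable data
  "eth_sendTransaction",
]);

function createRequestGuard({ windowMs = 30_000, maxRejections = 3 } = {}) {
  const rejections = []; // timestamps (ms) of recent user rejections, oldest first

  // Drop rejections older than the window and return how many remain.
  function prune(now) {
    while (rejections.length && now - rejections[0] > windowMs) rejections.shift();
    return rejections.length;
  }

  // Decide what to do with a request before it reaches the wallet.
  function assess(method, now) {
    if (!GATED_METHODS.has(method)) return { verdict: "pass" };
    if (method === "eth_sign") {
      return { verdict: "warn", reason: "Dangerous signing request" };
    }
    if (prune(now) >= maxRejections) {
      return { verdict: "block", reason: "Request loop detected" };
    }
    return { verdict: "pass" };
  }

  // Call when the wallet reports that the user rejected a gated request.
  function recordRejection(now) {
    rejections.push(now);
  }

  // Wrap a provider so every request() passes through the guard.
  // onWarn receives the assessment and returns true if the user chose to proceed.
  function wrap(provider, onWarn = () => false, clock = Date.now) {
    return {
      async request(args) {
        const now = clock();
        const a = assess(args.method, now);
        if (a.verdict === "block" || (a.verdict === "warn" && !onWarn(a))) {
          const err = new Error(a.reason);
          err.code = USER_REJECTED_REQUEST; // surface to the site as a normal rejection
          throw err;
        }
        try {
          return await provider.request(args);
        } catch (e) {
          if (e && e.code === USER_REJECTED_REQUEST) recordRejection(now);
          throw e;
        }
      },
    };
  }

  return { assess, recordRejection, wrap };
}
```

Sites see a blocked request as an ordinary user rejection (code 4001), so a loop that retries on rejection keeps hitting the guard instead of the wallet; the decision logic is kept synchronous in `assess` so it can be tested without a live provider.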
Separate from blockchain transaction checking, TrustCheck performs several checks specific to the websites that originate transaction requests. These include:
Lists of known entities are aggregations of as many public and private reporting sources as possible, as well as scam reports submitted by users in the TrustCheck extension itself.
To prevent as many inaccuracies and spam as possible, all entries are curated and approved by members of the Web3 Builders’ team before inclusion on verified lists.
Website checks are applied while the user is browsing, as well as during transaction analysis.
When the check is triggered while browsing, navigation to the flagged site is gated by a warning, allowing the user to abort or proceed.
At transaction time, the extension displays the analysis of the site that originated the pending transaction:
Similarly to website checks, TrustCheck performs several checks on all addresses involved in a transaction at any point in the call stack (i.e. all contracts and all externally-owned accounts). These include:
Lists of known entities are aggregations of as many public and private reporting sources as possible, as well as scam reports submitted by users in the TrustCheck extension itself.
To prevent as many inaccuracies and spam as possible, all entries are curated and approved by human experts on the Web3 Builders’ ScamOps team before inclusion on verified lists.
On the TrustCheck transaction analysis screen, addresses are described as “high risk” if they meet the criteria for being flagged, or otherwise “not detected as high risk”.
The following is a quick reference list of what each phrase in the TrustCheck extension is referring to. Each of these is described in more detail in the preceding sections.
“Hold on there!”
The transaction is flagged as something that could potentially lead to financial loss. It isn’t necessarily dangerous in every instance, but the user is recommended to look closely before proceeding.
“Dangerous signing request”
The transaction will ask for an older-style signature that could execute anything (and it’s not possible to decode what that is ahead of time). Since this is a common method used in scams, the user is recommended to abort.
“Request loop detected”
The site is automatically popping up new transaction requests after previous ones were rejected by the user. Since this is a common method used in scams, the user is recommended to abort and navigate away from the site to break the loop.
“<address> is high risk” / “<address> is not detected as high risk”
Every address of the accounts or smart contracts involved in a potential transaction is analyzed for risk against aggregated allow/deny lists and a machine-learning-based scoring engine. Note: an address where high risk is not detected does not necessarily mean there is low or no risk in interacting with it; it only means that the TrustCheck engine did not flag any of the risks it screens for.
<address> could be any of the following:
“Main smart contract”: The primary address the transaction is being made to
“A secondary contract”: Another smart contract that would be called somewhere in the call stack upon executing the main transaction
“Token smart contract”: The smart contract of a token (either fungible or non-fungible) being transacted with as part of the transaction (either a transfer or an approval)
“Counterparty”: Another externally-owned account involved in the transaction (i.e. not a smart contract) - relevant for direct transfers to other wallets
“Entity being approved”: An address that is being granted permissions to access the user’s assets
“OpenSea verified collection”
The contract for the collection involved in the transaction has undergone OpenSea’s verification
“Contract verified” / “Contract not verified”
The contract the transaction is being executed on has been verified as open source by means of third-party compilation and matching against the deployed binaries on chain. Note: just because the code of a contract is open does not necessarily mean it is without risks, vulnerabilities, or malicious intent
“Uses a safe function” / “Does not use a safe function”
A transaction is marked as not using a safe function when it grants an approval for another entity to access a user’s assets (e.g. through a call to approve or setApprovalForAll). Note that for verified entities (e.g. OpenSea), this check is not shown.
“The site you were attempting to access appears to be a known scam”
The site a user navigated to is on a list of known scams, or very closely matches a signature for known scam sites (e.g. contains known drainer code)
“Website flagged” / “Website not flagged”
Whether or not the website that triggered a transaction request is on a list of known scams, or very closely matches a signature for known scam sites (e.g. contains known drainer code)
“Website verified”
A special designation for sites from known / trusted entities (like exchanges or marketplaces)
“trusted entity”
A special designation for addresses from known / trusted entities (like exchanges or marketplaces)
“Unable to analyze transaction”
Either something went wrong with the TrustCheck system, or the transaction is not something the engine supports
TrustCheck does not require you to sign up, create an account, or connect your wallet. The only time we would receive your email is if you sign up for our newsletter (which is not required). We never have access to any of your crypto assets or other personal information.
TrustCheck supports EIP-1193-compliant browser-based wallets. These are the most common wallets in the crypto ecosystem. Examples include MetaMask and Coinbase wallet.
We support all Ethereum-based tokens.
Yes! We support all Ethereum-based NFTs.
Machine learning can sound like a buzzword these days, but weeding out crypto scams is the perfect use case for it. Without giving away our secret sauce, the more scams discovered and reported the better training our ML engine gets, and the more accurate our threat assessments become.
Well, but we’ll always work tirelessly to improve it every day. No security product can guarantee your safety, but as our data sets grow, we encounter more scams, and our machine learning engine gets smarter, we’ll continue to evolve our ability to protect crypto users. TrustCheck is new, but we look forward to publishing some of the results of our work as we hit various data and product usage milestones. You can sign up for our newsletter here.
Based on interviewing hundreds of users, the two most common types of scams are "permissions compromises" and "rug pulls". We have checks aimed at detecting both. Permissions compromises occur when you sign a transaction that grants permission to a counterparty to withdraw all of the crypto assets on a given smart contract within your wallet. Often, scammers will disguise the mechanics of these transactions using misleading UI on phishing sites. For example, you may think you are minting an NFT, but in fact you are giving the scammer permission to drain all the NFTs in your wallet. The term "rug pull" is loosely used in crypto, but in general, rug pulls involve creators who make promises of benefits to project investors and then fail to fulfill them. This can happen with both fungible and non-fungible tokens. Rug pulls are a notoriously difficult type of scam to catch because they often don't involve anything mechanically wrong on the blockchain. But… we do our best. TrustCheck maintains allow/deny lists that can protect you from rug pull scammers. These are continuously updated based on best-in-class data sets, an ever-improving machine learning engine, community members who report scams via the extension, and a team of in-house ScamOps sleuths who are always on the prowl. While perfect rug pull protection is impossible, we use the best tools we can, and have some exciting future products that will make it much harder for rug pull scammers to operate. Stay tuned.
Our mission is to make Web3 safe for all. We firmly believe that end-user security is the biggest barrier to onboarding the next billion crypto users, and all the benefits that would entail. The time has never been better to build products towards this end. Our hope is that a whole ecosystem of companies will pop up to make this a reality. TrustCheck is the first of many products from Web3Builders, which was founded and backed by some of the smartest, technologically capable, and crypto-lovingest folks around. You can read more about the team and its mission here.