# Starknet case study - Security as a first class citizen

Phishing and scams are extremely common in the crypto space. It's the fate of permissionless networks to be the target of such attacks. But then, what can we do to mitigate the risks and protect users? To me the answer is: security best practices enshrined in the protocol + social layer + good UX.

Let's expand a bit, with a concrete example that happened today, illustrating how it works in practice. The story in 4 acts has been shared on [X](https://twitter.com/dimahledba/status/1786362785527435484) if you want to follow how it happened in real time.

## Security best practices enshrined in the protocol

You need a protocol designed with security as a core principle: every single technical choice must be made in accordance with security. Some existing standards are flawed by design; this is the case of the ERC-20 allowance mechanism. That's why on Starknet we designed the multicall feature to be available by default, so that you don't have to choose between good user experience and security. You can do it in one transaction: approve exactly the amount needed + transfer / swap of that amount. No unlimited approval.

But that's not sufficient: you need builders to adopt those safer practices, and for this you need education and a social layer safeguarding them. Good thing we have both on Starknet.

![image](https://hackmd.io/_uploads/SkQZoLffR.png)

## Social layer to the rescue

![image](https://hackmd.io/_uploads/HyLVjUMG0.png)

You need people monitoring, advocating for security, warning others, etc. Today there was a phishing attempt going on: scammers faked the Starknet governance hub with a malicious website, promising fake rewards to people interacting with it. To lure people to the malicious website, the attackers sent transactions with a fake governance token. People then see those tokens in their wallet, and if they open the token details they will see the malicious URL. If they click and are not vigilant, they will be drained.

Example of the contaminated transactions:

![Screenshot 2024-05-03 at 13.49.38](https://hackmd.io/_uploads/BJdhDIfM0.png)

Example of the malicious website:

![Screenshot 2024-05-03 at 13.50.01](https://hackmd.io/_uploads/SJnuv8Mz0.png)

Luckily, one person of the Starknet community did a great watchdog job and raised the alert less than 10 minutes after the start of the attack. Message sent by the ecosystem builder on Telegram:

![Screenshot 2024-05-03 at 13.49.22](https://hackmd.io/_uploads/HkK0v8zM0.png)

Thank you sir Koi! You helped protect many potential victims with your reflex.

Then what happened was a beautiful coordination across the ecosystem, including StarkWare sending alerts and working with [Chain Patrol](https://chainpatrol.io/) to take action to shut down the malicious website, and the [Argent Wallet](https://www.argent.xyz/) team immediately flagging the malicious website as dangerous, directly in the wallet.

![telegram-cloud-photo-size-4-5884021160646132103-x](https://hackmd.io/_uploads/HJei_LzMR.jpg)

Gg Argent team!

## Good UX

Now let's see how a great UX can literally save users from being drained.

![image](https://hackmd.io/_uploads/S1coqIzMA.png)

Let's take the example of someone trying to sign a transaction from the malicious website. What they would see is the following:

![telegram-cloud-photo-size-4-5884100875239145423-y](https://hackmd.io/_uploads/rkgktIMfA.jpg)

Here the user would immediately see that this transaction is trying to drain ETH, USDC and STRK tokens. That's a huge indication that something is going wrong, and hopefully the user would not continue the process.

Conclusion: Gud tech + Gud people + Gud UX = User peace of mind!
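The two technical points in this post (the exact-amount approve + swap multicall from the first section, and the pre-signing preview of outgoing assets from the "Good UX" section) are illustrated below with an added JavaScript example. It is not Starknet, Argent or StarkWare code: it uses a constructed in-memory token ledger, a toy DEX and an account that executes a batch of calls atomically. All names (`Token`, `Dex`, `Chain`, `previewOutflows`), addresses and balances are made up for the example.

```javascript
// Added example (not Starknet, Argent or StarkWare code): a toy ERC-20 style
// ledger plus an account that executes a batch of calls atomically. It contrasts
// an unlimited approval with an exact-amount approve + swap multicall, and shows
// what a wallet can display before signing: which assets would leave the account.
// Every name, address and balance below is constructed.

const UNLIMITED = 2n ** 256n - 1n; // the "max uint256" allowance many dapps request

class Token {
  constructor(symbol, balances = {}) {
    this.symbol = symbol;
    this.balances = new Map(Object.entries(balances).map(([k, v]) => [k, BigInt(v)]));
    this.allowances = new Map(); // "owner>spender" -> remaining allowance
  }
  balanceOf(addr) { return this.balances.get(addr) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(`${owner}>${spender}`) ?? 0n; }
  approve(caller, spender, amount) { this.allowances.set(`${caller}>${spender}`, amount); }
  transfer(caller, to, amount) { this.move(caller, to, amount); }
  transferFrom(caller, from, to, amount) {
    const remaining = this.allowance(from, caller);
    if (remaining < amount) throw new Error(`${this.symbol}: insufficient allowance`);
    this.move(from, to, amount);
    // An unlimited allowance is never consumed: it survives the swap it was granted for.
    if (remaining !== UNLIMITED) this.allowances.set(`${from}>${caller}`, remaining - amount);
  }
  move(from, to, amount) {
    if (this.balanceOf(from) < amount) throw new Error(`${this.symbol}: insufficient balance`);
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
  }
}

// Minimal DEX: pulls exactly amountIn of tokenIn via transferFrom and pays a
// fixed (constructed) rate of 1 tokenOut per 10 tokenIn from its own reserves.
class Dex {
  constructor(chain, address) { this.chain = chain; this.address = address; }
  swap(caller, tokenIn, tokenOut, amountIn) {
    this.chain.contracts[tokenIn].transferFrom(this.address, caller, this.address, amountIn);
    this.chain.contracts[tokenOut].transfer(this.address, caller, amountIn / 10n);
  }
}

class Chain {
  constructor(contracts) { this.contracts = contracts; }
  snapshot() {
    const s = {};
    for (const [name, c] of Object.entries(this.contracts))
      if (c instanceof Token) s[name] = { balances: new Map(c.balances), allowances: new Map(c.allowances) };
    return s;
  }
  restore(s) { for (const [name, state] of Object.entries(s)) Object.assign(this.contracts[name], state); }
  // Multicall semantics: every call in the batch applies, or none of them does.
  execute(caller, calls) {
    const saved = this.snapshot();
    try {
      for (const { to, entrypoint, calldata } of calls) this.contracts[to][entrypoint](caller, ...calldata);
    } catch (e) { this.restore(saved); throw e; }
  }
}

// Wallet-side preview: simulate the batch on the current state, report every asset
// that leaves the signer's account and any unlimited approval it would grant, then roll back.
function previewOutflows(chain, signer, calls) {
  const saved = chain.snapshot(), before = {}, outflows = {}, warnings = [];
  for (const [name, c] of Object.entries(chain.contracts)) if (c instanceof Token) before[name] = c.balanceOf(signer);
  try { chain.execute(signer, calls); } catch (e) { warnings.push(`reverts: ${e.message}`); }
  for (const [name, c] of Object.entries(chain.contracts))
    if (c instanceof Token && c.balanceOf(signer) < before[name]) outflows[name] = before[name] - c.balanceOf(signer);
  for (const c of calls)
    if (c.entrypoint === 'approve' && c.calldata[1] === UNLIMITED) warnings.push(`unlimited ${c.to} approval to ${c.calldata[0]}`);
  chain.restore(saved);
  return { outflows, warnings };
}

function makeChain() {
  const chain = new Chain({});
  chain.contracts.ETH = new Token('ETH', { alice: 5n, dex: 1000n });
  chain.contracts.USDC = new Token('USDC', { alice: 500n });
  chain.contracts.STRK = new Token('STRK', { alice: 300n });
  chain.contracts.dex = new Dex(chain, 'dex');
  return chain;
}

// Pattern 1 (risky): approve MAX once, swap later. The allowance outlives the swap.
function unlimitedApprovalLeftover() {
  const chain = makeChain();
  chain.execute('alice', [{ to: 'USDC', entrypoint: 'approve', calldata: ['dex', UNLIMITED] }]);
  chain.execute('alice', [{ to: 'dex', entrypoint: 'swap', calldata: ['USDC', 'ETH', 100n] }]);
  return chain.contracts.USDC.allowance('alice', 'dex');
}

// Pattern 2 (the multicall the post describes): exact approve + swap in one batch, no leftover.
function exactApprovalMulticall() {
  const chain = makeChain();
  chain.execute('alice', [
    { to: 'USDC', entrypoint: 'approve', calldata: ['dex', 100n] },
    { to: 'dex', entrypoint: 'swap', calldata: ['USDC', 'ETH', 100n] },
  ]);
  const { USDC, ETH } = chain.contracts;
  return { leftover: USDC.allowance('alice', 'dex'), usdc: USDC.balanceOf('alice'), eth: ETH.balanceOf('alice') };
}

// If the swap fails, the approve in the same batch is rolled back too.
function atomicRollback() {
  const chain = makeChain();
  try {
    chain.execute('alice', [
      { to: 'USDC', entrypoint: 'approve', calldata: ['dex', 100n] },
      { to: 'dex', entrypoint: 'swap', calldata: ['USDC', 'ETH', 200n] },
    ]);
  } catch (e) { /* expected: insufficient allowance */ }
  return chain.contracts.USDC.allowance('alice', 'dex');
}

// What the wallet preview shows for a batch that moves every token to an
// unknown address (constructed 'scam-site'): all three assets flagged as outgoing.
function previewSuspiciousBatch() {
  const chain = makeChain();
  const calls = ['ETH', 'USDC', 'STRK'].map((sym) => ({
    to: sym, entrypoint: 'transfer', calldata: ['scam-site', chain.contracts[sym].balanceOf('alice')],
  }));
  return previewOutflows(chain, 'alice', calls);
}
```

The preview is the defensive half of the story: a wallet that simulates the batch and lists every balance decrease gives the user the same signal the Argent screenshot shows, independently of whether the website has been blocklisted yet.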