.bit (“the Company”), an open-source Web3 identity portocal that provides permissionless decentralized identifier, recently found and analyzed severe risks involved in using decentralized identifiers for asset transaction. Upon recognizing and studying these serious threats, the company published its findings in order to warn the blockchain industry and to recommend they avoid sending or exchanging assets using DIDs.
Web3 enthusiasts will know that a decentralized identifier (DID) is used to uniquely represent assets owners’ address on a blockchain, allowing for asset transfers without the need for inserting long and complicated address. A DID can be used to send a token or asset to a wallet or exchange, which will then use that identifier to verify the data of the token or asset and send back a response. The risk .bit discovered arises in the application programming interface (API) that the wallet or exchanges use.
An API enables simple data transfer across various platforms and provides the necessary information a wallet needs from the DID. In an ideal, fully secure exchange using a DID, the asset holder will input their DID name, the wallet will ask the API for the name’s blockchain address, the API will return the corresponding address, the wallet sets up the transaction for user approval, and finally, the wallet sends the transaction to the public network to finish the transfer. In reality, as .bit’s analysis shows, there are five possible points where potential risks could arise with DIDs.
- Hackers break into the server for the API service and tamper with the data returned to the query.
- API service staff tamper with the data returned by the query.
- An API service internal error occurs that returns incorrect data to the query.
- The API service’s server has outdated nodes for synchronization with the blockchain network that results in data not being up to date, therefore resulting in incorrect data being sent for the query.
- The DID expired and was registered by a different user without the knowledge of the previous owner.
There have not yet been any public reports of assets being lost due to risk 1 or 2, but .bit believes they are bound to happen once users get in the habit of sending assets via .bit or other DIDs. Risks 3, 4, and 5 are non-subjective risks that are completely unavoidable. Similar to risks 1 and 2, when the habit of sending assets using .bit or other DIDs becomes established, it’s only a matter of time before non-subjective factors cause asset losses. Therefore, it is important that users of DIDs, and in particular .bit, be aware of this warning and the risks involved. Currently, the use of DIDs for wallets or exchanges is in a nascent stage. In order to avoid the risk of losing an asset through faulty technology or illegal actions, .bit recommends not using DIDs for wallet or exchange transactions at this time.
Despite these risks, there is plenty to be excited about with DIDs and .bit. The risks are caused by misuse, not the DIDs themselves. The company will be sharing more about how DIDs can be utilized, including security steps that should be taken as well as the future security measures they plan on implementing in their protocol, at Hong Kong Web3 Festival 2023 April 12-15.