Harpie review: Can this on-chain firewall solve Web3’s security problem?

Harpie’s on-chain firewall allows crypto users to connect their Web3 wallets and create a secure transaction environment and protect against crypto’s most common attack vectors.

Crypto’s security issue

As crypto and decentralized finance have grown in popularity over the past couple of years, cryptocurrency-related attacks, including targeted user theft and protocol exploitation, have also increased. According to Chainalysis’ mid-year cryptocrime reportover $1.9 billion had been stolen in hacking users and services from January to July 2022, up from just under $1.2 billion in the first seven months of 2021. And while most of the exploits have been protocol-related , many users have had their wallets drained in part thanks to the risks associated with using Web3 today.

For users who regularly interact with DeFi protocols and NFT marketplaces, transactions in Web3 can almost feel like playing Minesweeper in real life. Every transaction approval and chain interaction with a third-party application can potentially lead to wallet compromise and loss of funds. Unfortunately, there has not been an easy or effective solution to this problem so far. The most popular Web3 wallets, such as MetaMask or Trust Wallet, do a poor job of communicating the nature of each chain interaction to users. Instead of making each transaction clear, the default descriptions of most transaction confirmations in the wallet read like gibberish to most unsophisticated users, effectively blinding them to even the most basic security threats.

Beyond the usual protocol hacks, perhaps the most dangerous type of attack affecting crypto users are so-called “authorize spend” exploits that trick users into approving malicious transactions that allow the hackers to drain users’ wallets. Another common way Web3 users lose their money is by having their private keys compromised, which usually involves users installing malware like keyloggers, saving their seed phrases in plain text on unsecured devices, or falling for phishing scams.

Protection against all these attack vectors has always been possible, but it requires significant technical knowledge, sophistication and sacrifices in the user experience. Harpie hopes to solve this problem.

What is Harpie?

Harpie is the first on-chain firewall solution that allows Ethereum users to create a secure transaction environment by whitelisting a set of addresses and Web3 applications they deem safe. The service monitors connected wallets for pending suspicious or unauthorized transactions to stop them when they appear. When it detects a suspicious transaction, it immediately moves the user’s funds out of the wallet and into a safe, non-custodial vault, protecting the funds from potential theft.

Harpie does this by driving malicious transactions to the front by paying a higher gas fee. For example, suppose a hacker somehow obtained a user’s private keys or tricked them into authorizing a malicious spending transaction and attempted to transfer money from the victim’s wallet to his address. In that case, Harpie will detect the outgoing transaction from the victim’s wallet to an unapproved address, and automatically broadcast another transaction with a higher gas fee to move the target’s funds into a safe vault before confirming the outgoing transaction.

Ethereum validators prioritize transactions with the highest gas fees, meaning they can pick up and verify Harpie’s benevolent transactions before any attackers, saving users from theft.

After Harpie intervenes and moves the assets to a safe place, the user can withdraw them to a new uncompromised wallet for a fixed fee of 0.01 ETH, regardless of the amount saved in the procedure.

How to use Harpie

Users must connect their existing Web3 wallet to Harpie to use the service. They can do this by clicking the “Enter App” button at the top right of Harpie’s home page and then clicking “Connect” inside the application. Users must also confirm the connection in the wallet separately to give Harpie permission to monitor the wallet and move money from them in the event of an incident.

After connecting, users are asked to set up their “Trusted Network” of applications and addresses. These are applications and addresses users consider safe and want to exclude from the firewall, meaning that Harpie does not automatically block transactions with them.

To do this, users can choose whether to use DeFi applications, NFT marketplaces or both and select their trusted network of applications from a pre-selected list of established protocols. All of the protocols Harpie recommends by default have been extensively audited, stood the test of time, and are generally considered secure, meaning users should feel confident whitelisting them all. After selecting the trusted set of applications, users must press “Continue” at the bottom right and sign the transaction in the wallet.

Upon signing, Harpie will begin integrating its firewall system with the user’s wallet, and after that completes, users will be directed to their dashboard. There, they can navigate to the “My Trusted Network” tab and add all the addresses they regularly interact with under the “Friends” section. These can include their own personal wallets, their friends’ wallets and the deposit addresses of the centralized exchanges they use.

Users must also allow Harpie to access their wallet’s funds in order to move them to a secure vault in the event of an attack. They can do this by clicking “Protect” for each asset in the dashboard’s “Protected Assets” section. If they can’t see all the assets they have in their wallet, they can import them manually from the same dashboard section.

Clicking “Protect” for each resource is the most critical task for every user using Harpie. This is because whitelisting a trusted network of applications and addresses only tells Harpie what traffic to monitor, while allowing it to access your wallet’s funds is what actually allows it to intervene and move the assets to a safe location in the event of a attack.

Finally, users must set up a withdrawal address that will have the ability to retrieve the funds moved to the safe vault in the event that Harpie has intervened during a security breach. They can do this by clicking the “Setup” button in the “Setup Withdrawal Address” section, entering the address they want to use to withdraw money, clicking “Register” and then approving the action with their wallet.

It is important to clarify that Harpie can only protect users from losing assets they already have in their wallet. If users deposit or stake their assets on a third-party crypto protocol and the application is hacked, Harpie will not be able to do anything to protect users’ funds.

Final thoughts

While no single system or protocol can solve crypto’s security problem, Harpie’s firewall approach adds an important layer of security to the day-to-day operations of the more active Web3 users. Beyond protocol hacks and certain edge cases, Harpie can effectively protect users from almost common crypto exploits without seriously hindering their user experience.

That said, interacting with Web3 with Harpie’s firewall solution still introduces some unavoidable obstacles from a user experience standpoint. For example, users can forget to whitelist their friend’s address or their own account on a centralized exchange and have their assets automatically moved to Harpie’s non-custodial vault after they attempt to make an intentional transfer. Beyond that, Harpie also doesn’t provide users with an easy way to revoke firewall access. Once enabled, users must use a third-party application such as revoke.cash to revoke the access they have granted to Harpie if they wish to opt out.

All things considered, Harpie provides a much-needed layer of on-chain security that users can’t currently find anywhere else. Although Harpie is not perfect today, the solution is a clear step in the right direction towards making Web3 safer for ordinary users.

Disclosure: At the time of writing, the author of this article owned ETH and several other cryptocurrencies.