GRVT Security Series (Part 2: Web2 Security Layer)


Many people worldwide have been victims of crypto rug pulls and phishing hacks. At GRVT, we are also no strangers to these. That’s why we are integrating standard Web2 protections on our hybrid exchange, in addition to Web3 self-custody trading. 

On top of the typical security model found on most DeFi projects, we are building an additional Web2 security layer that is familiar and easy to use. 

In Part 2 of our GRVT Security Series, we take a look at what traditional security controls are integrated into the platform. 

If you missed Part 1 of our Security Architecture Overview, check it out here.

Incorporating Web2 Security

GRVT’s hybrid exchange model merges the best of not only CeFi and DeFi, but also Web2 and Web3.

In particular, our Web2 security controls involve these key elements:

  1. User Login & 2FA
  2. Wallet Whitelisting

This second layer of Web2 security has been effective at protecting centralized exchanges (CEXs). Even if attackers detect a potential smart contract vulnerability on our fully private Layer 2 Chain, they will also have to compromise our backend network in order to exploit the potential vulnerability.

So what’s the importance of this Web2 security layer?

Scenario: User Private Key Compromises

The most common form of compromise in crypto is the user private key, or user signature.

Phishing for user signatures typically operates as follows:

  1. Attacker creates a fake site, e.g. grvt.exchange
  2. Attacker posts an alert about upcoming downtime, urging users to withdraw their funds
  3. User signs the withdrawal request, unknowingly authorizing a transfer to the attacker’s wallet 
  4. Attacker uses the signature on the actual site to steal user’s funds

This attack angle works across all DeFi applications. In contrast, GRVT applies two additional protective controls on top of our security infrastructure to mitigate such risks. 

User Login & Two-factor authentication (2FA)

To submit a transaction signature on GRVT, users need to log in with an email and password. While 2FA is optional, it greatly reduces the risk of compromise. 

If your signatures are compromised, attackers face a more challenging task. To submit a phished signature, they would need both your login credentials (easy to phish) and your 2FA code (harder to phish).

Wallet Whitelisting

Our system enhances fund withdrawal security by restricting transfers to pre-approved or ‘whitelisted’ wallets. 

Whitelisting, or allowlisting, is a cybersecurity strategy that approves specific entities, such as email addresses, IP addresses, domain names or applications, while denying all others. IT teams use a whitelist as a quick and easy way to help safeguard networks from potentially harmful threats. When a destination or application is put on a whitelist, it is considered safe, and access to the approved destination or application will be granted. 

For individual traders on GRVT, the process to whitelist your wallet and withdraw your funds is simple:

  1. Complete your 2FA
  2. Sign off on the whitelisting transaction

This serves as an extra security measure to prevent attacks on your account. If an attacker gains access to your GRVT account, your funds can only be transferred to your own whitelisted wallet; unauthorized transfers elsewhere are prevented. Most decentralized exchanges (DEXs) do not incorporate such a mechanism, as they are not designed to work with arbitrary restrictions. 
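To make the layering concrete, here is an added example (not GRVT’s code) that replays the four-step phish described above against a withdrawal gate applying the login, 2FA and whitelist checks in sequence. The HMAC "signature", the account and session model, and the 0xALICE/0xATTACKER addresses are constructed stand-ins, not anything from the real platform.

```python
import hmac
from dataclasses import dataclass, field

# Constructed model: an HMAC tag stands in for the wallet signature (really ECDSA over a typed message).
@dataclass
class Account:
    signing_secret: bytes                        # stand-in for the wallet private key
    twofa_enabled: bool
    whitelist: set = field(default_factory=set)  # approved withdrawal destinations

@dataclass
class Session:
    twofa_verified: bool = False                 # set only after a passed 2FA challenge

def sign(secret: bytes, message: str) -> str:
    return hmac.new(secret, message.encode(), "sha256").hexdigest()

def add_to_whitelist(acct: Account, sess: Session, dest: str, sig: str) -> str:
    # Whitelisting flow from the post: complete 2FA, then sign the whitelisting tx.
    if not sess.twofa_verified:
        return "2fa_required"
    if not hmac.compare_digest(sign(acct.signing_secret, f"whitelist:{dest}"), sig):
        return "bad_signature"
    acct.whitelist.add(dest)
    return "ok"

def authorize_withdrawal(acct: Account, sess, dest: str, amount: int, sig: str) -> str:
    # A valid signature alone never moves funds: login, 2FA and whitelist all apply.
    if not hmac.compare_digest(sign(acct.signing_secret, f"withdraw:{dest}:{amount}"), sig):
        return "bad_signature"
    if sess is None:
        return "login_required"                  # phished signature, no account access
    if acct.twofa_enabled and not sess.twofa_verified:
        return "2fa_required"                    # phished password, no second factor
    if dest not in acct.whitelist:
        return "destination_not_whitelisted"     # full takeover, funds still can't leave
    return "ok"

def phishing_scenario() -> dict:
    # Replays the post's four-step phish against the gate and returns each outcome.
    alice = Account(b"alice-wallet-key", twofa_enabled=True)          # constructed sample
    verified = Session(twofa_verified=True)
    add_to_whitelist(alice, verified, "0xALICE", sign(alice.signing_secret, "whitelist:0xALICE"))
    phished = sign(alice.signing_secret, "withdraw:0xATTACKER:1000")  # step 3 of the phish
    return {
        "signature_only": authorize_withdrawal(alice, None, "0xATTACKER", 1000, phished),
        "with_password": authorize_withdrawal(alice, Session(), "0xATTACKER", 1000, phished),
        "with_password_and_2fa": authorize_withdrawal(alice, verified, "0xATTACKER", 1000, phished),
        "own_whitelisted_wallet": authorize_withdrawal(alice, verified, "0xALICE", 1000,
                                                       sign(alice.signing_secret, "withdraw:0xALICE:1000")),
    }
```

Each entry in the returned dict is the point at which that stage of the attack is stopped; only the user’s own whitelisted wallet reaches "ok".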

What’s next

As the crypto space continues to grapple with threats of rug pulls and phishing hacks, GRVT has taken a proactive and holistic approach to safeguard our users. The integration of standard Web2 protections on our hybrid exchange marks a significant step forward, setting us apart from other CEXs and DEXs. 

In the next part of our GRVT Security series, we will explore the elements included in our Web3 security layer.
