Lens Protocol Enhances Security With New Safety Layer

Lens Protocol, a decentralized platform for managing digital profiles, has announced the introduction of a new safety layer to enhance security in response to an increase in phishing attacks targeting Lens profiles. The safety measures aim to provide additional protection and prevent unauthorized access to user accounts.

Mitigating Phishing Risks

The safety layer includes several specifications designed to mitigate the risks associated with phishing activities. Firstly, the asset meta-transaction (meta-tx) functions will be disabled in the Lens Profiles collection, specifically in the LensHub smart contract. This means that functions such as burnWithSig, permit, and permitForAll will no longer be available. Disabling these functions addresses the problem of users inadvertently signing messages without proper attention: a signed meta-tx message remains valid until its deadline passes or its nonce is consumed, so it can be submitted long after it was signed. Disabling the signature methods also prevents any already-signed meta-tx messages from being misused in the future.

In addition to disabling asset meta-tx functions, Lens Protocol is implementing a 7-day Security Cooldown Period for externally owned account (EOA) wallets. This mechanism is address-based, meaning it applies to specific addresses and extends to all Lens profiles associated with those addresses. During the Security Cooldown Period, certain functions such as profile approval, transfer, and burning will revert if the Profile Guardian is enabled. Users can explicitly trigger the disabling of the safety layer by executing the DANGER__disableProfileGuardian transaction, after which they must wait for the 7-day cooldown period to expire before the Profile Guardian is effectively disabled. Once disabled, users can resume using the restricted functions without limitations.

Enhanced Security for Non-EOA Addresses

It is important to note that the Profile Guardian does not apply to non-EOA addresses, so that smart contracts and protocols that rely on standard ERC-721 behaviour are not disrupted. Non-EOA addresses, which include multisig wallets and DAOs, are assumed to operate under closer oversight and are therefore considered less susceptible to unauthorized access.
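The cooldown mechanism and its EOA-only scope described above, as an added Solidity sketch that is not LensHub's own code: DANGER__disableProfileGuardian is the name the article gives, while the other identifiers, the storage layout, and the code-size EOA check are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustrative address-based Profile Guardian with a 7-day disable cooldown (example code, not LensHub).
contract ProfileGuardianExample {
    uint256 public constant DISABLE_COOLDOWN = 7 days;
    /// 0 = guardian enabled (default). Otherwise the timestamp from which it counts as disabled.
    mapping(address => uint256) private _disablingTimestamp;
    /// Minimal stand-in for profile ownership (hypothetical, not the real LensHub storage).
    mapping(uint256 => address) public profileOwner;

    event ProfileGuardianStateChanged(address indexed wallet, bool enabled, uint256 disablingAt);

    /// Only EOAs are guarded; contracts (multisigs, DAOs, marketplaces) are exempt. Assumption: empty code size = EOA.
    function _isEOA(address wallet) internal view returns (bool) {
        return wallet.code.length == 0;
    }

    /// Still true during the cooldown: the guardian only drops once the full period has elapsed.
    function isProfileGuardianEnabled(address wallet) public view returns (bool) {
        uint256 disablingAt = _disablingTimestamp[wallet];
        return disablingAt == 0 || block.timestamp < disablingAt;
    }

    /// Reverts approve/transfer/burn style actions while the owner is a guarded EOA.
    modifier whenNotGuarded(address owner) {
        require(!(_isEOA(owner) && isProfileGuardianEnabled(owner)), "Profile guardian enabled");
        _;
    }

    /// Starts the cooldown; the guardian is effectively disabled only 7 days later.
    function DANGER__disableProfileGuardian() external {
        require(_disablingTimestamp[msg.sender] == 0, "Already disabling or disabled");
        uint256 disablingAt = block.timestamp + DISABLE_COOLDOWN;
        _disablingTimestamp[msg.sender] = disablingAt;
        emit ProfileGuardianStateChanged(msg.sender, false, disablingAt);
    }

    /// Re-enables immediately and cancels any pending cooldown.
    function enableProfileGuardian() external {
        require(_disablingTimestamp[msg.sender] != 0, "Already enabled");
        delete _disablingTimestamp[msg.sender];
        emit ProfileGuardianStateChanged(msg.sender, true, 0);
    }

    /// Example guarded action: burning a profile reverts while its EOA owner is guarded.
    function burnProfile(uint256 profileId) external whenNotGuarded(profileOwner[profileId]) {
        require(profileOwner[profileId] == msg.sender, "Not owner");
        delete profileOwner[profileId];
    }
}
```

Because the state is keyed by wallet address rather than by profile, one cooldown covers every profile the address owns, matching the address-based behaviour described above; the code-size check is a heuristic that also treats a contract still under construction as an EOA, which a production implementation should document.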

To support the Lens ecosystem, various services and applications within the ecosystem, including the Lens API, are encouraged to track the Profile Guardian status. This will enable seamless communication with users regarding changes in their protection status and allow them to enable or disable the Profile Guardian as desired.

The introduction of this safety layer and the implementation of the Security Cooldown Period provide Lens Protocol users with an added layer of security and a reasonable timeframe to take necessary measures in response to potential threats. These measures aim to safeguard user accounts and prevent unauthorized access to valuable profiles within the Lens ecosystem.