QR Codes can be evil, Web3 emailing and more!

Sept 6, 2022 min read
QR Codes can be evil, Web3 emailing and more!

gm 👋

Thank you for being a part of the Cypherock family. Come rain, hail or storm, we are heads-down building the best possible product to keep your digital assets safe.

Over the next 8-10 minutes, we will be talking about hacks that caught our eye, DApps that we found interesting and our picks from Twitter and Reddit that we enjoyed.

If you loved the newsletter, message us! If you hated the newsletter, message us! We’re always looking for fresh perspective on things to cover and feedback to make your experience better!

Have an awesome week ahead!

Team Cypherock

What we’re covering this week

  • How can QR Codes be used as an attack vector 🗡
  • Email on the blockchain 📧
  • How not to get rekt with putting funds into a liquidity pool 🫡
  • Reddit’s very own crypto portfolio 🐕

Security Digest

QR Codes: The silent killer


Scanning QR codes has become an almost daily behaviour in our day-to-day lives. However, with something as ubiquitous as a QR Code, we must be aware of the potential dangers of scanning these codes. But before all the grim stuff, what is a QR code? A QR code is a two dimensional barcode that that can store 7,089 digits or 4,296 characters. QR code scanners essentially decipher the information that has been encoded onto the QR code. QR codes make our lives easier, but there are risks associated with its usage.

Overlaid QR codes: An overlaid QR code is when a malicious actor places a QR code over genuine QR codes that may be available in public spaces. An example would be public transport methods such as bike sharing where a user would need to scan a code and pay for the access to the bike.

QR code based phishing: A phishing scam was carried out in 2021 that targeted German e-banking users where the scammers drafted a curated email with banking logos, as well as a companion portal that was accessed using a QR code which was used to steal banking information.

QR code used to gain access of Discord accounts: Scammers have been posting QR codes promising free Nitro - Discord’s platform currency - which inadvertently gives the scammer access of the Discord account of the user that is scanning the QR code. This could have adverse implications as many web3 servers have prominent individuals who accounts can be used to scam other individuals.

QR codes and web3: Scammers may make individuals download counterfeit wallets with the promise of tokens, or reduction in fees. QR codes could also be used to take over Metamask accounts of users to send transactions that were unintended.

From a crypto wallet perspective, Cypherock utilizes a USB infrastructure which interfaces with the desktop application. Given the fact that QR codes can be manipulated, Cypherock allows users to verify the address of the receiver on the X1 device screen itself - a standard practice for hardware wallets. Since Cypherock is not connected to the internet, the address verification process on the X1 device avoids the problem of sending digital assets to a malicious address, keeping you safe from the QR code attack vector.

So, what are some additional steps that you can take to keep yourself safe? Enable multi-factor security on your accounts. If you are going to scan QR codes related to banking accounts, it’s important to be able to add the most layers of security. When interacting with a merchant in person, make sure the code you are scanning does not have another QR code sticker pasted. When re-directed to a URL, double-check the spelling of the URL. Often times, checking for the right spelling is the easiest way to gauge authenticity of the website.

Dapp News

You've got MetaMail


Emailing doesn’t suck completely, and for the most part, does everything that a user would want it to do. But, that doesn’t mean there can’t be improvements made to the status quo. For one, Metamail makes the adoption of encryption in emailing a lot simpler. Here’s how.

Under the current PGP infrastructure, users need to maintain both their private and public key, and also verify that the recipient’s public key actually belongs to the recipient. In the case of Metamail, wallet addresses are public keys with users having to maintain and control their private key. The friction in the adoption and implementation of encryption in email is reduced dramatically.

So, how does it work?

Fire up metamail.ink and connect your wallet. You will end up receiving your own email address in the format yourwalletaddress@mmail.ink. If you have an ENS, the suffix of the email will resolve to xyz.eth@mmail.ink. The experience of sending and receiving emails is the exact same, with the only difference being that for every email sent, you will need to sign a transaction - which is free of cost. Now, you can email anyone with your very own web3 email address.

To utilize the encryption feature, the user creates a a random symmetric key locally, encrypts the contents of the message with this key, and encrypts this key with the recipient’s public key. When receiving an encrypted email, the user needs to use the wallet to decrypt the key to the email, and use the decrypted key to access the contents of the email. If this passage had too many mentions of keys in it, try out the feature and send an encrypted email saying hi to 0xe992e4cdab8bfb68ee7c232349ccb2636784d4b5@mmail.ink

Welcome to the future.

Twitter Tales

Considering putting your funds into a liquidity pool? Here’s a method to avoid impermanent loss.

Check out the thread here.

Reddit Reads

Web3 has many factions. There are blockchain maxis and there are folks who believe in the interoperability of blockchains. If you’re a part of the latter, this discussion thread is for you.

Reddit’s crypto portfolio from r/CryptoCurrency

Updates from Cypherock

We announced our partnership with Buidlers Tribe. The goal here is to help grow the web3 ecosystem with a security first mindset. Buidlers Tribe recently announced a Cypherock wallet giveaway that you can participate in, check out the tweet here.

Cypherock’s Co-Founder & CEO, Rohan was featured in a Bitinning session alongside Kashif Raza to talk about all things crypto security, and how Cypherock is building the safest web3 infrastructure.

We will be hosting a Twitter Space on 6th September, 7 PM IST. We will be talking about all the product updates, marketing efforts and all things Cypherock. Don’t be shy, come say hi.

Is Your Crypto Safe? Take the Cypherock Quiz and find out!

Is your crypto safe

Will your crypto get hacked? Are you going to lose your crypto? Cypherock has come up with a detailed quiz that will help you understand the pros and cons of your security model. Upon completion, you will get a detailed analysis mailed to you. Take the quiz now!

Here’s some alpha 🚀

Security is our utmost concern. We want to keep your crypto safe and give you the best possible experience interacting with the web3 ecosystem. Because we like you, we want you to make money too!

Cypherock recently launched an affiliate program. You receive a unique code by either signing up on our website, or by purchasing a Cypherock X1. Through your code, your referrals receive 25% off on their purchase and you make $50 per sale!

Sign up to become a Cypherock Affiliate!

Have questions regarding our product, or the affiliate program? Our Growth Lead loves chatting with people, hit him up here.