Intro to DERP

Dr. Sebastian Bürgel
Published in HOPR
Jan 20, 2022

As part of our Hop on Board event, HOPR is (dubiously) proud to present DERP, the Dumb Ethereum RPC Provider.

DERP replicates the functionality of a standard RPC (remote procedure call) provider, making it painfully transparent how careless today’s crypto services are with your metadata. In real time, you’ll see exactly what and how much information is requested from third parties every time you use a crypto service. DERP will not share or store any of your data. But it easily could! And the whole point of crypto is you shouldn’t have to trust third parties like this.

Just visit the site and follow the easy setup instructions to start playing around with DERP. We’ll also be releasing three showcases over the course of the week to highlight the scale of the privacy issue, and show just how far we still have to go to make a privacy-respecting and decentralized web3 a reality.

What You’ll Need

You don’t need much to get started, just:

We’re working on automatically parsing some of the DERP output to make things clearer, but for now it would be useful to have access to:

  • A block explorer like etherscan.io, so you can look up the addresses requests are sent to.
  • A tool like 4byte.directory, for interpreting the signatures at the start of each request.
  • A hexadecimal converter, for example this one.
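The manual lookups in this list can be scripted. The following is an added example, not DERP's own code: it takes one constructed JSON-RPC request and returns what an RPC provider can read from it. The selector table stands in for a 4byte.directory lookup, and `provider_view`, `decode_calldata`, the sample addresses and the IP address are assumptions made for illustration.

```python
import json

# Small offline stand-in for a 4byte.directory lookup (well-known ERC-20 selectors).
KNOWN_SELECTORS = {
    "70a08231": "balanceOf(address)",
    "a9059cbb": "transfer(address,uint256)",
    "dd62ed3e": "allowance(address,address)",
}

def decode_calldata(data):
    """Split ABI calldata into its 4-byte selector and 32-byte argument words."""
    raw = data[2:] if data.startswith("0x") else data
    selector, body = raw[:8].lower(), raw[8:]
    words = [body[i:i + 64] for i in range(0, len(body), 64)]
    signature = KNOWN_SELECTORS.get(selector, "unknown")
    args = []
    if signature != "unknown":
        types = signature[signature.index("(") + 1:-1].split(",")
        for typ, word in zip(types, words):
            if typ == "address":      # an address is the low 20 bytes of the word
                args.append("0x" + word[-40:])
            else:                     # uint256: the whole word as an integer
                args.append(int(word, 16))
    return {"selector": "0x" + selector, "signature": signature, "args": args}

def provider_view(request_json, client_ip):
    """Summarise what an RPC provider can read from one JSON-RPC request."""
    req = json.loads(request_json)
    view = {"ip": client_ip, "method": req["method"]}
    params = req.get("params", [])
    if req["method"] == "eth_call" and params:
        call = params[0]
        view["contract"] = call.get("to")   # look this up in a block explorer
        view.update(decode_calldata(call.get("data", "0x")))
    elif req["method"] == "eth_getBalance" and params:
        view["wallet"] = params[0]
    return view

# Constructed sample: a balanceOf() call for a made-up wallet on a made-up token.
SAMPLE_WALLET = "0x" + "ab" * 20
SAMPLE_TOKEN = "0x" + "11" * 20
SAMPLE_REQUEST = json.dumps({
    "jsonrpc": "2.0", "id": 1, "method": "eth_call",
    "params": [{"to": SAMPLE_TOKEN,
                "data": "0x70a08231" + "00" * 12 + "ab" * 20}, "latest"],
})

if __name__ == "__main__":
    print(provider_view(SAMPLE_REQUEST, "203.0.113.7"))
```

The returned record ties the caller's IP address to the contract being queried and to the wallet address passed as the argument, without any transaction being sent.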

So What Does DERP Show?

DERP shows what really happens when you connect to today’s crypto services. Those streamlined UIs hide some behaviour which, while probably not malicious, is definitely pretty damn derpy.

The first thing you’ll notice is that DERP knows your IP address. This is no surprise — it’s how the Internet works. But the point is that the RPC provider now knows your IP address AND pretty much everything about your connected wallet and the crypto service you’re using. Or even just planning to use, because this all happens even if you don’t end up making a transaction!

Just think about that for a minute. Even if you just connect your wallet to browse trades on Uniswap, you’re exposing enormous amounts of potentially revealing metadata.

Now you might be thinking: why does any of this IP address stuff matter? I use a VPN which hides my IP address! That’s great, but there’s bad news:

  • Unless you’re cycling your IP address regularly, you’re still exposing linkable metadata. If you visit several crypto services in the same session, you’re still providing tons of linkable information.
  • You still have to trust your VPN provider not to be storing and sharing exactly the same information that your RPC provider has access to.
  • Worst of all, all of the examples we’ll share for DERP are also problems separate from the underlying IP issue. The IP address leak is just the sour cherry on top of the already terrible cake.

This last point was the real shock for us at HOPR. We’re a fully incentivized mixnet designed to provide full metadata privacy. One of the most useful things HOPR can do is obscure your IP address more privately than any VPN. When we started this project, we were expecting to focus on all the ways your exposed IP address could cause issues, and then promote HOPR as a solution.

But what we found was much worse. The way most crypto services are currently set up creates huge privacy issues even before we get to the IP address issue (which, to be clear, is also a huge deal).

We don’t think this is malicious. It’s just an artefact of how Ethereum infrastructure currently works and the speed with which crypto has exploded. In the rush to get dApps built, developers have relied on processes and shortcuts from Web 2.0.

All this adds up to the unavoidable conclusion that web3 services need to take privacy much more seriously. Importing approaches wholesale from web2 and slapping a blockchain underneath doesn’t work. You need to put privacy first.

Wagmi, but only if we take this stuff seriously. And that includes owning up to when things just aren’t working.

Over the next few articles, we’ll be showcasing specific problems which DERP has revealed. We expect there are many more, so please experiment and share your findings.

At the end of our Privacy Week, we’ll be sharing some thoughts about what the solution could be.

Sebastian Bürgel,

HOPR Founder

Website: https://www.hoprnet.org
Testnet: https://network.hoprnet.org
Twitter: https://twitter.com/hoprnet
Telegram: https://t.me/hoprnet
Discord: https://discord.gg/dEAWC4G
LinkedIn: https://www.linkedin.com/company/hoprnet
Forum: https://forum.hoprnet.org
Github: https://github.com/hoprnet
