Coinbase just released an excellent analysis of Zero Transfer Phishing. I'm encouraged to see these incidents being addressed in a disciplined way.
However, I was disappointed with the very first recommendation and I'd like to explain why. Blockchain UX today is basically a blender with diamonds at the bottom. Just reach in and grab them... if you can.
Seriously, it's really bad - and part of why that is so frustrating is because of how much real value is trapped behind a brutally unforgiving experience.
So when Coinbase's Unit 0x says "verify the entirety of the address before sending", they aren't technically wrong: "Make sure you only reach for a diamond after the sharp blade has passed" 😐
Yes, that is indeed correct, but also not helpful. This is like the advice security teams gave about passwords in the 90s: "when your password is impossible for you to remember, it is good enough". Not surprisingly, account breaches increased.
Sometimes security issues are really UX problems: it needs to be easier to do the right thing. The blog does try to tackle this from the wallet / explorer side, but with a largely reactive posture: how to catch a bad address before a user can copy it, or after they've pasted it.
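To make the "reactive" wallet-side posture concrete, here is an added example (not code from the post, from Coinbase, or from Unit 0x) of the kind of check a wallet or explorer could run over a transaction history: it flags counterparties whose truncated display form ("0x" plus the first four hex digits, "...", the last four) matches a saved contact while the full address differs, and it refuses a send unless the destination equals a saved contact in its entirety. The truncation widths, the `Transfer` record shape, the address book and the history rows are all assumptions constructed for the example.

```python
# Added example, not from the post or from Coinbase's analysis.
# Assumption: the wallet UI shows addresses as "0x" + 4 hex + "..." + 4 hex.
from dataclasses import dataclass

PREFIX_CHARS = 6  # "0x" plus four hex digits (assumed UI truncation)
SUFFIX_CHARS = 4  # last four hex digits (assumed UI truncation)
HEX = set("0123456789abcdef")


@dataclass(frozen=True)
class Transfer:
    counterparty: str  # the other party shown on the history row
    value_wei: int     # zero for the dust/zero-value transfers this check targets


def normalize(addr: str) -> str:
    """Lower-case a 20-byte hex address and reject anything else.
    Comparing lower-case forms is enough for equality; EIP-55 checksum
    validation is a separate, additional check not shown here."""
    a = addr.strip().lower()
    if not (a.startswith("0x") and len(a) == 42 and set(a[2:]) <= HEX):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a


def truncated(addr: str) -> str:
    """The shortened form a user actually sees in the UI."""
    a = normalize(addr)
    return a[:PREFIX_CHARS] + "..." + a[-SUFFIX_CHARS:]


def is_lookalike(candidate: str, trusted: str) -> bool:
    """True when the two addresses differ but display identically when truncated."""
    c, t = normalize(candidate), normalize(trusted)
    return c != t and truncated(c) == truncated(t)


def flag_history(history, address_book):
    """Return (address, reason) pairs for history rows that deserve a warning.
    A row is suspicious when its counterparty is not a saved contact but
    looks like one after truncation; zero value makes the warning louder."""
    trusted = {normalize(a): name for name, a in address_book.items()}
    flagged = []
    for tx in history:
        cp = normalize(tx.counterparty)
        if cp in trusted:
            continue  # exact match with a saved contact: nothing to flag
        for t_addr, name in trusted.items():
            if is_lookalike(cp, t_addr):
                reason = f"displays like '{name}' ({truncated(t_addr)}) but the full address differs"
                if tx.value_wei == 0:
                    reason += "; zero-value transfer"
                flagged.append((cp, reason))
                break
    return flagged


def safe_to_send(dest: str, address_book) -> bool:
    """Allow a send only when the destination equals a saved contact in full,
    never on a prefix/suffix match."""
    d = normalize(dest)
    return any(normalize(a) == d for a in address_book.values())


# Constructed sample data (not real addresses).
TRUSTED = "0x1234567890abcdef1234567890abcdef1234abcd"
LOOKALIKE = "0x1234deadbeefdeadbeefdeadbeefdeadbeefabcd"  # same first/last 4 hex digits
UNRELATED = "0x9999999999999999999999999999999999999999"
ADDRESS_BOOK = {"exchange deposit": TRUSTED}
SAMPLE_HISTORY = [
    Transfer(TRUSTED, 10**18),   # a real payment to the saved contact
    Transfer(LOOKALIKE, 0),      # zero-value row from a lookalike address
    Transfer(UNRELATED, 5 * 10**17),
]

if __name__ == "__main__":
    for addr, reason in flag_history(SAMPLE_HISTORY, ADDRESS_BOOK):
        print(f"WARN {truncated(addr)}: {reason}")
    print("send to lookalike allowed:", safe_to_send(LOOKALIKE, ADDRESS_BOOK))
```

The point of `safe_to_send` is that the decision is made on the full 40 hex digits, so the user never has to do the comparison the blog post asks of them; `flag_history` is the "before they copy it" half of the same idea.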
Why are users copying and pasting to begin with? Because cryptographic keys are for computers, not humans.
I think there are more proactive solutions, like Ethereum Name Service (ENS). ENS turns computer-friendly addresses into human-friendly addresses, and it is all on-chain. My personal goal is for all Ethereum addresses I manage on a recurring basis to be mapped to an ENS domain or subdomain. It is a little extra work up front, like setting up a password manager, but it works just about everywhere and is easy to maintain.
To be clear, Unit 0x presented valuable mitigations. In fact, I would like to see the security approach used to mitigate ZTP in Coinbase Wallet generalized to an open source extension (akin to joinfire.xyz).
But the endgame must address the root UX challenges that make blockchains so perilous to begin with, while still ensuring the user is in control.