DEV Community

TxDesk
TxDesk

Posted on

A protocol and its users are not having the same emergency

Sit in the protocol's seat during an incident. The job is clear and brutal: pause the contracts, trace where the funds went, pull in security firms, coordinate a response, get a statement out. Every one of those actions is about the protocol surviving. That is the right list. If you run a protocol mid-exploit, that is exactly what you should be doing.

Now sit in a user's seat at the same moment. The questions are completely different. Did this touch my wallet. Did I approve that contract at some point. Is my money still there. What do I do in the next ten minutes. None of those questions are answered by pausing a contract or tracing a treasury.

These two seats run on different clocks. The protocol's response plays out over hours and days, and that is appropriate for the protocol. The user's panic runs in minutes. What the user gets in those minutes is a pinned post and a link to a chat room. The clocks never line up, so the fast emergency ends up waiting on the slow one.

This is not the protocol being negligent. A protocol cannot field thousands of individualized "am I exposed" questions during an active incident, and answering them is not what saves the protocol. So it does not happen. The gap is built into the situation. Pointing at it is not blaming anyone. It is noticing that the person with the most at stake, the individual user, is the one person nobody is positioned to answer in real time.

Here is the part that bothered me enough to build around it. The information that would actually answer the user already exists. It is on-chain, public, and sitting there the whole time. Whether your wallet holds a live approval to a given contract is a fact you can read. What a specific transaction of yours actually did is a fact you can read. What has moved in your wallet is a fact you can read. The data is not missing. It is just not packaged for a frightened non-expert in the moment they need it.

That gap is what I build TxDesk for. It reads the chain and answers in plain language. It can pull a wallet's active token approvals and flag the dangerous ones: the unlimited allowances, and the ones granted to contracts that are unverified or only days old. It can take a single transaction and tell you what it did, in words. It can look at a contract and report what is actually knowable about it: whether it is verified, how old it is, whether it is a proxy. It is read-only. It does not hold your keys and it cannot move your money. It reads, and it explains.

I want to be precise about what that is and is not. It is not a button that says "you were in this hack, here is your refund." It is the ability to ask the chain the specific questions you actually have, the moment you have them, instead of waiting in a queue that was never built to answer you one at a time. "Do I have an approval to this contract." "What did my transaction with it actually do." Those are answerable right now, from public data, and almost nobody packages them for the person asking.

The two emergencies will keep being two emergencies. The protocol's clock is not going to speed up to match yours, and it should not have to. The fix is to give the user their own way to ask, grounded in the same on-chain reality everyone else is reading. That is the problem I work on now.

Top comments (8)

Collapse
 
hiren-kava profile image
Hiren Kava

Excellent framing of the difference between protocol incident response and user incident response. 👌Protocol teams optimize for containment and recovery, while users need immediate wallet-level exposure analysis—especially around approvals, asset movements, and contract interactions.💦 Turning public on-chain data into clear, actionable answers is a meaningful security layer that most incident playbooks still overlook.😎

Collapse
 
txdesk profile image
TxDesk

appreciate that. the approvals piece is the one i'd put first too, it's the highest-leverage thing a user can check and the one they're least equipped to read on their own. the part i keep coming back to is that the protocol's playbook and the user's playbook diverge hardest exactly when speed matters most, the protocol is pausing contracts while the user just needs to know if their specific wallet is exposed, and those are different questions with different answers.

Collapse
 
hiren-kava profile image
Hiren Kava

Strong point. Approvals belong first because they are both high-impact and difficult for most users to evaluate correctly. I also like the distinction between the protocol response and the wallet-level response: pausing contracts may contain the incident, but it does not tell an individual user whether their assets are still exposed.

Thread Thread
 
txdesk profile image
TxDesk

exactly, and that gap is the whole reason wallet-level matters: "the contracts are paused" and "your funds are safe" are different facts, and only the second one is the answer the user actually came for. the approval check is where that splits, a paused contract can still have a live approval you granted earlier sitting on your wallet, so containment at the protocol layer and exposure at the wallet layer aren't the same all-clear. good thread.

Thread Thread
 
hiren-kava profile image
Hiren Kava

Well said. "The protocol is paused" describes the application's state, not the user's actual risk. From an engineering perspective, wallet approvals are persistent capabilities, so validating and, when necessary, revoking them is a separate security step that shouldn't be overlooked.

Thread Thread
 
txdesk profile image
TxDesk

"persistent capabilities" is the right framing, that's exactly what makes them their own security step. the contract pausing is event-scoped, the approval you granted is standing, it outlives the incident and the user usually forgot it exists. so the cleanup the user actually needs has nothing to do with the protocol's state and everything to do with what's still live on their own wallet. well put.

Thread Thread
 
hiren-kava profile image
Hiren Kava

It is impressive that you distinguish between protocol-level incident response and wallet-level user security. In particular, your awareness that existing token approval permissions remain valid even after a contract has been paused demonstrates a practical understanding of the actual blockchain security landscape and the risks faced by users.

Thread Thread
 
txdesk profile image
TxDesk

appreciated. the protocol-vs-wallet split is the thing i keep coming back to, most security writing covers the protocol response well and just stops at the wallet edge, where the user actually lives. thanks for following the thread through, good exchange.