Whitepaper

Abstract

Harpie is ending on-chain theft.
We are the first on-chain firewall that prevents hacks, scams, and theft. Our service monitors pending transactions for potential attacks. When we detect an attack, we securely move funds away from vulnerable wallets before they can be stolen.

Introduction

It's a bullish day for Ethereum, and you've decided to rebalance some of your tokens into ETH. You hop on your favorite DEX and go through the exchange process as usual.
Even though you've given the protocol your tokens, the ETH never lands in your wallet. After a few minutes, you start wondering what's going on. You're about to make a report, but you see a tweet from the protocol that makes your stomach sink:
"Frontend is compromised. Do not use until further notice!"
You've just been robbed, and there was nothing you could have done about it.
Crypto shouldn't feel scary to use, but stories like the above happen every day to every subset of crypto user—from yield farmers, to NFT whales, to everyday hobbyists.
Theft is becoming rampant in the crypto space. Crypto users deal with attacks like website hijackings, social engineering scams, and social media misinformation on an almost-daily basis.
Harpie is the first service that protects you from crypto theft. If you're ever caught sending tokens to an unintended party, we stop that transfer in transit. We protect our users from a huge variety of attack vectors: social engineering, website hacks, accidental transfers, private key theft, etc.
You can learn all of the possible attack vectors we prevent in this section: What attacks can Harpie prevent?

How it works: summary

Harpie identifies malicious transactions by having users set up a "trusted network" of protocols and peers. If your wallet sends a transfer to someone outside this trusted network, we stop that transaction from happening.
We are able to eliminate these malicious transfers even after they're transmitted on-chain with an advanced strategy called frontrunning. When a malicious transfer or approval is detected, we move your funds to a noncustodial vault before the transaction can confirm. By paying a higher gas fee, we have the ability to move your funds to the vault before the hacker can move your funds to their own wallet.
Learn more about the "trusted network" concept: What is a Trusted Network?

Security: summary

Harpie has rigorous security measures in place to ensure the safety of your assets. Our smart contracts have public code and public audits in place, so anyone can verify as well.
Harpie works by transferring your assets out of your wallet and into a noncustodial vault before an attacker's transaction can execute. Because of this, we've made sure that our transfer mechanism is airtight.

Transferer Contract

When you sign up for Harpie, you'll give the Transferer contract permission to transfer your tokens to our noncustodial vault. It cannot transfer your tokens anywhere else.
When we detect an attack on your wallet, we use this Transferer contract to move your assets away from your compromised wallet. This smart contract can only move your assets to one location: our noncustodial Vault contract.

Vault Contract

The Noncustodial Vault contract is where you can withdraw your assets that have been transferred by our frontrunner. Only you can withdraw your assets from the Vault; there is no admin key that allows us to withdraw your assets on your behalf.

Conclusion

Because the Transferer contract can only move assets to the Vault, and since there is no ability for an admin to withdraw users' assets from the Vault, we feel that our system can responsibly handle the trust that comes with giving a contract access to transfer tokens.
You can learn more about our contracts and the security programmed within them in Contracts.

Frequently asked questions

Can I mint new NFTs even with a Harpie plan?
Yes, you can. We only stop transactions when your protected tokens are at risk (i.e. approvals and transfers) Since the minting of an NFT is not a risky operation, we allow them to run through our filter.
What if I want to use a new protocol or project? Will I have to manually add it to my trusted network?
We offer a curated list of the most popular & secure protocols, so you likely won't need to add any additional protocols. If you're using an all-new protocol, you're able to add them to your trusted network as a custom address. That being said, we recommend a strong amount of caution when adding custom addresses to your trusted network.
How does Harpie deal with mempool-obfuscating technology, like private mempools, Flashbots, etc.?
Mempool-obfuscating technologies do not substantially affect our operations.
An overwhelming majority of consumer-targeted attacks ask victims to sign the transaction that sends their assets over to an attacker. Since these transactions are self-signed, and our users are unlikely to use mempool obfuscators for their daily transactions, we find that mempool obfuscation is not a large concern for our usecase.
Last modified 2mo ago