With the recent OpenSea phishing attack highlighting the risks of blind signing, Charles Guillemet, Ledger’s CTO, warns users about “blind signatures,” which he defines as “giving consent for a transaction to be signed at blind, without understanding what it means”.
In an interview with Cointelegraph, Guillemet explained the problem with blind signing. Ledger’s CTO points out that consenting to a transaction means signing a message that will be sent to the blockchain. Only the holder of the private key can produce that signature, while anyone else can verify that it is correct. “The problem is that this message is not intelligible by default. It is a digital payload,” Guillemet says.
Guillemet also explained that when a coin transfer is signed, it is typically backed by a wallet that “correctly parses the payload and displays its intent.” However, when it comes to signing complex interactions with smart contracts, Guillemet says that “screen analytics isn’t always properly supported, and you have no choice but to blindly consent to a transaction you don’t understand.”
“It’s risky because you may think you’re signing a transaction to move some of your funds to address A when you’re actually signing a transaction to move all of your funds to address B.”
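As an added illustration (not code from the article, from Ledger or from Cointelegraph), the following Python sketch shows the difference between the two situations Guillemet describes: a payload the wallet can parse and display, and one it cannot. It implements a minimal decoder for Ethereum contract calldata, using the well-known 4-byte selectors of `transfer`, `approve`, `transferFrom` and `setApprovalForAll`, and then compares what a dApp claims a transaction does with what the payload actually encodes. The addresses, amounts and the unknown selector are constructed for the example.

```python
# Added example, not from the Cointelegraph article or from Ledger: a minimal
# decoder for Ethereum contract calldata. It shows what a wallet has to do to
# render a transaction's intent on its screen, and what it is left with when
# the payload cannot be parsed (the "blind signing" case).

# 4-byte function selectors (first 4 bytes of keccak256 over the canonical
# signature). Hard-coded so the example runs without a keccak dependency.
KNOWN_SELECTORS = {
    "a9059cbb": ("transfer", ["address", "uint256"]),
    "095ea7b3": ("approve", ["address", "uint256"]),
    "23b872dd": ("transferFrom", ["address", "address", "uint256"]),
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),
}
MAX_UINT256 = 2**256 - 1

# Constructed sample addresses, not real accounts.
ADDR_A = "0x" + "11" * 20
ADDR_B = "0x" + "22" * 20


def encode_call(selector_hex, values):
    """ABI-encode static arguments (address, uint256, bool) after a selector.
    Used only to build sample payloads for the decoder below."""
    out = bytes.fromhex(selector_hex)
    for v in values:
        if isinstance(v, bool):          # bool before int: bool is an int subclass
            out += int(v).to_bytes(32, "big")
        elif isinstance(v, int):
            out += v.to_bytes(32, "big")
        elif isinstance(v, str) and v.startswith("0x") and len(v) == 42:
            out += bytes.fromhex(v[2:]).rjust(32, b"\x00")
        else:
            raise ValueError(f"unsupported argument: {v!r}")
    return "0x" + out.hex()


def decode_word(word, abi_type):
    """Decode one 32-byte ABI word of a static type."""
    if abi_type == "address":
        return "0x" + word[12:].hex()
    if abi_type == "uint256":
        return int.from_bytes(word, "big")
    if abi_type == "bool":
        return word[-1] == 1
    raise ValueError(f"unsupported type {abi_type}")


def describe_calldata(calldata_hex):
    """Return what a wallet could show for this payload.

    'clear' is True only when the selector is known and the arguments parse,
    so every field the user is consenting to can be displayed. Otherwise the
    wallet has nothing better than an opaque hash to show, which is exactly
    the blind-signing situation described in the article."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    if len(data) < 4:
        return {"clear": False, "reason": "no function selector"}
    sel = data[:4].hex()
    entry = KNOWN_SELECTORS.get(sel)
    if entry is None:
        return {"clear": False, "reason": f"unknown selector 0x{sel}"}
    name, types = entry
    body = data[4:]
    if len(body) != 32 * len(types):
        return {"clear": False, "reason": f"{name}: argument length mismatch"}
    args = [decode_word(body[i * 32:(i + 1) * 32], t) for i, t in enumerate(types)]
    warnings = []
    if name == "approve" and args[1] == MAX_UINT256:
        warnings.append("unlimited token allowance")
    if name == "setApprovalForAll" and args[1]:
        warnings.append("operator may move every token in this collection")
    return {"clear": True, "function": name, "args": args, "warnings": warnings}


def check_against_claim(calldata_hex, claimed_function, claimed_args):
    """'Don't trust, verify': compare what the dApp claims the transaction does
    with what the payload actually encodes. Returns True only on an exact match."""
    shown = describe_calldata(calldata_hex)
    return (shown["clear"]
            and shown["function"] == claimed_function
            and shown["args"] == list(claimed_args))


if __name__ == "__main__":
    # The dApp says: "transfer 5 tokens to A". The payload it asks you to sign:
    honest = encode_call("a9059cbb", [ADDR_A, 5])
    # ...or, in the scenario from the article, a payload moving far more to B:
    swapped = encode_call("a9059cbb", [ADDR_B, 1_000_000])
    print(describe_calldata(honest))
    print(describe_calldata(swapped))
    print("claim matches honest payload:", check_against_claim(honest, "transfer", [ADDR_A, 5]))
    print("claim matches swapped payload:", check_against_claim(swapped, "transfer", [ADDR_A, 5]))
    # A contract the wallet has no parser for: nothing to display but the hash.
    print(describe_calldata("0xdeadbeef" + "00" * 64))
```

The point of `check_against_claim` is the one Guillemet makes: the dApp's description of the transaction is untrusted input, and the only thing worth consenting to is what the decoded payload says. When `describe_calldata` returns `clear: False`, a wallet cannot perform that comparison on the user's behalf, and the user is back to blind signing.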
The security expert also gave examples where blind signing led to significant losses. In the recent OpenSea incident, users fell victim to a phishing attack that resulted in the loss of $1.7 million in non-fungible tokens (NFTs). Guillemet notes that the attackers tricked their victims into blindly signing a message that consented to selling all of their NFTs for 0 ETH.
“The attacker just had to sign a transaction that said ‘I agree to buy these NFTs for 0 ETH’ and then presented these two messages to OpenSea to execute the transaction exchanging 0 ETH against all of the victims’ NFTs.”
When asked what he thought the solution to the blind signing problem is, Guillemet fell back on an old crypto adage, “don’t trust, verify,” advising cryptocurrency users to “always verify the transaction you agree to sign.” One concrete suggestion from the security expert is to review a transaction on the trusted screen of a hardware wallet before signing it.
Clarification: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information set forth herein should not be taken as financial advice or investment recommendation. All investment and commercial movement involve risks and it is the responsibility of each person to do their due research before making an investment decision.