
Ledger CTO warns crypto users about the dangers of 'blind signing'

With the latest attack on OpenSea highlighting blockchain vulnerabilities, Charles Guillemet, the chief technology officer of Ledger, warns users about “blind signing,” which he defines as “consenting to a transaction being signed blindly, without understanding what it means.”

In an interview with Cointelegraph, Guillemet broke down the issues and highlighted problems with blind signing. The Ledger chief technology officer notes that consenting to a transaction means signing a message that is then sent to the blockchain. A user is the only one capable of signing transactions with the private key, while anyone else can verify that the signature is correct. “The problem is that this message isn’t intelligible by default. It’s a digital payload,” says Guillemet.

Guillemet also explained that when a coin transfer is signed, it is usually supported by a wallet that “correctly parses the payload and displays its intent.” However, when it comes to signing complex interactions with smart contracts, Guillemet says that “parsing the display isn’t always properly supported and you have no choice but to consent blindly to a transaction that you don’t understand.”

“It’s dangerous because you can think you’re signing a transaction to move part of your funds to address A when you actually sign a transaction to move all of your funds to address B.”
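The following is an added example, not code from Ledger, Cointelegraph or any wallet vendor. It does in miniature what Guillemet describes a wallet doing: it parses a raw transaction payload (EVM calldata) into a human-readable statement of intent, so the signer can see whether the funds are going to address A or address B, and it refuses to display an intent for any payload it cannot fully decode rather than letting the user sign blindly. The ERC-20 `transfer` and `approve` selectors are the standard ones; the sample payloads, addresses and token symbol are constructed for illustration.

```python
# Added example (not Ledger's or Cointelegraph's code): a minimal "clear signing"
# decoder. Known selectors are decoded and shown as intent; anything else is
# reported as undecodable so the user knows they would be signing blindly.

# Standard ERC-20 4-byte function selectors (first 4 bytes of keccak256 of the signature).
KNOWN_SELECTORS = {
    "a9059cbb": ("transfer", ["address", "uint256"]),  # transfer(address,uint256)
    "095ea7b3": ("approve", ["address", "uint256"]),   # approve(address,uint256)
}
UINT256_MAX = 2**256 - 1


def _decode_word(word: bytes, kind: str):
    """Decode one 32-byte ABI word as an address or a uint256."""
    if kind == "address":
        # Addresses are right-aligned in the word; the 12 leading bytes must be zero.
        if any(word[:12]):
            raise ValueError("malformed address word")
        return "0x" + word[12:].hex()
    if kind == "uint256":
        return int.from_bytes(word, "big")
    raise ValueError(f"unsupported type {kind}")


def decode_calldata(calldata_hex: str) -> dict:
    """Parse calldata into {function, args} or flag it as blind (undecodable)."""
    hex_body = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(hex_body)
    if len(data) < 4:
        return {"blind": True, "reason": "payload shorter than a selector"}
    selector = data[:4].hex()
    if selector not in KNOWN_SELECTORS:
        return {"blind": True, "reason": f"unknown selector 0x{selector}"}
    name, types = KNOWN_SELECTORS[selector]
    args_bytes = data[4:]
    if len(args_bytes) != 32 * len(types):
        return {"blind": True, "reason": "argument length does not match ABI"}
    try:
        args = [_decode_word(args_bytes[i * 32:(i + 1) * 32], t) for i, t in enumerate(types)]
    except ValueError as exc:
        return {"blind": True, "reason": str(exc)}
    return {"blind": False, "function": name, "args": args}


def _format_amount(raw: int, decimals: int) -> str:
    """Render a raw token amount with its decimal point, trimming trailing zeros."""
    whole, frac = divmod(raw, 10 ** decimals)
    frac_str = f"{frac:0{decimals}d}".rstrip("0")
    return f"{whole}.{frac_str}" if frac_str else str(whole)


def describe(calldata_hex: str, token_symbol: str = "TOKEN", decimals: int = 18) -> str:
    """Return the sentence a trusted display would show before the user signs."""
    parsed = decode_calldata(calldata_hex)
    if parsed["blind"]:
        return f"CANNOT DISPLAY INTENT ({parsed['reason']}): signing this would be blind signing"
    if parsed["function"] == "transfer":
        to, amount = parsed["args"]
        return f"Send {_format_amount(amount, decimals)} {token_symbol} to {to}"
    spender, amount = parsed["args"]
    # An allowance of 2**256-1 is the common "unlimited approval"; call it out explicitly.
    shown = "UNLIMITED" if amount == UINT256_MAX else _format_amount(amount, decimals)
    return f"Allow {spender} to spend {shown} {token_symbol}"


# Constructed sample payloads (not real transactions).
SAMPLE_TRANSFER = "0xa9059cbb" + "00" * 12 + "11" * 20 + (10**18).to_bytes(32, "big").hex()
SAMPLE_APPROVE_MAX = "0x095ea7b3" + "00" * 12 + "22" * 20 + UINT256_MAX.to_bytes(32, "big").hex()
SAMPLE_UNKNOWN = "0xdeadbeef" + "00" * 32  # selector the decoder does not know

if __name__ == "__main__":
    for payload in (SAMPLE_TRANSFER, SAMPLE_APPROVE_MAX, SAMPLE_UNKNOWN):
        print(describe(payload))
```

The design point is the last branch: a trusted display is only trustworthy if it says "I cannot show you this" instead of rendering a partial or guessed intent. Real wallets keep a much larger selector and ABI database, but the rule that an undecodable payload is treated as blind signing is the same.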

Related: OpenSea disables features temporarily as contract migration completes

The security expert also gave examples where blind signing led to significant losses. In the recent OpenSea exploit, users encountered a phishing attack that resulted in the loss of $1.7 million worth of nonfungible tokens (NFTs). Guillemet notes that in this incident, the attackers tricked their victims into blind-signing a message that made them consent to sell all their NFTs for 0 ETH.

“The attacker had only to sign a transaction saying “I’m okay to buy these NFTs for 0 ETH,” and then presented these two messages to OpenSea to actually execute the transaction swapping 0 ETH against all of the victims’ NFTs.”

When asked what he thinks is the solution to the issue of blind signing, Guillemet turned to an old crypto adage, “don’t trust, verify.” He tells crypto users to “always verify the transaction you consent to sign.” One suggestion that the security expert brought up is signing transactions using the trusted displays found on hardware wallets.
