“Do not trust; verify,” advises Charles Guillemet, chief technology officer of hardware wallet maker Ledger.
With the recent attack on OpenSea showcasing blockchain weaknesses, Ledger’s CTO Charles Guillemet warns users against “blind signing,” which he describes as “consenting to a transaction being signed blindly, without comprehending what it entails.”
Guillemet broke down and emphasised the challenges of blind signing. Consenting to a transaction, according to Ledger’s CTO, means signing a message to be sent to the blockchain. Only the holder of the private key can sign a transaction, although others can verify that the signature is correct. “The issue is that by default, this message is unintelligible. It is a data payload,” Guillemet asserts.
Additionally, Guillemet explained that when a currency transaction is signed, it is typically accompanied by a wallet that “correctly parses the payload and exposes its intent.” However, Guillemet notes that when it comes to signing complex interactions with smart contracts, “parsing the display is not always supported adequately, leaving you with no choice but to assent blindly to a transaction you do not comprehend.”
“It’s risky because you may believe you’re signing a transaction to transfer a portion of your assets to address A when, in fact, you’re signing a transaction to transfer all of your cash to address B.”
Additionally, the security expert gave examples of incidents in which blind signing led to large losses. In the most recent OpenSea hack, users were targeted by a phishing attack that resulted in the loss of $1.7 million in nonfungible tokens (NFTs). According to Guillemet, the attackers duped their victims into blind-signing a message authorising the sale of all their NFTs for 0 ETH.
“All the attacker needed to do was sign a transaction stating, ‘I agree to buy these NFTs for 0 ETH,’ and then present these two messages to OpenSea, which would then execute the transaction swapping 0 ETH for all the victims’ NFTs.”
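To make concrete what Guillemet means by a wallet that “parses the payload and exposes its intent,” and why an approval covering all of a user’s NFTs is so dangerous, here is a small decoder added for this article (it is not Ledger’s code). It reads the 4-byte selector and ABI words of raw EVM calldata for three well-known ERC-20/ERC-721 functions, renders the intent in plain language, and flags anything it cannot parse as blind signing; the sample payloads are constructed.

```python
"""Minimal EVM calldata decoder: show what a signature would authorise."""

# Well-known 4-byte selectors (first four bytes of keccak256 over the
# canonical signature), mapped to their argument types.
KNOWN_SELECTORS = {
    "a9059cbb": ("transfer(address,uint256)", ("address", "uint256")),
    "095ea7b3": ("approve(address,uint256)", ("address", "uint256")),
    "a22cb465": ("setApprovalForAll(address,bool)", ("address", "bool")),
}
UNLIMITED = 2**256 - 1


def _decode_word(kind, word):
    """Decode one 32-byte ABI word given as 64 hex characters."""
    if kind == "address":
        return "0x" + word[-40:]        # right-aligned 20-byte address
    if kind == "bool":
        return int(word, 16) != 0
    return int(word, 16)                # uint256


def _describe(sig, args):
    """The sentence a clear-signing wallet would put on its display."""
    if sig.startswith("transfer("):
        return f"Send {args[1]} token units to {args[0]}"
    if sig.startswith("approve("):
        amount = "UNLIMITED" if args[1] == UNLIMITED else args[1]
        return f"Let {args[0]} spend up to {amount} of your token units"
    verb = "Grant" if args[1] else "Revoke"
    return f"{verb} {args[0]} the right to move ALL your NFTs in this collection"


def decode_calldata(calldata_hex):
    """Return a dict; blind=True means the payload cannot be explained."""
    data = calldata_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    selector, body = data[:8], data[8:]
    if selector not in KNOWN_SELECTORS or len(body) % 64:
        return {"blind": True, "selector": selector,
                "summary": f"Unknown payload 0x{selector}: you would be blind signing"}
    sig, kinds = KNOWN_SELECTORS[selector]
    words = [body[i:i + 64] for i in range(0, len(body), 64)]
    if len(words) != len(kinds):
        return {"blind": True, "selector": selector,
                "summary": f"{sig} with wrong argument count: refuse to sign"}
    args = [_decode_word(k, w) for k, w in zip(kinds, words)]
    return {"blind": False, "function": sig, "args": args,
            "summary": _describe(sig, args)}


# Constructed sample: setApprovalForAll(0x2222..., true), the kind of call
# that hands an operator control of every NFT in a collection.
SAMPLE_APPROVE_ALL = "0xa22cb465" + "00" * 12 + "22" * 20 + "0" * 63 + "1"
```

Running `decode_calldata` on the sample yields a "Grant ... ALL your NFTs" summary, while an unrecognised selector such as `0xdeadbeef` comes back with `blind=True`.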
When asked what he believes is the solution to the blind signing problem, Guillemet cited an old cryptographic adage: “do not trust, verify.” He advises cryptocurrency users to “always verify the transaction that you agree to sign.” One suggestion from the security expert is that transactions be signed on trusted displays, such as those found on hardware wallets.
Disclaimer: These are the writer’s opinions and should not be considered investment advice. Readers should do their own research.