Ledger CTO warns crypto users about the dangers of 'blind signing'

Published at: March 3, 2022

With the recent attack on OpenSea highlighting blockchain vulnerabilities, Charles Guillemet, the CTO of Ledger, warns users about “blind signing,” which he defines as “consenting a transaction to be signed blindly, without understanding what it means.”

In an interview with Cointelegraph, Guillemet broke down the problems and highlighted issues with blind signing. The Ledger CTO notes that consenting to transactions requires signing a message to be sent to the blockchain. A user is the only one capable of signing transactions with the private key, while others can verify if it's correct. "The issue is that this message is not intelligible by default. It’s a digital payload," says Guillemet.

Guillemet also explained that when a coin transfer is signed, it’s normally supported by a wallet that “properly parses the payload and displays its intent.” However, when it comes to signing complex interactions with smart contracts, Guillemet says that “parsing the display is not always properly supported and you have no choice but consenting blindly for a transaction that you don’t understand.”

“It’s risky because you can think you’re signing a transaction to move part of your funds to address A while you actually sign a transaction to move all your funds to address B.”
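The gap between a parsed payload and a blind-signed one can be shown with a small decoder. This is an added example, not code from the article or from Ledger; it assumes Ethereum ABI calldata for two standard ERC-20 functions, and the function names `describe` and `check_against_claim`, the addresses and the amounts are constructed for illustration.

```python
# Added illustration: minimal "clear signing" decoder for Ethereum ABI calldata.
# The selector table is deliberately tiny; addresses and amounts are constructed.
KNOWN = {
    "a9059cbb": ("transfer", ("address", "uint256")),  # ERC-20 transfer(address,uint256)
    "095ea7b3": ("approve", ("address", "uint256")),   # ERC-20 approve(address,uint256)
}

def describe(calldata_hex):
    """Decode calldata into displayable intent, or report that signing would be blind."""
    h = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    try:
        raw = bytes.fromhex(h)
    except ValueError:
        return {"clear": False, "reason": "payload is not valid hex"}
    selector = raw[:4].hex()
    if selector not in KNOWN:
        return {"clear": False, "reason": "unknown selector 0x%s, cannot show intent" % selector}
    name, types = KNOWN[selector]
    if len(raw) != 4 + 32 * len(types):
        return {"clear": False, "reason": "argument length does not match the ABI"}
    args = []
    for i, kind in enumerate(types):
        word = raw[4 + 32 * i: 36 + 32 * i]
        if kind == "address":
            if any(word[:12]):  # an address is 20 bytes, left-padded with zeros
                return {"clear": False, "reason": "malformed address argument"}
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return {"clear": True, "function": name, "address": args[0], "amount": args[1]}

def check_against_claim(calldata_hex, claimed_to, claimed_amount):
    """Compare what the user was told with what the payload actually encodes."""
    d = describe(calldata_hex)
    if not d["clear"]:
        return ["REFUSE: " + d["reason"]]
    problems = []
    if d["address"] != claimed_to.lower():
        problems.append("recipient is %s, not %s" % (d["address"], claimed_to))
    if d["amount"] != claimed_amount:
        problems.append("amount is %d, not %d" % (d["amount"], claimed_amount))
    return problems

# Constructed samples: the user is told "send 10 units to A"; two payloads say otherwise.
ADDR_A, ADDR_B = "0x" + "aa" * 20, "0x" + "bb" * 20
HONEST = "0xa9059cbb" + "00" * 12 + "aa" * 20 + "%064x" % 10
SWAPPED = "0xa9059cbb" + "00" * 12 + "bb" * 20 + "%064x" % 1000
OPAQUE = "0xdeadbeef" + "00" * 64  # selector the decoder does not know

if __name__ == "__main__":
    for payload in (HONEST, SWAPPED, OPAQUE):
        print(check_against_claim(payload, ADDR_A, 10) or "matches claim")
```

A payload the decoder cannot parse is refused rather than shown as raw hex, which is the behaviour that separates a trusted display from blind signing.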


The security expert also gave examples where blind signing led to significant losses. In the most recent OpenSea exploit, users encountered a phishing attack that resulted in the loss of $1.7 million worth of nonfungible tokens (NFTs). Guillemet notes that in this incident, the attackers tricked their victims into blind-signing a message that made them consent to sell all their NFTs for 0 ETH.

“The attacker had only to sign a transaction saying ‘I’m ok to buy these NFTs for 0 ETH,’ and then presented these two messages to OpenSea to actually execute the transaction swapping 0 ETH against all the victims’ NFTs.”

When asked what he thinks is the solution to the issue of blind signing, Guillemet turned to an old crypto adage, “don’t trust, verify.” He tells crypto users to “always verify the transaction you consent to sign.” One suggestion that the security expert brought up is signing transactions using trusted displays that can be found on hardware wallets.
