Enable Blind Signing: Why, When and How to Stay Safe
- Blind signing means confirming a smart contract interaction you can’t verify in a human-readable form.
- This can be either because your wallet can’t extract the details, or because you can’t trust the computer screen itself (hacks are always a risk).
- Ledger is making blind signing a thing of the past; your Ledger device can display full smart contract details on its trusted display, any time you interact with an integrated platform.
- But when you’re interacting with apps outside of Ledger’s ecosystem, you will need to enable blind signing on your device.
- Here’s the lowdown on how that works – and how to maximize your security, no matter where you’re exploring.
Wondering why you’re being asked to enable blind signing? Here, we explain why it’s necessary and how to stay safe.
The ol’ blind signing is a hot topic here at Ledger. In the web3 world, blind signing is one of the sneakiest risks you’ll face, and this is why Ledger’s platform of integrations is gradually making this practice a thing of the past.
But when you’re interacting outside of that ecosystem, there are still times when blind signing is necessary; this is why you’ll occasionally see the message “Enable Blind Signing” appearing on your device as you interact with dApps and DeFi. In this article, we’ll recap what it means to sign a smart contract transaction, what to do when you see this message and how to make sure you stay safe, no matter what sort of App you’re interacting with.
What is Blind Signing? A Recap
Would you sign a contract you hadn’t read? Probably not. And if doing so sounds alarming to you, you’ve already grasped the problem we’re talking about. Blind signing, in its simplest form, means confirming a blockchain-based smart contract you don’t know the full details of – something that has become commonplace in crypto due to how the space has evolved.
Wallets Struggle to Display Smart Contracts
Crypto wallets, both software and hardware varieties, have difficulty with smart contracts, for different reasons.
- Hardware Wallets – Can’t Display Smart Contract Details
Traditionally, crypto hardware wallets were designed to handle simple transfers of value, but smart contracts are more complex – the wallet can understand the conditions, but it cannot display them to you in a format you’ll understand. It’s a simple case of technology outpacing its tools, and leaves you needing to sign transactions based on trust, without any real guarantees about what’s inside.
Private messages are a hotbed for this type of threat. A recent incident saw scammers posing as OpenSea tech admins on Discord. An experienced collector looking for technical help started a conversation about his account, believing he was talking to a service advisor. In the course of the chat the advisor asked him to approve a transaction call – showing no contract details – using his Ledger device. In reality, the transaction he was verifying provided access to his vault, and the advisor was really a fraud – the entire scenario was the staging for a scam.
- Software Wallets – No Trusted Display
We know what you’re thinking: software wallets are designed for interactions with NFT and DeFi platforms, and can easily read and display full transaction details for you to inspect. But there is no way of verifying that what you see is what you’re signing. Why is that?
Software wallets, by their definition, are always connected to the internet. This means hacks can be deployed to tamper with your wallet’s display (check out Man in the Middle Attacks for more on that), meaning you can never be totally sure of what you’re agreeing to. Imagine confirming a transaction to buy a new NFT, only to realise within seconds that it was really an agreement to give a scammer access to all the NFTs in your wallet. This is one of the key vulnerabilities of using a software wallet – not to mention, your private keys are always online.
So in short, no matter what type of wallet you’re using, chances are you won’t always have full transparency over your smart contract interactions. This is where Ledger is changing things.
Clear Signing With Ledger Live Integrations
Ledger’s mission is to bring transparency to every transaction you carry out on your wallet. To achieve this, we’ve enabled “clear signing” – where the full smart contract transaction details are displayed on the device’s trusted screen – with every one of our integrated apps within the Discovery section of Ledger Live.
No matter how quickly Ledger is integrating new apps within its secure ecosystem, you’ll likely still want to use non-integrated platforms at times as you make the most of Web3. During these transactions, you’ll be prompted to “enable blind signing” on your device in order to interact.
Enable Blind Signing Explained
When you enable blind signing, you enable your device to approve a smart contract transaction, even though it hasn’t been able to display full contract data to you. In other words, you’re agreeing to trust, instead of verify, the transaction.
If this sounds like more of a risk, that’s because it is. Blind signing by definition lacks vital transparency – but with the dApp and DeFi ecosystem expanding so rapidly, it’s a process that sometimes cannot be avoided.
In these cases, you are the gatekeeper for your crypto: that means doing some due diligence to ensure things check out before you sign. So what other indicators can you look at to check that your transaction is credible and safe?
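To make the difference between clear and blind signing concrete, here is an added example (not Ledger’s code, and not how a Ledger device decodes transactions): a minimal Python decoder for the calldata of a few standard ERC-20/ERC-721 functions. When the selector is known and the arguments have static types, it renders the call in readable form and flags approvals that hand over control of your assets; otherwise it reports that the call would have to be blind signed. The four-byte selectors are the standard ones; the sample calldata and the operator address are constructed for this example.

```python
# Added example: shows what a trusted display can render (clear signing)
# versus what it cannot (blind signing). Not Ledger's implementation.

# Mini ABI of well-known ERC-20 / ERC-721 selectors with static argument types.
KNOWN_FUNCTIONS = {
    "a9059cbb": ("transfer", ["address", "uint256"]),
    "095ea7b3": ("approve", ["address", "uint256"]),
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),
}

MAX_UINT256 = 2 ** 256 - 1


def _decode_word(kind: str, word: str):
    """Decode one 32-byte (64 hex char) ABI word of a static type."""
    if kind == "address":
        return "0x" + word[-40:]          # address is right-aligned in the word
    if kind == "bool":
        return int(word, 16) != 0
    if kind == "uint256":
        return int(word, 16)
    raise ValueError(f"unsupported type {kind}")


def describe_calldata(calldata: str) -> dict:
    """Return a 'clear' description when the call can be decoded, else 'blind'."""
    data = calldata.lower().removeprefix("0x")
    selector, body = data[:8], data[8:]
    entry = KNOWN_FUNCTIONS.get(selector)
    if entry is None or len(body) % 64 != 0 or len(body) // 64 != len(entry[1]):
        # Nothing the device could show you: this is where "Enable Blind Signing" appears.
        return {"mode": "blind", "selector": selector}
    name, types = entry
    words = [body[i:i + 64] for i in range(0, len(body), 64)]
    args = [_decode_word(t, w) for t, w in zip(types, words)]
    warning = None
    if name == "setApprovalForAll" and args[1]:
        warning = "grants the operator control over EVERY token of this collection"
    elif name == "approve" and args[1] == MAX_UINT256:
        warning = "unlimited spending allowance (max uint256)"
    return {"mode": "clear", "function": name, "args": args, "warning": warning}


# Constructed sample: setApprovalForAll(<operator>, true), the kind of call that
# hands a scammer access to a whole NFT collection. Operator address is made up.
SAMPLE_APPROVAL = "0xa22cb465" + "0" * 24 + "deadbeef" * 5 + "0" * 63 + "1"

if __name__ == "__main__":
    print(describe_calldata(SAMPLE_APPROVAL))
    print(describe_calldata("0x12345678" + "00" * 32))   # unknown selector -> blind
```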
Enable Blind Signing Check List – DYOR for your Transactions
Let’s be clear from the start: none of these factors will give you the same transparency or security as seeing the contract data itself. However, using this checklist can help you identify nefarious transactions, and safeguard your private keys as you interact. These points should be top of mind any time you “enable blind signing”. Let’s do a quick run-down of the essentials.
- Check the URL of the website you’re interacting with – fake sites are a great pretext for blind signing scams to be deployed.
- Ensure the dApp you’re transacting with is one you’ve heard of before – authenticity and reputation are key indicators when it comes to building a profile, and this means only transacting on reputable platforms.
- NEVER interact with anyone who sent you a private message on Discord, Twitter or any other social platform – remember, in Web3, nobody has any reason to reach out to you personally.
- Always use a hardware wallet – this means you can still make sure those all-important private keys stay offline as you interact, giving you a security baseline.
- After you’ve completed your transaction, use the settings in your app to disable blind signing once again.
- And HEY – NEVER GIVE YOUR SEED PHRASE TO ANYONE. CAPICHE??
Minimize Your Risk: Set Up A Warm Wallet
There is one final point we need to mention here – and it might be the most important of all. A warm wallet is another name for whatever wallet you’re using to interact with smart contracts – your active Web3 wallet, in effect.
So say you’re using a Ledger device to secure your NFT collection – under no circumstances should you be securing your collection using the same wallet you sign smart contracts with. Why? Because if you make a mistake, or sign a malicious transaction, your entire collection is at risk.
Instead, you should always segregate your assets into different wallets, and dedicate just one of these wallets to interacting with smart contracts. This means you can move only what you need (when you need it) into your warm wallet – and the rest of your collection is protected even if you make the wrong call when signing a smart contract.
Transparency, Security, Education – the Crypto Trinity
Ledger is not just about securing your private keys – our MO here at the Academy is giving you the information you need to be completely autonomous and secure as you explore Web3. It’s not about us – it’s about you.
Ledger’s goal is to bring complete transparency to every interaction, the whole objective of our integrations. But where this isn’t possible, we still have you covered – making sure you’re literate enough in Web3 to safely navigate it.
Knowledge is power.
Blind signing is the only scam in crypto that relies on YOU opening the door – so understanding its finer points is absolutely essential for you to be an effective gatekeeper. Luckily, School of Block has you covered.