Episode 33 – Blind Signing: The crypto attack vector you must be aware of!

Watch 14 min

Some scams are as old as time itself. Technology and security may move on, from portcullises and vats of boiling oil, to cryptographically secure decentralized networks.

There is of course a modern equivalent to LADDERS and ROPE, and for that we can turn our beady eye to BLIND SIGNING.

A legitimate process in many crypto transactions, but also the ONE OF THE MAIN ATTACK VECTORS in modern crypto scammery.

What exactly is it? How do you know when a SCAM may be lurking? When should you BLIND SIGN and when should you EXERCISE CAUTION?

Well, hang onto your chainmail, because we’re going on a wild ride into not so medieval skullduggery.

Welcome to School of Block.

And if you like helping us help you find financial freedom, then how about a like and a subscribe? The algo feeds us and helps us feed you. Like a mother bird. Only with more crypto.

 

INTRO

dApps and DeFi – introduced back in Episode 13, if you’re wondering – have brought an unprecedented level of freedom to your financial possibilities and interactions, but unfortunately that freedom does come at a price.

And that’s because the new technology has brought new vulnerabilities for scammers to leverage – and new responsibilities for you when it comes to keeping your crypto safe.

It all stems from the SMART CONTRACTS used in present-day dApps and NFTs. They’ve posed a challenge for the current generation of crypto wallets because their code – containing key contract details – cannot be fully extracted and displayed, thus, users sign without knowing what they are signing.

Imagine signing a rental contract for an apartment BLINDFOLDED. Or, not reading the terms and conditions before clicking ACCEPT when you’ve got a new electronic device.

One of these you might be more likely to do than the other – but when the contract you’re signing MANAGES YOUR MONEY, it pays to be prudent.

We are of course talking about BLIND SIGNING, something that you’ll come across in crypto as soon as you start exploring the NFT and dApp space.

It’s actually the industry standard, so it’s not BAD per se – you just need to exercise judgement and good practice.

The problem is a computer’s screen can’t always be trusted – and even if the software wallet shows a message, this could be compromised.

[ROBIN HOT WALLET BLIND SIGN TUTORIAL]

– showing that key details are not shown to the user. Here you’re trusting, not verifying.

The solution is a HARDWARE WALLET, as the trusted display on the hardware wallet itself can’t be got at.

BUT… most hardware wallets use MIDDLEWARES such as metamask, wallet connect and others to access the dApps you’re trying to use. Although these middlewares can help (sometimes) understand the contract data, the hardware wallet displays its content in its raw form (123AFE456…). So even if a hardware wallet screen enjoys what we call a trusted display… the information here can be trusted, but can’t be easily verified.

And hence, even if you can verify the content of your transaction, because it’s so cryptic… you end up blind signing, EVEN IF you’re using a hardware wallet.

Let’s have a look at an example.

[ROBIN TUTORIAL – note keys are safe but transaction details are still absent.]

SCAMS

 

So how do the scams work? Well, it’s not just CRYPTO NOOBS who get targeted – a couple of well known CRYPTO JUNKIES recently got taken to the cleaners. 

 

And that’s because BLIND SIGNING has two elements: The TECHNOLOGY – and YOU. That’s why your own judgement has never been so crucial.

 

Both Jeff Nicholas and Sohrob Farudi got taken in by scammers on the Discord channel for major NFT marketplace Opensea.

 

These scammers had somehow mimicked the usernames of the Open Sea founders, and directed Jeff and Nicholas to a place where they revealed the Metamask QR Code in their browser extension – essentially the same as giving out your SEED PHRASE.

 

In Jeff’s case, despite the fact he had a hardware wallet, the scammers persuaded him to blind sign a series of transactions before after they got to his ultimate QR code in order to transfer some of his precious NFTs.

 

And this is the key lesson: with crypto bursting into the mainstream, more and more people are becoming educated about how to keep their assets secure, and there are fewer opportunities for scammers to gain access to your assets. 

 

So instead of trying to break the door open – they are relying on you to open it for them by tricking you into blind signing. 

 

Sohrob documents the whole sorry saga on twitter, Jeff it seems was too gutted to be quite as detailed. By all means have a read in your own time, it’s a pretty toe-curling sequence of events that might help you avoid something similar yourself. 

https://twitter.com/sohrobf/status/1430478533306982408?s=20

 

THE LEDGER SOLUTION

 

Ledger’s solution is to integrate dApps directly in their APP CATALOGUE on LEDGER LIVE, in order to make sure the tech is compatible and there’s no blind signing.

 

Instead there’s CLEAR SIGNING, where a transaction in Ledger Live – via paraswap for instance – is displayed clearly on the trusted display showing all the transaction details. 

 

This helps you practice one of the key messages for keeping yourself safe:

 

DON’T TRUST, BUT VERIFY. 

 

The phrase was made popular by President Reagan in the 1980s during the Cold War, referring to the information the Americans had about the size of the opposing nuclear arsenal. 

 

But it absolutely applies to transactions in crypto too. 

 

So let’s take a look at how CLEAR SIGNING works when using a LEDGER HARDWARE WALLET to VERIFY.

 

[ROBIN TUTORIAL – CLEAR SIGNING WITH PARASWAP FROM LL.]

 

We are aware though that not all dApps are in Ledger Live just yet, so in the meantime here’s what you need to be looking out for when you transact outside of the Ledger Live ecosystem. 

 

BEST PRACTICE

 

Here are some simple rules of thumb to keep yourself safe, for those times when you need to BLIND SIGN through an intermediary wallet but need to MITIGATE your RISK. 

 

FIRST UP, don’t use dApps that you’ve never heard of before, always double check authenticity. NFT DROP website you’ve never heard of before? Temper that FOMO, and do some due diligence. 

 

NEXT, and this is massive: Be VERY SCEPTICAL of DM’s on social media: if someone you don’t know is actively reaching out to you, consider the reasons why. 

 

Remember, it could be anyone  – so don’t click on any links they send you, no matter how much free bitcoin they’re promising. 

 

THIRD, always keep your keys isolated by using a HARDWARE WALLET – no matter what type of transaction you’re doing. 

 

Using something like a LEDGER NANO adds a layer of security to ALL of your interactions.

 

And FINALLY, should we need to say it again…

 

NEVER DISCLOSE your recovery phrase to anyone, SAVE IT on a device connected to the internet or ENTER IT into a software wallet. 

 

Keep it written down on paper somewhere safe you won’t forget. That’s it.

 

CONCLUSION

 

At Ledger, we’re trying to make the process better. 

 

So in our ever expanding APP CATALOGUE on LEDGER LIVE there’s no need to BLIND SIGN – you can VERIFY each and every transaction and know exactly what is happening to your tokens. 

 

This CLEAR SIGNING is a recent innovation, and one that is incredibly necessary.

 

Indeed, it is the future. But until it’s everywhere, be careful out there folks. With FINANCIAL FREEDOM does come great RESPONSIBILITY.

 

No matter how advanced your wallet is, YOU are the last point of defence for your crypto assets. 

 

So always be on the lookout for bandits trying to throw that ladder over your battlements, or even just asking you nicely to open the front door – which may well be more likely.

 

Be smart, be careful, and that horse right there is just gagging to be ridden off into the sunset. 

 

You’ve been watching School of Block, presented by Ledger and the Defiant, demystifying decentralisation, one block at a time. Don’t forget to subscribe, drop us a like if that’s what you’re into, and as always – here’s to your financial freedom.


Stay in touch

Announcements can be found in our blog. Press contact:
[email protected]