Posted on August 12, 2024 at 5:35 p.m. EST.
Blind signing is probably one of the biggest threats to institutional security we’ve ever allowed on the blockchain. According to Scamsniffer, in the first half of 2024 alone, $314 million was illegally obtained through phishing signatures. Additionally, $295 million was stolen last year through phishing and front-end attacks. Much of this loss could have been avoided if plaintext signatures had been used.
It’s time for institutions to make the shift. Clear signing is the best way to protect customer assets and put in place a truly robust risk management strategy to avoid not only financial losses, but also the erosion of customer trust.
What is blind signing and why is it a failure for institutions?
Blind signing is a process of approving transactions without seeing the full context or content, making these transactions vulnerable to phishing scams and malicious attacks. Here’s how it works: Institutions interact with decentralized applications (dApps), smart contracts, or certain staking transactions, and when a transaction is initiated, users are prompted to sign it through their digital wallet interface. However, many wallets don’t do the hard work of presenting the signing message in a human-readable format; instead, users see code that’s difficult to interpret or understand.
Hiding the exact details of the transaction leads users to approve it without actually knowing what they are authorizing, hence the term “blind signing.”
Although the crypto industry has somewhat internalized this risk as an expected part of the process, the result of countless users’ funds being depleted will spell disaster for institutions. That’s why every wallet provider should have a timeline for switching to supporting plaintext signatures exclusively, and every institution should require plaintext signatures from their wallet provider.
Examples of blind signature attacks
A recent example is the attack on WazirX, an Indian cryptocurrency exchange platform. Even a multi-signature wallet couldn’t withstand hacker attacks, with hackers resorting to phishing to obtain two of the four signatures needed to gain full access.
They then turned the wallet into a malicious contract, draining $230 million in various cryptocurrencies including Ethereum, Solana, and DOGE. Ultimately, WazirX distributed the losses among its users, which caused immediate outrage and an erosion of trust.
Meanwhile, in March 2021, Cream Finance, a decentralized lending protocol, suffered a DNS hijacking attack. Attackers compromised Cream Finance’s front-end interface, redirecting users to a fraudulent website that mimicked the real platform.
Users visiting the compromised Cream Finance website were prompted to connect their wallets and sign transactions. The malicious interface requested blind signing of transactions that, unbeknownst to users, transferred their funds to the attacker’s address. This attack led to the theft of approximately $37.5 million in cryptocurrency.
These are just a few examples that illustrate the weaknesses of blind signing, which raises the question: what can we do to better protect exchanges, institutions, and everyday users of cryptocurrencies?
Clear Signature to the Rescue
Unlike blind signing, plaintext signing allows users to verify all transaction details before approval. This process provides transparency and security, allowing users to understand what they are signing in a human-readable format.
There are three key areas where the clear signature clearly outperforms the blind process:
- Nothing is out of sight. Users can see the exact details of the transaction, including the recipient, amount and all associated data.
- It’s easier to spot scams. By reviewing transaction details, users can identify and reject suspicious activity. Or better yet, the wallet’s policy engine, which includes rules governing transaction policies, key sharing generation process, backup and recovery, audit log database, and account-level changes, can do it. This reduces the risk of phishing and other malicious attacks.
- Human error is significantly reduced. By enabling users to make informed decisions, clear signature minimizes the risk of human error, a common factor in security breaches.
The clear signature is especially crucial for institutions and large asset holders whose actions often cause a ripple effect that reverberates throughout the DeFi sector.
Implementing plaintext signing also involves upgrading the technology infrastructure to support a higher level of transparency. This includes integrating advanced features into user interfaces that present transaction details in a clear and understandable manner. Additionally, institutions must ensure that their security protocols mandate plaintext signing, making it a mandatory step in the transaction process.
It is worth noting that a granular policy engine can provide another line of defense against attacks. The role of such an engine is to whitelist certain paths and deny by default anything outside the approved “to/from” path, rather than doing simple rate limits or risk budgeting for a given portfolio.
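The two defenses described above (showing the signer the recipient, amount and data in readable form, and a policy engine that denies anything outside an approved path) can be sketched together. This is an added example, not code from the article or from any wallet product; it assumes ERC-20 `transfer`/`approve` calldata, a path defined as (from, token contract, counterparty), and constructed sample addresses.

```python
# Added example: selectors are the standard ERC-20 ones; every address,
# amount and allowlist entry below is a constructed sample value.
SELECTORS = {"a9059cbb": "transfer", "095ea7b3": "approve"}
UNLIMITED = 2**256 - 1

def decode_call(calldata_hex):
    """Return (function, counterparty, amount), or None if not understood."""
    data = calldata_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    name = SELECTORS.get(data[:8])
    if name is None or len(data) != 8 + 2 * 64:
        return None
    try:
        addr_word, amount = data[8:72], int(data[72:136], 16)
        if int(addr_word[:24], 16) != 0:   # address must be zero-padded
            return None
    except ValueError:                      # non-hex input
        return None
    return name, "0x" + addr_word[24:], amount

def clear_sign_text(tx):
    """Render what the signer is about to authorize in readable form."""
    call = decode_call(tx["data"])
    if call is None:
        return "UNDECODABLE call to %s: do not sign" % tx["to"]
    name, party, amount = call
    shown = "UNLIMITED" if amount == UNLIMITED else str(amount)
    return "%s %s base units of token %s -> %s" % (name, shown, tx["to"], party)

def policy_allows(tx, allowed_paths):
    """Deny by default; match on the decoded counterparty, not just tx['to']."""
    call = decode_call(tx["data"])
    if call is None:
        return False
    return (tx["from"].lower(), tx["to"].lower(), call[1]) in allowed_paths

def encode(selector, address, amount):
    """Build sample calldata: selector + padded address + 32-byte amount."""
    return "0x" + selector + address[2:].rjust(64, "0") + format(amount, "064x")

TREASURY, TOKEN = "0x" + "11" * 20, "0x" + "22" * 20
COLD_WALLET, UNKNOWN = "0x" + "33" * 20, "0x" + "44" * 20
ALLOWED_PATHS = {(TREASURY, TOKEN, COLD_WALLET)}
TX_ROUTINE = {"from": TREASURY, "to": TOKEN, "data": encode("a9059cbb", COLD_WALLET, 5000)}
TX_PHISH = {"from": TREASURY, "to": TOKEN, "data": encode("095ea7b3", UNKNOWN, UNLIMITED)}

if __name__ == "__main__":
    for tx in (TX_ROUTINE, TX_PHISH):
        print(clear_sign_text(tx), "| allowed:", policy_allows(tx, ALLOWED_PATHS))
```

Both sample transactions have the same `to` (the token contract), so a policy that only inspected the outer `to`/`from` fields could not tell the routine transfer from the unlimited approval to an unknown spender; the decoded counterparty is what separates them.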
How institutions can start implementing clear signature
While it may seem like a daunting task, implementing plaintext signing is much simpler than it seems. Here’s how to get started:
Institutions should first audit their current security infrastructure. This involves identifying all points where blind signing occurs and understanding the existing workflow for transaction approvals. The assessment should highlight vulnerabilities, such as signing messages that are not understandable or lack domain controls, as well as inefficiencies in the current system that need to be addressed quickly.
Second, employees need to understand and embrace the new signing process seamlessly. Institutions need to educate their teams about the risks associated with blind signing and teach them to exercise caution, as hacks can often occur due to human error if, for example, an employee signs a malicious contract masquerading as a legitimate contract (this is where a policy engine also serves as a strong line of defense).
The goal is to make the elements of each transaction (the recipient, the amount, and the data) understandable to regular users trying to efficiently perform what should be a routine task. If a user can simulate a transaction before signing it, it can also help avoid potential scams.
Finally, institutions should adopt a zero-trust security model that operates on the principle of “never trust, always verify.” This way, every touchpoint of the transaction, as well as hard-coded access and transfer controls, can be continuously validated.
A further step would be to adopt a Zero Trust self-custody solution, in which the institution controls the assets and the policies that govern them without relying on a third party, which takes care of the clear signature. By using such platforms, institutions can have complete control over their keys, transaction policies and security measures, minimizing the risk of threats and allowing institutions to implement effective controls.
We must build a safer future today
The fight against hackers, scammers, and malicious actors will be long and arduous. But for the industry to have a chance, institutions must require that all signatures be in clear text to mitigate the very real risk of theft they face when transferring assets belonging to the company or its customers.
While clear signature may be out of reach in some cases (flash loans come to mind as an example, as they are executed very quickly), in the majority of cases it is available. All staking and smart contract interactions should therefore start using clear signature as soon as possible to ensure a safe environment for value transfer.
Sebastian Higgs is the COO and co-founder of Cordial Systems, a provider of institutional-grade self-custody software using a Zero Trust security model.