Ledger CTO warns crypto users about the dangers of 'blind signing'


“Don’t trust, verify,” says Charles Guillemet, the CTO of hardware wallet firm Ledger.


With the recent attack on OpenSea highlighting blockchain vulnerabilities, Charles Guillemet, the CTO of Ledger, warns users about “blind signing,” which he defines as “consenting a transaction to be signed blindly, without knowing what it means.”

In an interview with Cointelegraph, Guillemet broke down the problems and highlighted the issues with blind signing. The Ledger CTO notes that consenting to a transaction requires signing a message to be sent to the blockchain. A user is the only one capable of signing transactions with the private key, while others can verify whether the signature is correct. "The issue is that this message is not intelligible by default. It’s a digital payload," says Guillemet.

Guillemet also explained that when a coin transfer is signed, it’s usually supported by a wallet that “properly parses the payload and displays its intent.” However, when it comes to signing complex interactions with smart contracts, Guillemet says that “parsing the display is not always properly supported and you have no choice but consenting blindly for a transaction that you don’t understand.”
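To make the difference concrete, here is a small added example (not code from Ledger or from the article) of what “parsing the payload and displaying its intent” means for an EVM transaction: the decoder recognises the standard ERC-20 `transfer` and `approve` function selectors and renders a human-readable intent, and anything it cannot decode is flagged as requiring blind signing rather than being presented as understood. The sample calldata is constructed for the example.

```python
# Added example: a minimal "clear signing" decoder for EVM calldata.
# Payloads the wallet cannot explain are reported as blind=True so the
# signer knows the intent is unknown instead of assuming it is benign.

# 4-byte selectors (first 4 bytes of keccak256 of the ABI signature).
# These two are the standard ERC-20 selectors.
KNOWN_SELECTORS = {
    "a9059cbb": ("transfer", ["address", "uint256"]),
    "095ea7b3": ("approve", ["address", "uint256"]),
}

def _decode_word(word: bytes, abi_type: str) -> str:
    """Decode one 32-byte ABI word into its display form."""
    if abi_type == "address":
        return "0x" + word[12:].hex()          # address is the right-most 20 bytes
    if abi_type == "uint256":
        return str(int.from_bytes(word, "big"))
    raise ValueError(f"unsupported ABI type {abi_type}")

def describe_calldata(calldata_hex: str) -> dict:
    """Return the decoded intent, or blind=True when the payload is opaque."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    selector = data[:4].hex()
    body = data[4:]
    entry = KNOWN_SELECTORS.get(selector)
    if entry is None or len(body) != 32 * len(entry[1]):
        # Unknown function, or argument block of the wrong size:
        # the wallet cannot show what signing this would do.
        return {"blind": True, "selector": selector, "intent": None}
    name, types = entry
    args = [_decode_word(body[i * 32:(i + 1) * 32], t) for i, t in enumerate(types)]
    return {"blind": False, "selector": selector,
            "intent": f"{name}({', '.join(args)})", "function": name, "args": args}

# Constructed sample: transfer(0x1111..., 1000) encoded as selector + two 32-byte words.
SAMPLE_TRANSFER = (
    "0xa9059cbb"
    + "1111111111111111111111111111111111111111".rjust(64, "0")
    + hex(1000)[2:].rjust(64, "0")
)
# Constructed sample: an unrecognised selector followed by one argument word.
SAMPLE_OPAQUE = "0xdeadbeef" + "00" * 32

if __name__ == "__main__":
    for label, calldata in (("transfer", SAMPLE_TRANSFER), ("opaque", SAMPLE_OPAQUE)):
        result = describe_calldata(calldata)
        shown = result["intent"] if not result["blind"] else "BLIND SIGNING REQUIRED"
        print(f"{label}: {shown}")
```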

“It’s risky because you can think you’re signing a transaction to move part of your funds to address A while you actually sign a transaction to move all your funds to address B.”


The security expert also gave examples where blind signing led to significant losses. In the most recent OpenSea exploit, users encountered a phishing attack that resulted in the loss of $1.7 million worth of nonfungible tokens (NFTs). Guillemet notes that in this incident, the attackers tricked their victims into blind-signing a message that made them consent to sell all their NFTs for 0 ETH.

“The attacker had only to sign a transaction saying ‘I’m good to buy these NFTs for 0 ETH,’ and then presented these 2 messages to OpenSea to actually execute the transaction swapping 0 ETH against all the victims’ NFTs.”

When asked what he thinks is the solution to the issue of blind signing, Guillemet turned to an old crypto adage, “don’t trust, verify.” He tells crypto users to “always verify the transaction you consent to sign.” One suggestion that the security expert brought up is signing transactions using the trusted displays that can be found on hardware wallets.
