What is Blind Signing? How to Avoid and When to Enable Blind Signing?
How many times have you approved a cryptocurrency transaction without fully understanding the details?
Users may argue “never” because they know the CTA button they are clicking on. But buttons on a screen could easily mean one thing and perform another if the website is malicious.
Chances are most of us never really bothered to look through the transaction data/signing message because it is not essentially human-readable.
In a post on X, Ledger highlighted the drainage of over $600,000 worth of assets due to blind signing and has since transitioned to allowing only “clear signing” on a Ledger device.
This article will explain blind signing to absolute beginner cryptocurrency users so they can safely navigate uncharted crypto waters.
What is Blind Signing?
Blind signing refers to the practice of approving a smart contract transaction without having full knowledge of its details. This typically happens because smart contracts are too complex for most people to read and most crypto wallets are limited in their ability to present the signing message in a human-readable format.
“Blind signing transactions is like unsafe sex. It’s fine, until it isn’t. Giving all dApps the ability to offer Clear Signing with Ledger adds an important layer of security. To be secure with crypto you need a secure element to store and perform transactions, and you need to Clear Sign on a secure screen. Only Ledger can fulfill all the requirements, but without Clear Signing we are missing an important piece of the security stack.”
— Ian Rogers | Chief Experience Officer, Ledger
When you interact with a decentralized application (dApp) or platform, you might be asked to sign a transaction to authorize the dApp to access your wallet or perform specific actions with your assets.
In many cases, your wallet might not be able to show you the full details of the smart contract that governs the transaction. Therefore, you are essentially "blindly" signing the transaction, trusting that the dApp will act in your best interest.
Here’s an analogy.
When you transact on a blockchain, you’re essentially signing a smart contract — akin to a contractual agreement in the real world.
Like in the real world, this contract binds, once signed, binds you to any and all stipulations mentioned in the agreement.
How Cybercriminals Take Advantage of Blind Signing
Let’s look at a few ways in which cybercriminals take advantage of the blind signing vulnerability in cryptocurrency wallets.
Malicious Smart Contracts
Attackers create seemingly legitimate dApps that entice users to interact with them. When users attempt to use these dApps, they are presented with a transaction request that appears normal but actually triggers a malicious smart contract.
These malicious contracts often contain hidden functions that are not immediately obvious to the user. These functions could allow the attacker to drain the user's wallet, transfer their assets to another address, or perform other harmful actions.
Since most wallets don't display the full details of the smart contract, users blindly sign the transaction, unknowingly authorizing the malicious actions.
Man-in-the-Middle Attacks
Attackers intercept and modify transaction data on compromised networks, such as public Wi-Fi hotspots. They can insert malicious code into the transaction that gets executed when the user signs it.
Malware installed on a user's device can intercept and alter transaction data before it's sent to the wallet for signing.
Ice Phishing
This sophisticated phishing attack involves tricking users into signing a transaction that grants an attacker unlimited spending approval on their assets.
Due to the complexity of smart contracts, many users don't scrutinize every detail of a transaction.
They might sign, assuming it's a standard approval, only to realize later that they've given an attacker full control over their funds.
How to Avoid Blind Signing
The only way to avoid blind signing is to use a signing device that is fully air-gapped (cut off from the internet) and can present the signing message in a human-readable format through a trusted display.
Use A Trusted Display
Source: Ledger
“Trusted display” is a key aspect of blind signing because even if you were to sign a transaction contract on your laptop or phone, that is still a point of vulnerability as those screens are hackable (because they can be accessed remotely, say, via the internet) and the hacker could have changed the contents of the display. This would steer the user into signing a malicious transaction they think is legitimate.
Trusted displays are typically found in hardware crypto wallets, like Ledger, which rely on the security guarantees of the wallet’s secure element chip to minimize the attack surface and to ensure users only sign what they see on the display.
Simulate Transaction Before Signing
Source: Militereum
Simulating the transaction before signing it is another way to avoid blind signing.
When a user initiates a transaction on a dApp or platform, the simulation tool (like the browser extension offered by Militereum) intercepts the request.
The tool analyzes the underlying smart contract code associated with the transaction. This involves decoding the contract's functions, parameters, and potential execution paths.
Based on the analysis, the tool simulates the transaction in a sandboxed environment, predicting the potential changes to the user's wallet balance, token holdings, and any approvals granted to the smart contract.
Conclusion
In some cases, blind signing may be unavoidable. So, you have no option but to enable blind signing.
For example, in the case of a fast-paced transaction, like in flash loans, there may not be enough time to review the transaction thoroughly as the window of opportunity is very small. So, in such cases, you may have to decide for yourself whether or not to take that leap of faith.
However, it is strongly suggested that users follow adequate precautions and always clear sign (disable blind signing) wherever and whenever possible.
About the Author:
