Everything You Need To Know About Blind-Signing (2023 Guide)
βιντυ
0x29A4
January 12th, 2023

Can I be blunt with you?

Blind signing is the weak link in your DeFi security chain.

Do you agree? Well, you c

an disagree but before you do, let me share one truth.

If you sign transactions blindly, you must be ready to lose all your funds to some DeFi scammer. Too bogus a claim?

Sit with me; let me walk you through the concept of blind signing.

What is Blind Signing?

Hands over the eyes of a young girl
Hands over the eyes of a young girl

You'd agree with me that we sign a contract to seal an agreement? Before signing such a contract, it is essential to read the contract's content before giving away your granny's life's work to a random dude.

In the same vein as traditional contracts, blockchain contracts require you to tender a digital signature before any transaction is conducted.

However, sometimes you trust someone so much that you don't read the contract's content. For instance, your lawyer briefs you about an opportunity, then brings out a contract, asking for your signature to implement the agreement therein. Because it is your lawyer, you may not object to giving your signature. That is blind signing.

Blind signing (in Web3) is a process by which blockchain users append their digital signature to a smart contract transaction without knowing its content.

There are many reasons a user may not be able to read the content of a transaction. One such reason is the size of their screen. The user only gets to read the most basic information about the transaction. Other times, the user is not technical. They can't read the code used in that contract.

Sadly, many people lose their tokens—NFTs and Crypto—through blind signing.  A quick search of the phrases "wallet drained" and "wallet hacked" on Twitter will reveal several unfortunate cases of people who lost their funds. But how so? Many of these cases can be attributed to blind signing.

You may ask, how does it happen?

The Process of Blind Signing?

In traditional finance, the contract has to be written in a language you understand. Because it is written in a known language, the onus is on you to read the contract before signing. But can we say the same for decentralized finance contracts? No, it is not the same.

The process is entirely different. Smart contracts are codes. Hence, incomprehensible to a non-technical person. They only see what is available on their DApps' interface (which can be manipulated).

These DApps are built with an intuitive interface to help users interact with the blockchain and carry out blockchain transactions.Usually, a user logs into a DApp protocol, sees an activity, engages with it, and signs the transaction. Immediately, the user appends their signature and consents to the call contract.

Let's show that process in the infographic below:

Infographic on the process of blind signing
Infographic on the process of blind signing

With the infographic above, it is clear that if you are signing any blockchain transaction using your computer or phone screen, you are blind signing. Technically, you can only see the tiny information the DApp sends to your non-custodial wallet. You trust the DApp's smart contract not to be harmful and do all you understand it will do.

Hence, when you sign such a transaction, you are blind signing—based on trust.

Many have claimed that using a ledger wallet is better for blind signing. But is this true? Does it mean that you can enable blind signing on your Ledger wallet?

Should You Enable Blind Signing on Ledger?

Blind signing is mandatory if you use a ledger to sign transactions from external DApps. So, you may ask, "should I enable blind signing on the ledger? "

That's up to you. As I've explained earlier, blind signing involves trusting the DApp and its smart contracts. When you enable blind signing on your device, you permit the wallet to sign a transaction, even without the full details of the smart contract. Hence, you are only trusting the contract but not verifying it.

So, back to the question, should you enable blind signing on Ledger? Yes, you should. The only way to get done with transactions is by using the ledger's live DApp.

Sounds like too much risk? Of course, it is! Let's discuss the risks attached to blind signing.

Risks of Blind Signing? (Reported Cases of Blind Signing)

It is not unknown that blind signing is complicated, with various risks attached to it.

It begins with signing a contract/ transaction you don't understand fully. Hackers often leverage this human error to trick users and drain funds in wallets.

Another risk is that the blinding factor can link a series of signatures to a single signer, compromising the signer's anonymity. CEOs or people in charge of finance in companies often fall prey to this risk.

One of the prominent victims of blind signing is Hugh Karp, the founder of Nexus Mutual, an insurance company. On the 14th of December, 2020. He got tricked into signing a malicious contract.

According to reports, the hacker got remote access to Hugh's computer and updated the MetaMask extension, tricking him into signing a different transaction that transferred funds to the hacker's address, resulting in the theft of $8 million in cryptocurrency.

You can read the full story of how it happened on Hugh Karp's Medium account.

Another unforgettable case of blind signing is that of OpenSea—a trusted protocol. Hackers stole about $1.7 million worth of assets within three hours. It was more or less a Carte Blanche. How so?

The hackers sent half of a valid Wyvern order to targets, and the unknowing targets signed it. So, all the hackers had to do was complete the remaining transaction with their own smart contract. Interesting? Only when you hear that before the attack, OpenSea had instructed users to migrate all listed NFT assets from Ethereum to a new contract. So, an opportunity for attackers to use a phishing scam on users— as analysts claim.

The OpenSea scenario shows that you could still be at risk even when you trust the protocol. So, how do you protect yourself from these risks?

How To Prevent Getting Wallet Drains through Digital Signing?

You already know that just approving a transaction can leave you losing all your funds. But how can you secure your funds?

With a few tips, you'll learn how.

1- Set up a Degen Wallet

If you actively engage with DeFi applications, you can't risk not setting up a degen wallet. A degen wallet is a separate wallet for signing smart contracts and interacting on protocols. This wallet should not be used for storing funds. Why? Any wrong contract you interact with can wipe out your total funds.

Tip: Some Metamask users often add a new account without generating mnemonic phrases. It is easy to generate multiple wallet address with this pattern. However, it also makes all the accounts susceptible to attacks, as a blow to one is a blow to all. So, creating a new wallet address with unique keys is better.

2- Always Verify

As mentioned earlier, blind signing is based on trust. Hence, it is non-debatable to research a protocol before you blind sign. As Ledger's academy put it,' The Gatekeeper is You.' Some key things you can do to gatekeep your wallet include:

  • Verifying links. Check the link properly, as web3 scammers commonly use phishing links.

  • Avoid interacting with random links sent through DMs—Twitter, Discord, anywhere. As much as possible, only interact with reputable brands. Ensure that their information is public and authentic.

  • Your private keys should remain private. Keep your mnemonic phrases private.

  • Be wary of random crypto tokens in your wallet.

Always verify and do your research (DYOR) before trusting.

3- Ledger's Clear Signing

The ledger hardware wallet has enabled their app to allow users to read and display smart contract information. You can view integrated DApps. It can also be used to display other DApps not integrated. See this transaction on Paraswap below.

Ledger
Ledger

4- Tools for Blind Signature

As problems persist, so do innovations. Certain products have sprung up to tackle the issues of blind signing. They include;

1. Keystone

Keystone is an hardware device that prevents users from getting their wallets drained through blind signing. Keystone is displayed on a 4" screen to give a complete transaction view. It also helps users verify smart contract addresses and smart contract functions.

With these features, users can quickly verify if they got the right transaction call and if it's meant for a specific purpose.

Keystone's screen
Keystone's screen

2. Forta

Forta
Forta

Forta is a decentralized network of nodes that verify and detect smart contracts for threats. They help users keep track of the health of smart contracts by sending timely reports. It also aids in uncovering every anomaly in blockchain transactions.

3. DeFirewall by Redefine

DeFirewall
DeFirewall

DeFirewall is one of the products of Redefine. Like its name, it is a decentralized firewall. DeFirewall conducts a risk assessment on every on-chain transaction, helping you make informed decisions before signing.

Tips for Blind Signing
Tips for Blind Signing

Conclusion

Blind signing remains one of the ways by which hackers drain funds from the wallets of individuals and protocols. The rate of hackers using blind signing will not reduce anytime soon. Hence,  just like you wouldn't sign traditional contracts with casual people in the real world, don’t try it online. So, keep yourself safe by using appropriate security precautions.

If you gained new information from this piece, kindly hit the subscribe button below.

Subscribe to βιντυ
Receive the latest updates directly to your inbox.
Mint this entry as an NFT to add it to your collection.
Verification
This entry has been permanently stored onchain and signed by its creator.
Arweave Transaction
vM6bSQbm7rkczc6…B2AjEFK02oKw9XQ
Author Address
0x29A43CEC74995a9…0a09DAeb28853b7
Content Digest
vPVCsBXf_hTspR0…xeCXsiemju6BsKY