Be wary of the eth_sign blind signature scam: introduction, methods, and prevention

Beware of eth_sign blind signature scam: overview, methods, and prevention

Recently, we have noticed an abnormal activity of the eth_sign blind signature scam, where many users were induced to sign seemingly harmless eth_sign signatures on unknown websites, resulting in their assets disappearing from their wallets. To better understand how this scam works, we need to explain what eth_sign signature is first.

What is eth_sign signature

In Ethereum, eth_sign is a widely-used signing method that allows users to sign a message using their private key. This signing mechanism is a core part of blockchain transactions, as it can prove that a specific account is the initiator of a transaction. Simply put, it’s like signing your name on a piece of paper to prove that you agree with or support the content on the paper.

However, there is a problem that people often overlook in the use of eth_sign, which is that it is often referred to as “blind signature”. This is because when you use eth_sign to sign a message, you may not fully know what you are signing, and you cannot check what the signature represents in reverse. This is because the input of eth_sign is raw characters, not a human-readable format. It’s like signing a contract written in a language you can’t understand, which is why it’s called “blind signature”.

• WOO X responded that all accusations of misappropriation of assets and insolvency are false information that can be verified through public data.
• Decoding a16z Fundraising Deck: Why is the gaming industry worth doubling down on?
• Hotbit suddenly announced its closure. Is it a reshuffle in the industry or a trend?

Common scam methods

With an understanding of eth_sign signatures and blind signatures, we can delve into the potential risks of eth_sign and how to prevent such blind signature scams.

Because eth_sign can be used to sign any type of message, including instructions for transactions and smart contracts, malicious third parties may induce you to sign a message that you do not fully understand, resulting in your assets being transferred to their account. Worse yet, they may give you a seemingly harmless message to sign, but in reality, this message may be an operational instruction, and once you sign it, your assets will be transferred to their account.

In the face of this situation, how should we prevent it? To address this type of scam, the new version of imToken has upgraded its risk control system. When a user accesses a third-party DApp to call eth_sign to sign a message, imToken will provide a risk warning pop-up window, reminding the user that the current transaction may have potential risks, and start a 15-second countdown cooldown. This setting is designed to give users enough time to evaluate the necessity and security of the signature operation.

△ imToken risk warning popup

Security Reminder

The imToken security team reminds everyone:

• Be vigilant about all requests that require the use of eth_sign for signature, especially those from unknown or untrusted sources. If there is any doubt about the authenticity or purpose of a request, do not sign it lightly.
• Ensure that the message or transaction request being processed comes from a trusted source, such as an official website, official social media, or a verified communication channel. Do not trust links, emails, or private messages from unknown sources.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!