{"id":411690,"date":"2022-03-03T14:33:37","date_gmt":"2022-03-03T11:33:37","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/ledger-cto-warns-crypto-users-about-the-dangers-of-blind-signing\/"},"modified":"2022-03-03T14:33:37","modified_gmt":"2022-03-03T11:33:37","slug":"ledger-cto-warns-crypto-users-about-the-dangers-of-blind-signing","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/ledger-cto-warns-crypto-users-about-the-dangers-of-blind-signing\/","title":{"rendered":"# Ledger CTO warns crypto users about the dangers of &#8216;blind signing&#8217;"},"content":{"rendered":"<p>&#8220;<strong># Ledger CTO warns crypto users about the dangers of &#8216;blind signing&#8217; <\/strong>&#8221;<br \/>\n<img decoding=\"async\" src=\"https:\/\/images.cointelegraph.com\/images\/840_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjItMDMvODI1YjJkMzEtNjM3ZS00YTE4LWI4ODAtOGQwYjEzM2FmMjk4LmpwZw==.jpg\" \/><\/p>\n<div class=\"post-content\" data-v-128018ef>With the recent attack on OpenSea highlighting blockchain vulnerabilities, Charles Guillemet, the CTO of Ledger, warns users about \u201cblind signing,\u201d which he defines as \u201cconsenting a transaction to be signed blindly, without understanding what it means.\u201d\u00a0<\/p>\n<p>In an interview with Cointelegraph, Guillemet broke down the problems and highlighted issues with blind signing. The Ledger CTO notes that consenting to transactions requires signing a message to be sent to the blockchain. A user is the only one capable of signing transactions with the private key, while others can verify if it&#8217;s correct. &#8220;The issue is that this message is not intelligible by default. 
It\u2019s a digital payload,&#8221; says Guillemet.<\/p>\n<p>Guillemet also explained that when a coin transfer is signed, it\u2019s normally supported by a wallet that \u201cproperly parses the payload and displays its intent.\u201d However, when it comes to signing complex interactions with smart contracts, Guillemet says that \u201cparsing the display is not always properly supported and you have no choice but consenting blindly for a transaction that you don\u2019t understand.\u201d<\/p>\n<blockquote><p>\u201cIt\u2019s risky because you can think you\u2019re signing a transaction to move part of your funds to address A while you actually sign a transaction to move all your funds to address B.\u201d<\/p><\/blockquote>\n<p>The security expert also gave examples where blind signing led to significant losses. In the most recent OpenSea exploit, users encountered a phishing attack that resulted in the loss of $1.7 million worth of nonfungible tokens (NFTs). 
Guillemet notes that in this incident, the attackers tricked their victims into blind-signing a message that made them consent to sell all their NFTs for 0 ETH.<\/p>\n<blockquote><p>\u201cThe attacker had only to sign a transaction saying \u2018I\u2019m ok to buy these NFTs for 0 ETH,\u2019 and then presented these two messages to OpenSea to actually execute the transaction swapping 0 ETH against all the victims\u2019 NFTs.\u201d<\/p><\/blockquote>\n<p>When asked what he thinks is the solution to the issue of blind signing, Guillemet turned to an old crypto adage, \u201cdon\u2019t trust, verify.\u201d He tells crypto users to \u201calways verify the transaction you consent to sign.\u201d One suggestion that the security expert brought up is signing transactions using trusted displays that can be found on hardware wallets.<\/p>\n<p><template data-name=\"subscription_form\" data-type=\"nifty_newsletter\"><\/template><\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/cointelegraph.com\/news\/ledger-cto-warns-crypto-users-about-the-dangers-of-blind-signing\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;# Ledger CTO warns crypto users about the dangers of &#8216;blind signing&#8217; &#8221; With the recent attack on OpenSea highlighting blockchain vulnerabilities, Charles Guillemet, the CTO of Ledger warns users about \u201cblind signing\u201d which he defines as \u201cconsenting a transaction to be signed blindly, without understanding what it means.\u201d\u00a0 In an interview with Cointelegraph, 
Guillemet&#8230;<\/p>\n","protected":false},"author":1,"featured_media":411691,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/images.cointelegraph.com\/images\/1200_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjItMDMvODI1YjJkMzEtNjM3ZS00YTE4LWI4ODAtOGQwYjEzM2FmMjk4LmpwZw==.jpg","fifu_image_alt":"","footnotes":""},"categories":[1],"tags":[74894,75189,95118,74880,23147,72287],"class_list":["post-411690","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-blockchain","tag-ledger","tag-nft","tag-transactions","tag-interview","tag-security"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/411690","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=411690"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/411690\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/411691"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=411690"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=411690"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=411690"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}