Blind signing is possibly one of the biggest threats to institutional security that we’ve ever allowed on the blockchain. According to Scamsniffer, a total of $314 million was illegally obtained by phishing signatures in just the first half of 2024. Additionally, $295 million was stolen last year via phishing and front-end attacks. A lot of this could have been avoided if clear signing had been used instead.
It’s time for institutions to make the shift. Clear signing is the best way to protect customer assets and put in place a truly robust risk management strategy to avoid not only financial loss but also erosion in customer trust.
What Is Blind Signing and Why Is It Failing Institutions?
Blind signing is a process of approving transactions without seeing the full context or content, making those transactions susceptible to phishing scams and malicious attacks. Here’s how it works: institutions interact with decentralized applications (dApps), smart contracts, or some staking transactions, and when a transaction is initiated, users are prompted to sign it through their digital wallet interface. However, a lot of wallets don’t do the hard work of presenting the signing message in a human-readable format; instead, users see code that is hard to interpret or make sense of.
Hiding the exact details of the transaction leads users to approve them without actually knowing what they are authorizing — hence the term “blind signing.”
While the crypto industry has in a way, internalized this risk as an expected part of the process, the outcome of countless users’ funds being drained will result in a disaster for institutions. This is why every wallet provider should have a timeline for moving to only support clear signing, and every institution should demand clear signing from their wallet provider.
Examples of Blind Signing Attacks
One recent example is the attack on WazirX, an Indian cryptocurrency exchange. Even a multi-signature wallet couldn’t withstand hacker attacks, with hackers phishing their way into obtaining two of the four signatures necessary to gain full access.
They then upgraded the wallet to a malicious contract, draining $230 million in various cryptocurrencies, most notably Ethereum, Solana, and DOGE. Ultimately, WazirX distributed the losses among its users, which led to instant outrage and an erosion of trust.
Meanwhile, in March 2021, Cream Finance, a decentralized lending protocol, fell victim to a DNS hijacking attack. The attackers compromised Cream Finance’s front-end interface, redirecting users to a fraudulent website that mimicked the real platform.
Read more: 5 Security Measures Crypto Investors Should Take in Bull Markets
Users visiting the compromised Cream Finance site were prompted to connect their wallets and sign transactions. The malicious interface requested blind signing of transactions that, unbeknownst to the users, transferred their funds to the attacker’s address. This attack led to the theft of approximately $37.5 million in cryptocurrency.
These are only a few examples showcasing the weaknesses of blind signing, which begs the question of what can we do to better protect exchanges, institutions, and everyday crypto users?
Clear Signing to the Rescue
Clear signing, in contrast to blind signing, ensures that users can review and verify all transaction details before approval. This process provides transparency and security, allowing users to understand what they are signing in a human-readable format.
There are three key areas where clear signing clearly outperforms the blind process:
-
- Nothing is out of sight. Users can see the exact details of the transaction, including the recipient, amount, and any associated data.
- It’s easier to spot scams. By reviewing transaction details, users can identify and reject suspicious activities. Or better yet, the policy engine — which includes rules governing transaction policies, key share generation process, backup and recovery, database of audit logs, and account level changes — of the wallet can do this. This reduces the risk of phishing and other malicious attacks.
- Human error is greatly reduced. By empowering users to make informed decisions, clear signing minimizes the risk of human error, which is a common factor in security breaches.
Clear signing is particularly crucial for institutions and large asset holders whose actions often cause a ripple effect that echoes through the entire DeFi industry.
Read more: Front-end Domains of Over 100 Crypto Projects Are at Risk of Attack via Squarespace
Implementing clear signing also involves upgrading the technological infrastructure to support a higher level of transparency. This includes integrating advanced capabilities into user interfaces that present transaction details clearly and understandably. Additionally, institutions need to ensure that their security protocols enforce clear signing, making it a mandatory step in the transaction process.
It’s worth noting that a granular policy engine can provide another line of defense against attacks. Such an engine’s role is to whitelist certain paths and deny-by-default anything out of the approved “to-from” path, rather than doing simple velocity limits or risk budgeting for a given wallet.
How Institutions Can Start Implementing Clear Signing
While it may seem like a tall order, beginning to implement clear signing is a lot simpler than it seems. Here’s how to start:
First, institutions need to audit their current security infrastructure. This includes identifying all points where blind signing occurs and understanding the existing workflow for transaction approvals. The assessment should highlight vulnerabilities, such as signature messages that are not understandable or lack domain checks, as well as inefficiencies in the current system that need to be addressed promptly.
Second, employees need to understand and get on board with the new process of clear signing. Institutions should educate their teams about the risks associated with blind signing and how to be cautious, because hacks can often happen due to human error if, for example, an employee signs on a malicious contract pretending to be a legitimate one (this is where a policy engine also serves as a solid line of defense).
The goal is to have each transaction’s elements — recipient, amount, and data — be understandable to regular users who are trying to efficiently perform what should be a routine task. If a user can simulate a transaction before signing it, this can also help to avoid potential scams.
Finally, institutions should adopt a zero-trust security model that operates on the principle of “never trust, always verify.” This way, every touchpoint of the transaction, along with hardcoding access and transfer controls, can be continuously validated,
A step further would be to adopt a Zero-Trust self-custody solution, in which the institution controls the assets and policies governing them with no reliance on a third party, that supports clear signing. By using such platforms, institutions can have full control over their keys, transaction policies, and security measures, thereby minimizing the risk of threat and allowing institutions to set up effective controls.
We Need to Build a Safer Future Starting Today
The battle against hackers, scammers, and malicious actors will be long and arduous. But for the industry to stand a chance, institutions need to demand that all signatures be clear signing only to mitigate the very real risk of theft that they face in moving firm or client-owned assets.
While clear signing may be out of reach in some cases (flash loans come to mind as one example, since they are executed so quickly), in the majority of instances, it is available. All staking and smart contract interactions should thus begin using clear signing as soon as possible in order to ensure a safe environment for value transfer.
Sebastian Higgs is the COO & co-founder of Cordial Systems, a provider of institutional-grade self custody software using a Zero Trust security model.
