Recently, we've observed a rampant increase in eth_sign blind signing scams. Many individuals have been baited into signing seemingly safe eth_sign signatures on dubious websites, resulting in loss of funds. To ensure a better understanding of how this scam works, it is essential first to explain the true nature of eth_sign signatures.
In the Ethereum ecosystem, eth_sign is a common signature method. It allows users to sign a message using their private keys - a cornerstone of blockchain transactions, as it attests to a specific account initiating a transaction. Simply put, it’s like signing a document, therefore agreeing to or supporting its contents.
However, the commonly overlooked issue with eth_sign is its notorious byname - 'blind signing.' This term stems from the fact that when signing a message with eth_sign, you may not fully comprehend what you're endorsing, nor can you retrospectively verify the signature's actual content. The eth_sign inputs are in a raw character format, not easily readable by humans. It's akin to signing a contract written in indecipherable language, hence the term 'blind signing.'
Upon understanding the concepts of eth_sign signatures and blind signing, we can delve into eth_sign's potential risks and how to prevent them. Since eth_sign signatures are used to endorse all types of messages, including transactions and smart contract instructions, a malicious third party can trick you into signing a message you don't fully understand, transferring your funds to their account. Even worse, they might present an apparently harmless message for you to sign. In reality, this message could be a transfer order, and signing it would result in token loss.
In its latest version, imToken has completely redesigned the signing experience and implemented more robust measures to counter such scams. When you sign transactions of this kind, the system identifies them as "eth_sign" signatures and warns about the potential risks associated with the transaction.
The imToken security team has your back – read their expert advice to protect your tokens:
- Remain vigilant about all requests demanding eth_sign signatures, particularly those from unknown or untrustworthy origins. If there's any suspicion about the authenticity or intent of the request, please refrain from signing it hastily.
- Ensure the messages or transaction requests you sign originate from reliable sources, such as official websites, social media, or verified communication channels. Never trust unverified links, emails, or private messages.