Blind Signing Scams and Crypto Wallets

Patrick Dike-Ndulue

Blind signing scams remain prevalent in decentralized finance today. In this exploit, scammers deploy deceptive smart contracts that drain assets from crypto wallet users who approve transactions they cannot fully read. But why is it called blind signing, and how can you avoid these exploits?
 

Smart contracts and blind signatures

Smart contracts are the building blocks of many dApps, NFTs, and DeFi sectors. Suppose you wish to stake your cryptocurrency in a liquidity pool to earn a monthly yield. The liquidity protocol operates through smart contracts, which require access to the tokens in your wallet. Therefore, you need to grant their smart contracts access to your tokens.
 

When you sign this approval transaction with your hardware wallet's private key, it implies you agree with the smart contract’s terms and conditions and fully trust its code.
 

In this context, blind signing means giving a smart contract access to the tokens in your wallet without knowing the contract's full details. In traditional finance, signing a contract implies understanding and agreeing to its terms. So, you can think of blind signing as signing a paper contract without fully reading its terms and conditions.
 

What if the smart contract does not provide its full information during signing?


Crypto wallets often struggle to display important information due to the complex code in smart contracts. These contracts usually contain crucial contract details that cannot be easily extracted and presented in a language that users can understand.

 

Initially designed for simple blockchain transactions, hardware wallets now allow users to interact with complex smart contracts for DeFi through protocols such as WalletConnect. However, these protocols may not always present information in an easy-to-understand manner.
 
This can lead to situations where you have to sign transactions in good faith without a definitive guarantee of their contents.
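The approval transaction described above is the usual target of a blind-signing scam: the wallet shows an opaque blob of calldata, and the user cannot tell whether it grants a capped allowance or unlimited control over a token. As an added example (not Tangem's code), the Python below decodes the calldata of a standard ERC-20 approve(address,uint256) or ERC-721 setApprovalForAll(address,bool) call and flags the dangerous cases; the spender address is a constructed placeholder, and the three function selectors are the well-known public ones.

```python
# Added example (not Tangem's code): decode token-approval calldata so the
# user is not signing it blind. Assumes standard ERC-20 / ERC-721 ABI
# encodings; the spender address used below is a constructed placeholder.

UINT256_MAX = 2**256 - 1

# 4-byte function selectors: first 4 bytes of keccak256 of the signature.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "a9059cbb": "transfer(address,uint256)",
}

def decode_calldata(calldata_hex: str) -> dict:
    """Return the function name, decoded arguments and a risk warning."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a function selector")
    name = SELECTORS.get(data[:4].hex())
    if name is None:
        # Unknown selector: exactly the situation in which a wallet can only
        # show a hex blob and the user would be signing blind.
        return {"function": None, "warning": "unknown function; do not sign blind"}
    words = [data[4 + 32 * i: 36 + 32 * i] for i in range((len(data) - 4) // 32)]
    if len(words) != 2:
        raise ValueError("unexpected argument count")
    target = "0x" + words[0][12:].hex()  # addresses are right-aligned in 32 bytes
    value = int.from_bytes(words[1], "big")
    result = {"function": name, "target": target, "value": value, "warning": None}
    if name.startswith("approve") and value == UINT256_MAX:
        result["warning"] = "unlimited allowance: spender can drain the whole balance"
    elif name.startswith("setApprovalForAll") and value == 1:
        result["warning"] = "operator gains control of every token in the collection"
    return result

def encode_approve(spender: str, amount: int) -> str:
    """Build approve() calldata the way a dApp would (used to construct samples)."""
    return ("0x095ea7b3" + spender.removeprefix("0x").rjust(64, "0")
            + amount.to_bytes(32, "big").hex())

if __name__ == "__main__":
    SPENDER = "0x" + "ab" * 20  # constructed placeholder address
    for amount in (1000 * 10**18, UINT256_MAX):
        print(decode_calldata(encode_approve(SPENDER, amount)))
```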
 

Does a trusted display prevent blind signing scams?

Some might argue that using a trusted display wallet reduces the risk of falling for blind-signing scams. In other words, a trusted display shows the user exactly what they’re signing.
 

A trusted display is a digital display that shows verified and authentic information, ensuring the presented information is accurate, reliable, and secure.


Here is the key question: can a trusted display present information that is simply not there? Such displays inherit the inherent drawback of any hardware wallet: smart contract code can be too complex to decode. In addition, these displays can only show you whatever information the wallet's chip can parse or decode from the smart contract, making them not so different from your mobile phone's screen.
 

Unlike your mobile phone, which is one of the millions manufactured for various users, crypto wallets with “trusted displays” can be targeted and compromised by supply chain attacks—e.g., by replacing or reprogramming a non-secure chip inside the wallet.
 

How Tangem works around this issue

One critical advantage of Tangem Wallet over other hardware wallets is its durability. Our wallet has been subjected to ridiculous tests, including freezing, burning, gunfire, and the hydraulic press, yet it has remained functional. After all, the crypto space is in its Wild West phase — if you decide to be your own bank, you must ensure your vault is not easily broken into.
 

Adding a “trusted display” directly to the Tangem card poses a great risk to its reliability and security. These additional components often lack security certifications and might be prone to external influences, increasing the likelihood of failure. For instance, a supply chain attack could involve hackers substituting a genuine wallet display with a compromised counterfeit display.

The absence of a built-in display also offers Tangem Wallet users several advantages:

  • A minimum service life of 25 years; 
  • Full IP69K waterproof and dustproof;
  • Extreme temperature resistance;
  • Lightweight, similar to a bank card. 

99% of attacks on wallet users aim to obtain seed phrases, private keys, or signatures without user authorization. Tangem offers the best possible protection against all of these attack vectors.
 

What if a fake Tangem app gets into the app stores?

How can you trust the Tangem app to show you the correct information if your smartphone is compromised? 

Unlike web apps, desktop platforms, and browser extensions, compromising client-side mobile apps and/or device firmware en masse is impossible. No known mobile malware can exploit apps like Tangem with a robust security architecture. 


Mobile devices are 100% safe if bought from trusted vendors. Install official apps, and don't jailbreak the OS.  

Reminder: Your private keys are stored on the card, which is not connected to the internet.

 

What if the smartphone's OS is compromised?

While Tangem doesn't control the underlying operating system—iOS or Android—we can vouch for the Tangem app and cards. It’s theoretically impossible to inject malicious code into the Tangem app or create a fake Tangem card. The Tangem app can function on an infected device, but we don’t recommend using it on one. Maintaining a secure environment is important for optimal protection.
 

What about keyloggers as an attack vector?

Keyloggers are malicious software that record and monitor keystrokes on a computer or mobile device. Their primary purpose is to capture sensitive information such as usernames, passwords, credit card numbers, and other personal data users enter.
 

When you generate seed phrases in the Tangem wallet, the app displays the seed on your smartphone and instructs you to write it down. Once written, the app prompts you to confirm by tapping the correct seed words. In conclusion, keyloggers are not a real threat here.

 

Don't forget to regularly run antivirus scans on your phone! Stay vigilant for any signs of malware, like a rapidly draining battery, a warm device, sluggish performance, or apps opening unexpectedly.
 

How to avoid blind signing scams

You can avoid becoming a victim of blind signing scams by taking the following measures:

  • Avoid interacting with unfamiliar decentralized applications.
     
  • Always do your own research and verify any project online. 
     
  • Avoid interacting with direct messages on social media, especially when a project’s “team member” contacts you.
     
  • Don't click on links from unknown sources.
     
  • Don't experiment with your smartphone’s OS by jailbreaking it.
     
  • Do not enter your seed phrase (if any) anywhere or reveal it to anyone.

Self-custody means you control your private keys; therefore, you are the last line of defense for your crypto assets, and your judgment is essential.
 

Final thoughts

At Tangem, we take great care in ensuring the security of our app development and deployment processes. This is the foundation of our product and reputation, and we take it seriously. We guarantee that no malicious code will be included in the final version of our app. For those who wish to verify this, you can always check the latest code on GitHub and build the app yourself.

Author: Patrick Dike-Ndulue

Senior editor covering crypto, onchain equities, and technology.

Reviewed by: Denis Baturin

Blockchain analyst and team lead at Tangem.