Cover photo

Enhance your crypto security by avoiding blind signing

It's widely acknowledged that security is crucial when dealing with blockchain. You may already know what a private key is and how to keep it safe from being stolen or lost. But crypto is not just about having your key safe. It’s also about how you are using it day-to-day - how you sign transactions and messages. If you are doing it wrong, having a private key or a seed phrase securely stored means nothing and your all life savings stored on blockchain might disappear one day like a “house of cards”.

Do not let your crypto fortress be built out of game cards! Make it build of stones!
Do not let your crypto fortress be built out of game cards! Make it build of stones!

In this post, I would like to try to familiarize yourself with the Blowfish extension. It might help you to stay away from one of the most common problems called "blind signing".

Problem of blind signing

Even when you feel safe because you are using your hardware wallet and you are no longer worried of exposing your private key anyway, you are still a danger of being a victim of another beast - blind signing.

Bind signing refers to the act of signing a transaction without fully understanding its contents. This can be risky because it opens up the possibility for hackers to deceive users into signing harmful transactions that might lead to funds being lost, even though user is having a perception to do things that are 100% safe. Even when a user is presented with a consent prompt before making a transaction in his wallet (like in a MetaMask), it is common for the transaction to be accepted without proper verification.

A transaction to deposit ETH into the WETH contract. Probably it does not say much to a user of what happens with his assets… Have you ever wondered what those hexes and functions actually mean?
A transaction to deposit ETH into the WETH contract. Probably it does not say much to a user of what happens with his assets… Have you ever wondered what those hexes and functions actually mean?

I do not want to say that you have to worry about going into every detail of a transaction and spend hours verifying each and every line of Solidity smart contract that you interact with. Do not get crazy! Be pragmatic but always do your own research as best as possible! At the end you and I have limited time and capabilities, we are not experts in everything. Even when we are using a hardware wallet (which is great anyway), this does not guarantee us to be safe when transacting on-chain. Blind signing can result in substantial losses, as attackers can deceive victims into unknowingly consenting to transfer out all their assets like tokens or precious NFTs. To address the issue of blind signing, the solution is to adopt a "don't trust, verify" approach. You might say: nice “big words” and “I have already heard about it”, but “how to stay away of making a mistake and do not fall into signing a wrong transaction”? I will show you one of the approaches to avoid blind signing in a practical way.

Blowfish extension for a rescue

Let's explore if there are any methods to protect ourselves. There is a useful Chromium extension called Blowfish. While you should never fully trust any creator of any extension, it's more practical to utilize tools that increase your chances of staying safe rather than exposing yourself to potential risks. Anyway, when signing transactions with this extension enabled, you don't replace any of your habits - instead, you enhance the security by adding an extra layer of protection.

https://blowfish.xyz/

Why Blowfish could be considered safe to use:

  • it supports 10+ chains (eg. Ethereum, Optimism, Arbitrum One, Polygon, Solana and more)

  • it is backed by big names in a crypto space such as Uniswap and Paradigm

The way it operates is by verifying if the contract you are engaging with, is not listed in its database of untrustworthy contracts. It decodes the transaction information to a human readable format (if contract’s source code is available) and displays a user-friendly page explaining the asset movements (shows the simulation of what is going to be sent and received). At the end it is evaluating the transaction with a risk score.

Take a look below of what is presented to a user when a low risk transaction is to occur:

A transaction of wrapping ETH to WETH is a low risk transaction. Extension presents every detail of transaction to be signed in MetaMask and in addition shows what is being send and received in it.
A transaction of wrapping ETH to WETH is a low risk transaction. Extension presents every detail of transaction to be signed in MetaMask and in addition shows what is being send and received in it.

Interacting with a malicious contract in action

Let me now demonstrate what happens when you try to sign a malicious transaction. The best part is that Blowfish gives you clear feedback through a pop-up that is hard to miss. This serves as an important precautionary measure to prevent you from signing a transaction that could potentially lead to the loss of your entire life savings, even if you are distracted - something that should never happen to you! Better not interact with anything on-chain if you are distracted!

Imagine: You are tired after work, but it's an airdrop season in a bull market. You do not want to skip a "precious" airdrop, and there is not much time left to claim tokens since you have just realized it from an ad on social media! Actually, this is a 3-minute window that you can claim tokens, and it closes soon. “Lot’s of red flags” - you think… Maybe it’s worth a try anyway… What could go wrong… But are those 3 minutes worth risking your cryptocurrency? That is what Blowfish is created for.

First prompt is so obvious that probably even if you "clicked a link you should not have", you will realize there is something wrong about it before proceeding. In the picture, the website tries to impersonate collab.land verification.
First prompt is so obvious that probably even if you "clicked a link you should not have", you will realize there is something wrong about it before proceeding. In the picture, the website tries to impersonate collab.land verification.
If you ignore the previous message, you will still be able to review what the potentially malicious transaction wants to do. In this case the contracts tries to steal NFTs from our wallet.
If you ignore the previous message, you will still be able to review what the potentially malicious transaction wants to do. In this case the contracts tries to steal NFTs from our wallet.

If you liked what you have just learned, or even better, if you actually decided to use Blowfish to protect yourself, please consider claiming this free NFT (only gas cost and fee of few cents thanks to L2). It will show me that such topics matter and you want more of such content.

Wrap up

I would strongly suggest using this extension as it provides an extra level of security before the transaction is even sent to MetaMask for final approval. We are humans, we make mistakes. Let’s add a few more steps to ensure we are signing the right things with our private keys. While using Blowfish cannot make you a light-hearted person (always be vigilant no matter the tools you use), I cannot stress enough how crucial it is for anyone to protect against blind signing. There are hardware wallets like Keystone which provide even more security against those kinds of threats, but why not use software solutions as well? The easier it is to sign a transaction, the higher the time pressure and emotions are around, the higher the risk of falling into being a victim of a scam.

It's important to prioritize securing and educating yourself as early as possible to prevent or minimize losses. The world of cryptocurrency can be unpredictable. "We are at the frontier we head west. We can always lose what we put in," as the Bankless podcast hosts often emphasize. However, be prepared! Get ready and explore the cryptospace, because this is an exciting journey where you can gain valuable knowledge, stay ahead of others, and try new things before most people are onboarded!

Stay safe and consider subscribing for more interesting crypto related posts.