Offline signatures can drain your wallet: EIP-6384 can save it (Part 3/4)

This is part 3/4 in our series on one of the most exploited issues in Web3: Offline signatures.

In Part 1, we investigated how attackers abuse these issues with OpenSea, the largest NFT marketplace. In Part 2 we exposed new attack vectors that allow attackers to exploit offline signatures in novel ways, including the stealing of ERC-20 tokens.

Just this week, millions of USD worth of NFTs were stolen from an industry-leading NFT pioneer. This only underlines the urgent need for our industry to deploy a comprehensive, sustainable solution.

Source: https://twitter.com/kevinrose/status/1618323487067869184

Today, we share our suggested solution to this acute security issue, published as an official Ethereum (EIP) standard draft, EIP-6384. We plan to work with industry-leading protocols and other wallets to finalize and deploy this solution, in order to protect Web3 users’ assets.

A review: How users are getting scammed with offline signatures

The core problem with offline signature hacks is the indecipherable message displayed to users. This message is not human-readable, and phishing sites trick users into signing harmful messages, e.g. selling their precious NFTs for a zero price on OpenSea, or allowing hackers access to their funds in Uniswap.

The video below, taken by Zengo’s research team on a live phishing site, shows what such an attack looks like from the victim’s point-of-view.

Victim’s Point of View

As shown above, the suggested message to be signed is hardly comprehensible for normal users and certainly does not hint that the victims are going to sell their NFTs for virtually nothing.

The message to be signed does not tell the victims they are about to sell their NFTs for nothing!

It is important to note that, since offline signed messages are not immediately and directly executed by a smart contract, the standard technique of transaction simulation, which solves similar problems for on-chain transactions, is not applicable in this case.

For additional background and details, please see Part 1 and Part 2.

The Solution: Make offline signatures human-readable

Our solution is a new draft EIP, now live on the Ethereum Foundation’s website: EIP-6384 leverages the fact that the current offline signature standard (EIP-712) already specifies and cryptographically binds the signed message with the smart contract that would eventually interpret it.

By adding a view-only (= fee-less) function to such contracts that translates the message to its true meaning, the wallet will be able to query the contract and present the relevant description to the end user.

An EIP-6384 compliant smart contract and wallet would work as follows:

  1. A Dapp requests the user, via their wallet, to sign an offline message
  2. The wallet then:
    1. Extracts the verifying contract address
    2. Calls this contract’s signature evaluation function (no fees!)
    3. Displays the human readable signature explanation to the user (and may even add another intelligence layer on it, e.g. warn the users when they are going to sell at a very low price)
  3. The user can now make an informed decision on whether to sign this message or not!

EIP-6384 compliant user experience: The danger is clear!

It should be noted that the attackers must specify the relevant legitimate smart contract (e.g. OpenSea’s); otherwise the attack would not work. (For a detailed security discussion, please refer to the EIP on the Ethereum Foundation’s website.)
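The wallet-side steps 2.1 to 2.3 above, as an added example that is not code from Zengo or from the EIP. The contract is simulated by an in-memory object, and the `describe` function name, the `Order` message fields, the addresses and the `dappLabel` field are all constructed for illustration; the real function interface is the one the EIP specifies.

```javascript
// Constructed stand-in for on-chain contracts, keyed by lower-case address.
// `describe` plays the role of the contract's view-only evaluation function;
// the name is hypothetical, the real interface is the one the EIP specifies.
const MARKET = "0x00000000000000000000000000000000000000aa"; // constructed address
const mockChain = {
  [MARKET]: {
    describe(primaryType, message) {
      if (primaryType !== "Order") throw new Error("unknown type");
      return [`Sell NFT #${message.tokenId} of collection ${message.collection}`,
              `Price: ${message.priceWei} wei`];
    },
  },
};

// Wallet side: steps 2.1 to 2.3 of the flow described above.
function explainSignRequest(typedData, chain, minPriceWei = 1n) {
  // 2.1 Extract the verifying contract from the EIP-712 domain.
  const addr = typedData?.domain?.verifyingContract;
  if (typeof addr !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(addr)) {
    return { readable: false, lines: [], warnings: ["No verifying contract: cannot explain message"] };
  }
  // 2.2 Call that contract's view function (a fee-less read call in a real wallet).
  const contract = chain[addr.toLowerCase()];
  let lines;
  try {
    if (!contract || typeof contract.describe !== "function") throw new Error("unsupported");
    lines = contract.describe(typedData.primaryType, typedData.message);
  } catch {
    return { readable: false, lines: [], warnings: ["Contract gave no description: blind signing"] };
  }
  // 2.3 Show the description, plus the wallet's own check on the price.
  const warnings = [];
  const price = typedData.message.priceWei; // constructed field name
  if (price !== undefined && BigInt(price) < minPriceWei) {
    warnings.push("Sale price is below the wallet's minimum");
  }
  return { readable: true, lines, warnings };
}

// Constructed request as a phishing page would send it; its own label is never shown.
const phishingRequest = {
  dappLabel: "Sign in to claim your airdrop",
  domain: { name: "Market", version: "1", chainId: 1, verifyingContract: MARKET },
  primaryType: "Order",
  message: { collection: "0x00000000000000000000000000000000000000bb", tokenId: "42", priceWei: "0" },
};
console.log(explainSignRequest(phishingRequest, mockChain));
```

The text shown to the user comes only from the contract named in the signed domain, so the requesting page cannot substitute its own wording; a request that names no contract, or a contract without the function, is surfaced as unexplained rather than silently signed.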

Besides the obvious security benefits of implementing this EIP, providing a human readable description of the message to be signed will improve the user experience even for benign cases.

As a result, the responsibility for the offline signature message description is now owned by the contract. This allows the contract to:

  • Leverage its authoritative knowledge of the message’s meaning and potentially reuse the code that handles this message when received on-chain
  • Provide the best explanation to prevent a possible fraud or mistake by the user
  • Rely solely on existing system participants (wallets and smart contracts) to surface the required information. This removes any need for additional participants like 3rd party services or browser extensions, which can introduce additional layers of potential vulnerabilities and trust issues
  • Maintain the fee-less customer experience as the added function is in “view” mode and does not require an on-chain execution and fees
  • Maintain Web3’s composability property

Next steps: Our industry’s obligation to act

It’s time for a change. As an industry, we have a responsibility to act. By sharing our solution as an Ethereum standard, we choose to go through the harder yet better way of benefiting the entire Ethereum and EVM (e.g. Polygon) ecosystem.

We would like to thank members of the Ethereum community for their help facilitating this process so far and especially to Ethereum Foundation members: Yoav Weiss and Sam Wilson (our EIP editor) for their guidance, reviews and remarks.

To finalize this EIP we call on key industry players to act: NFT marketplaces, smart contract developers, wallets and infrastructure partners. Please review this EIP and collaborate with us. Let’s implement this EIP and put an end to this type of attack!

It’s time to make Web3 a safer place for everyone, and remove this offline signature vulnerability once and for all.

Please reach out to us with questions, comments, or partnership ideas: Either publicly via the EIP’s discussion thread on ethereum-magicians 🧙 or privately via [email protected].
