Nexo

Start Earning Up to 16% Interest Automatically

Learn More
Home » News » Ledger to halt blind signing on dApps, encourages clear signing for security

Ledger to halt blind signing on dApps, encourages clear signing for security

by

The policy shift can be seen as Ledger's attempt to address the impact and severity of last week's exploit.

Ledger to halt blind signing on dApps, encourages clear signing for security

Share this article

A week after an exploit on its Connect Kit library led to losses of over $600k, Ledger has announced its decision today to disable blind signing for all Ethereum dApps.

Blind signing is when a user signs a transaction without being fully aware of its contents. The details in this type of verification are not “human-readable” because they are displayed as raw smart contract signing data.

According to Ledger, it will end blind signing for Ethereum dApps currently supported by its hardware wallets by June 2024. The hardware wallet provider also committed to reimbursing victims of the hack. Ledger claims it is working with its community and ecosystem partners to establish Clear Signing as a security standard.

“Front-end attacks have happened many times before and will continue to plague our ecosystem. The only foolproof countermeasure for this type of attack is to always verify what you consent to on your device,” Ledger stated.

While blind signing is intended to enhance privacy and security by providing complete details, it can pose a significant risk if a user is unaware of the exact specifications of what they are signing. Blind signing may allow malicious actors to trick users into unknowingly approving unauthorized or malicious transactions, putting their assets at risk.

On the other hand, clear signing allows users to view the full details of a transaction in a human-readable format before verifying and providing authorization. This method provides a degree of transparency and helps users ensure that they are approving legitimate transactions.

As explained in our coverage of the incident, the attack began with a sophisticated phishing attempt on a former Ledger employee who still had access due to delays in manually revoking their access. The hacker used an exploit identified as an “Angel Drainer attack” to route user assets. When users of the affected dApps signed transactions they could not fully view or understand, the wallet drainer payload automated transfers to the hacker’s wallet, effectively siphoning off funds.

The policy and priority shift can be seen as Ledger’s attempt to address the impact and severity of last week’s exploit.

In 2020, a data breach that originated from Ledger’s e-commerce database was discovered, exposing personal information from over 270,000 Ledger customers. Ledger later denied allegations that this leak was connected to its wallets.

Share this article

The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.

Crypto Briefing may augment articles with AI-generated content created by Crypto Briefing’s own proprietary AI platform. We use AI as a tool to deliver fast, valuable and actionable information without losing the insight - and oversight - of experienced crypto natives. All AI augmented content is carefully reviewed, including for factural accuracy, by our editors and writers, and always draws from multiple primary and secondary sources when available to create our stories and articles.

You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.

See full terms and conditions.