
The ethereum (ETH) ecosystem is finally starting to fix the so-called blind signing UX issue that allowed criminals to steal billions in ethereum-compatible crypto assets over the past decade – all because people were putting signatures under transactions they couldn’t read.
Crypto wallets and protocols can finally start implementing a new format (ERC-7730) for signing ethereum transactions that would replace blind signing. Until now, when signing a transaction, instead of a human-understandable summary such as "swap 1000 ETH for USDT," ethereum users saw a long, complex string of numbers and letters or a generic "Data Present" message.
This complexity has been used by criminals to trick victims into signing malicious transactions and transferring all their crypto assets. The biggest hack in history, when the Bybit exchange lost around $1.5 billion, was also facilitated by blind signing.
Now, the Ethereum Foundation (EF), together with industry partners, has rolled out tools that allow teams to implement the clear signing format, which translates raw transaction data into human-readable descriptions, as shown in the picture below.
"For users and institutions to feel comfortable storing and interacting with assets on ethereum that amount to trillions, 'What You See Is What You Sign' (WYSIWYS) must be our goal, and Clear Signing must be the default," the EF said after a decade of waiting and billions lost.
ERC-7730 now acts as a shared format for transaction descriptions. According to the EF, anyone can contribute descriptors to this system, while their accuracy is verified through independent reviews and attestations, and wallets decide which sources they trust.
"While these descriptors are provided alongside the transaction, rather than embedded directly in it, this approach makes it possible to support both existing and new applications, while still allowing their accuracy to be independently verified," the Foundation said, admitting that "Signing a transaction you can’t read is like signing a blank check."
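To make the difference between blind and clear signing concrete, here is an added example (not code from the Ethereum Foundation, ERC-7730, or any wallet) that decodes ERC-20 calldata and renders it either as a human-readable intent, when a descriptor for the function exists, or as the old "Data Present" fallback when none does. The descriptor shape is a simplified stand-in for the idea of display metadata supplied alongside the transaction, not the actual ERC-7730 JSON schema; the token address, recipient and spender addresses, and amounts are constructed. Only the two function selectors are real, well-known ERC-20 values.

```python
# Added example: toy "clear signing" renderer for ERC-20 calldata.
# Descriptor layout is a simplified stand-in for ERC-7730-style display
# metadata, NOT the real schema. Addresses and token data are constructed.

MAX_UINT256 = 2**256 - 1

# Selectors are the first 4 bytes of keccak256(signature); these two are the
# standard ERC-20 ones. A wallet would load such descriptors from sources it
# trusts (reviewed and attested), keyed by selector.
DESCRIPTORS = {
    "a9059cbb": {  # transfer(address,uint256)
        "intent": "Send {amount} to {to}",
        "params": [("to", "address"), ("amount", "tokenAmount")],
    },
    "095ea7b3": {  # approve(address,uint256)
        "intent": "Allow {spender} to spend {amount}",
        "params": [("spender", "address"), ("amount", "tokenAmount")],
    },
}

# Constructed token registry: contract address -> (symbol, decimals).
USDT_ADDR = "0x" + "11" * 20
TOKENS = {USDT_ADDR: ("USDT", 6)}


def encode_call(selector_hex, *args):
    """Build ABI calldata: 4-byte selector followed by 32-byte words.
    Strings are treated as 20-byte addresses, ints as uint256."""
    out = bytes.fromhex(selector_hex)
    for arg in args:
        if isinstance(arg, str):
            out += bytes(12) + bytes.fromhex(arg[2:])
        else:
            out += arg.to_bytes(32, "big")
    return "0x" + out.hex()


def decode_calldata(calldata):
    """Split calldata into (selector hex, list of 32-byte words)."""
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    if len(data) < 4 or (len(data) - 4) % 32:
        raise ValueError("malformed calldata")
    selector = data[:4].hex()
    words = [data[i:i + 32] for i in range(4, len(data), 32)]
    return selector, words


def decode_address(word):
    # An ABI address occupies the low 20 bytes; the 12 high bytes must be zero.
    if any(word[:12]):
        raise ValueError("address word has non-zero padding")
    return "0x" + word[12:].hex()


def format_amount(raw, token):
    """Scale a raw uint256 by the token's decimals; flag the unlimited case."""
    symbol, decimals = token
    if raw == MAX_UINT256:
        return f"UNLIMITED {symbol}"
    whole, frac = divmod(raw, 10 ** decimals)
    text = str(whole)
    if frac:
        text += "." + f"{frac:0{decimals}d}".rstrip("0")
    return f"{text} {symbol}"


def render(tx):
    """Return what the signer would see: clear text if a descriptor matches,
    otherwise the blind-signing 'Data Present' view plus a warning."""
    selector, words = decode_calldata(tx["data"])
    desc = DESCRIPTORS.get(selector)
    if desc is None:
        return {"clear": False,
                "text": f"Data Present ({4 + 32 * len(words)} bytes, selector 0x{selector})",
                "warnings": ["no trusted descriptor: you would be signing blind"]}
    if len(words) != len(desc["params"]):
        raise ValueError("argument count does not match descriptor")
    token = TOKENS.get(tx["to"].lower(), (f"units of unknown token {tx['to']}", 0))
    values, warnings = {}, []
    for word, (name, kind) in zip(words, desc["params"]):
        if kind == "address":
            values[name] = decode_address(word)
        else:
            raw = int.from_bytes(word, "big")
            values[name] = format_amount(raw, token)
            if raw == MAX_UINT256:
                warnings.append(f"{name} is unlimited: the whole {token[0]} balance could be drained")
    return {"clear": True, "text": desc["intent"].format(**values), "warnings": warnings}


if __name__ == "__main__":
    bob, spender = "0x" + "22" * 20, "0x" + "33" * 20
    for data in (encode_call("a9059cbb", bob, 1_000_000_000),   # 1000 USDT
                 encode_call("095ea7b3", spender, MAX_UINT256),  # unlimited approval
                 encode_call("deadbeef", bob)):                  # no descriptor
        print(render({"to": USDT_ADDR, "data": data}))
```

The third transaction shows the pre-ERC-7730 experience: with no descriptor, the wallet can only say that data is present. The second shows why clear signing needs more than decoding alone: the descriptor's `tokenAmount` format turns a 32-byte all-ones word into an explicit "UNLIMITED" approval that the wallet can surface as a warning.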
Other blockchains might have different formats for signing transactions. For example, when signing a bitcoin (BTC) transaction, a user clearly sees the destination address, the amount being sent, and the fee. Also, in the worst-case scenario, only the specific BTC amount being sent can be lost, while in ethereum’s case, an entire token balance can be drained.
That said, BTC addresses are also presented as a long sequence of letters and numbers (though much shorter than ethereum's raw transaction data), and the user must check the whole address carefully. Cybernews has already reported on the so-called address poisoning attacks happening on bitcoin, too.