ZenGo proposes solution to tackle offline signature exploits with EIP-6384
ZenGo, a crypto security and wallet provider, has introduced a solution to tackle the rising problem of offline signature exploits. In such exploits, attackers deceive users into signing hard-to-read wallet messages in order to steal crypto assets and NFTs.
Over the last few years, several crypto users have fallen victim to these malicious signatures, particularly on NFT marketplaces such as OpenSea where offline signatures are extensively used to trade NFTs without paying fees upfront.
In January, NFT entrepreneur Kevin Rose was hacked for NFTs totaling $1.5 million, after he was tricked into signing a malicious offline signature in what appeared to be a genuine feature on OpenSea.
To address this prevalent security issue, ZenGo has released its proposed solution as an official Ethereum improvement proposal, known as EIP-6384. The proposal seeks to make offline signatures both secure and easily readable for users. By building upon the existing offline signature standard EIP-712, ZenGo has added a view-only function to smart contracts that translates the message into a human-readable form.
By implementing EIP-6384, all Ethereum smart contracts would assume the responsibility of providing a clear explanation of the message, while preserving the fee-less transaction experience of decentralized apps. This change would give wallet users a clear and understandable description of the message they are being asked to sign, allowing them to make an informed decision while signing transactions.
While there are certain third-party services already available to help users understand what they are signing, those may not always be reliable. If wallets and decentralized apps adopt this proposal, users will no longer have to depend on such third-party tools to read information on offline signatures, ZenGo noted.
"The EIP relies solely on existing system participants, such as wallets and smart contracts, to display the necessary information. This eliminates the need for additional participants like third-party services or browser extensions, which can introduce additional layers of potential vulnerabilities and trust issues," said Tal Be’ery, chief technology officer at ZenGo.
The proposed solution may mark a step toward creating more secure apps and relieving users and projects of the fear of losing assets to hackers while using offline signatures, the ZenGo team added.