Fairyproof’s Overview of EIP-712 and Security in NFT Transactions
Indeed, a booming NFT ecosystem has attracted a huge influx of users since 2021. This directly results in a surging volume of NFT…
Indeed, a booming NFT ecosystem has attracted a huge influx of users since 2021. This directly results in a surging volume of NFT transactions, since most of the users who step into this ecosystem buy NFTs as a social symbol, a digital collectible, an art piece, and more.
As more users participate in the activities, security issues or risks arise as well, among which a significant issue or risk is that users’ signatures are exploited.
With regard to the exploit of users’ signatures, this often happens when a user transacts an NFT. Based on an existing transaction procedure, a user may need to sign a message to log in to a platform, send his/her payment for an NFT, or approve another address to transfer his/her NFT. In this case, if the user doesn’t check or cannot check whether this message is a legitimate one, he/she may suffer from an attack thus causing either losing his/her payment or losing his NFTs.
A typical issue with a message a user signs is that the message is a blind message i.e., the message just contains a hash value rather than meaningful texts. Here is a typical blind message with a hash value:
From the screenshot, we can see that the “MESSAGE” field just contains a hash value which no one can read and know what it really means.
If the message is to approve a malicious transaction and the signer signs it, he/she will very likely be exposed to risks.
A solution to this issue was proposed as EIP-712 and was submitted to the Ethereum community in 2017.
This EIP aimed to improve the usability of off-chain message signing for use on-chain.
The EIP-712 outlines a scheme to encode data such that a message could be displayed to a user for verification before he/she signs it. A typical EIP-712 looks like the one shown below:
Note: the details of each field in the message are wiped out due to privacy.
So, for the developers of an NFT application that requires users to sign a message, if EIP-712 is implemented, its users will have a chance to review the message and make sure they are interacting with the correct application and will approve a transaction they intend to do. This would greatly reduce the possibilities the users might be trapped in a malicious application.
From users’ point of view, it would be better to interact with an application that pops up a message with detailed information. When you encounter a message with detailed information, do review its details before proceeding to sign it. This would help mitigate your risks of being exploited.
About the author:
Yuefei TAN, CEO of Fairyproof
About Fairyproof:
Fairyproof Tech is a blockchain security company, established in Jan 2021.
It was founded by a team with rich experience in smart contract programming and network security. The team members participated in initiating a number of draft standards in the Ethereum field, including ERC-1646, ERC-2569, ERC-2794, and EIP-3712, of which ERC-2569 was officially accepted by the Ethereum team.
The team participated in the launch and development of various Ethereum projects, including blockchain platforms, DAO organizations, on-chain data storage, decentralized exchanges, and conducted security audits of multiple projects which have been deployed on Ethereum. Based on its strong R&D capability and deep understanding of smart contract security, Fairyproof has developed comprehensive vulnerability tracking and security systems and tools.
Fairyproof Tech serves and works closely with customers by providing systematic solutions covering both “code vulnerabilities” and “logic vulnerabilities” and aims to provide customers with the best and most professional services.