Sep 13, 2022
Updated Sep 14, 2022
- On Web3, you interact with dApps using your crypto wallet.
- Communication with a dApp is done via cryptographic signatures – signing things with your private key to approve them.
- But you’ll sign a variety of different things with your private key – messages and transactions are two different things, with totally different consequences.
- If you don’t fully understand what you’re signing, you’re a sitting target for scammers. Here, we explain wallet confirmation messages.
Cryptocurrency is an innovative, fast-paced, and often complex space, where the UX can often be hard to understand. So if you’re interacting regularly with Web3, it pays to get familiar with details – literally.
In Web3, users typically engage by cryptographically signing interactions via their wallet. But not all interactions are the same.
Broadly speaking, you’ll find yourself signing two types of interaction – transactions and confirmations. Confusion about these two types of interaction – and how to spot them – is a significant source of scams on Web3. So taking time to fully understand each one, and how to identify it, is a no-brainer for anyone looking to protect their crypto.
In this article, we explain the difference between signing a wallet confirmation and a fully-fledged smart contract transaction – and how to spot it for yourself.
What is a blockchain transaction?
Let’s start with a quick refresher. A blockchain transaction is an action – verified by you – that moves data or value from one point to another on the blockchain. In other words, sending or receiving from your crypto wallet, or entering into a smart contract relationship such as staking, selling an NFT or interacting with a liquidity pool.
To initiate a blockchain transaction, you will need to give a digital signature – this signature is a cryptographic representation of your intention. It confirms that you agree to a given transaction, and initiates the change to the blockchain.
What is a wallet confirmation message?
Like blockchain transactions, wallet confirmation messages also use a signature from your wallet. But they have no interaction with the blockchain and have no smart contract function to enact.
Instead, they create a verification system for any dApp requiring a user to prove they own the wallet they’re transacting from.
Where will I see Wallet Confirmation Messages?
In addition to coming across signature request messages when accessing a dApp on a blockchain, you may also encounter them on marketplaces and allow list registries.
By signing a unique message, you assure the dApp that you own the private key you’re interacting with, without needing to make an actual transaction. All of this is done fully off-chain, as if the two parties are waving at each other but not actually doing business.
Because there is no change to the blockchain, there will be no gas fee attached to a wallet confirmation signature. Ever.
Wallet Confirmation Messages: The Scams
Wallet confirmation signatures – due to the confusion over exactly what they are – can be used as part of a scam to exploit users.
Recently, a hacker on allow list registration site PREMINT scammed thousands of users out of the NFTs in their wallet. The hacker was able to publish a malicious “wallet confirmation pop-up” on the website; victims signed the pop-up believing it to be an innocuous wallet confirmation message (standard for allow list registration sites). Instead, it was a malicious transaction – signing it gave the hacker access to NFTs in their wallet.
The pop-up containing the transaction looked like an innocent wallet confirmation – and the victims missed red flags, such as the presence of a gas fee, that indicated it was really a transaction.
In another case, malicious sites take your most recent incoming transaction, with the real details about the sender address, ETH amount, and date, and claim that MetaMask requires a signature to accept it. The thing is, incoming transactions do not require any action on the recipient’s side: what you’re really doing is signing another transaction and losing your crypto. This is why it’s so essential to be aware of what you’re signing.
How to Spot a Malicious Wallet Confirmation Message
If you take just one thing from this article, it should be this: users need to exercise caution when signing any type of interaction with their wallet, and this means learning how to spot the difference between a transaction and a wallet confirmation. A couple of things to watch out for are:
- A wallet confirmation message will never have a gas fee.
- A wallet confirmation message will never feature a smart contract function – seeing one, such as SetApprovalForAll, SafeTransfer or SendEth should be a big red flag if you think you’re simply confirming your wallet.
- A wallet confirmation message will normally be requested as you start to interact with a dApp – you shouldn’t be receiving this pop-up at random times as you browse.
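As an added example (not part of the original article), the script below applies this checklist to wallet requests in the JSON-RPC shape browser wallets receive from a dApp. The method names and 4-byte function selectors are the standard Ethereum ones; the addresses, amounts and sample requests are constructed.

```javascript
// Added example (not from the article): apply its checklist to a wallet request
// in the JSON-RPC shape browser wallets receive. Method names are standard Ethereum
// provider methods; selectors are the real 4-byte ABI selectors of the named functions.
const SIGNATURE_METHODS = new Set([
  "personal_sign", "eth_sign", "eth_signTypedData",
  "eth_signTypedData_v3", "eth_signTypedData_v4",
]);
const TRANSACTION_METHODS = new Set(["eth_sendTransaction", "eth_signTransaction"]);
// First 4 bytes of keccak256(signature), hard-coded so no hashing library is needed.
const KNOWN_SELECTORS = {
  "0xa22cb465": "setApprovalForAll(address,bool)",
  "0x095ea7b3": "approve(address,uint256)",
  "0x42842e0e": "safeTransferFrom(address,address,uint256)",
};

function classifyRequest(req) {
  if (SIGNATURE_METHODS.has(req.method)) {
    // Off-chain message: nothing executes, so the checklist raises no flags.
    return { kind: "confirmation", redFlags: [] };
  }
  if (!TRANSACTION_METHODS.has(req.method)) {
    return { kind: "unknown", redFlags: [`unrecognised method ${req.method}`] };
  }
  const tx = (req.params && req.params[0]) || {};
  const redFlags = [];
  // Check 1: a gas fee. A genuine confirmation message never carries one.
  if (tx.gas || tx.gasPrice || tx.maxFeePerGas) redFlags.push("gas fee present");
  // Check 2: calldata invoking a contract function (selector = first 4 bytes).
  const data = (tx.data || "0x").toLowerCase();
  if (data.length >= 10) {
    const selector = data.slice(0, 10);
    redFlags.push(`calls ${KNOWN_SELECTORS[selector] || "unknown function " + selector}`);
  }
  // Check 3: the "sign to accept incoming funds" scam. Incoming transfers need no
  // signature, so any non-zero value in a request you sign leaves your wallet.
  if (tx.value && BigInt(tx.value) > 0n) redFlags.push("sends ETH out of the wallet");
  return { kind: "transaction", redFlags };
}

// Constructed sample requests (addresses and amounts are made up).
const USER = "0x" + "11".repeat(20);
const LOGIN_REQUEST = { method: "personal_sign", params: ["0x4c6f67696e", USER] };
const APPROVAL_REQUEST = {
  method: "eth_sendTransaction",
  params: [{ from: USER, to: "0x" + "22".repeat(20), gas: "0x186a0",
    // setApprovalForAll(operator = 0x33..33, approved = true), ABI-encoded
    data: "0xa22cb465" + "00".repeat(12) + "33".repeat(20) + "00".repeat(31) + "01" }],
};
const FAKE_INCOMING = { method: "eth_sendTransaction", // dressed up as "accept 1 ETH"
  params: [{ from: USER, to: "0x" + "44".repeat(20), value: "0xde0b6b3a7640000", gas: "0x5208" }] };
```

A wallet UI that runs these checks would show the login request as a plain confirmation, while both transaction requests surface the gas fee and either the contract function or the outgoing value.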
Web3 Literacy is Essential!
Every message you sign has a consequence – and understanding what type of message you’re signing is the only way of knowing what the consequence will be.
A hardware wallet is the most secure way to store your private keys, but even a Ledger Nano cannot protect you from signing the wrong thing.
Scams involving wallet signature request messages primarily take advantage of users’ lack of understanding of what they’re signing. That’s why it’s so important to not only protect your private key at all times, but to keep educating yourself on the evolving Web3 space – and the scams being deployed there – in order to truly secure your hard-earned crypto.
Knowledge is power.
Gaurav began writing professionally in 2017. Since then, he has assisted over 100 companies in a variety of domains, including e-commerce, blockchain, cybersecurity, online marketing, and a lot more. He is also keen on learning a new skill every year. In his free time, he likes playing games on his Xbox and scrolling through Quora.