Tezos Wallets Were Reportedly Vulnerable to ‘Blind Sig’ Attacks; Issue Now Fixed
Apparently, Tezos (XTZ) has an inherent flaw that would allow users with bad intentions to perform blind signature (blind sig) attacks. The information was released by the Reddit user tzlibre a few days ago on the r/tzlibre subreddit.
As per the user, most KYC-Tezos wallets they’ve tested are vulnerable to a simple but catastrophic attack that could lead to users losing their funds. In order to demonstrate it, they’ve exposed a malicious RPC to test wallets in which they warn that funds could be lost.
The post written by tzlibre reads as follows:
“These wallets connect to a server (the RPC node) but they do not build the raw tx like normal cryptocurrency wallets, nor do they check the binary provided by the RPC before signing it. Should the RPC get hacked (or turn malicious) it will provide clients with a malicious tx to sign: with no way to parse the binary, the unsuspecting user will sign a tx which sends 100% of their funds to the attacker’s address.”
According to the post, there are several vulnerable wallets, including Galleon, T3Wallet, Tezbox Chrome, Tezbox MacOs, Tezbox Windows, Tezos Blue, TezBridge and WeTez. The wallets that are not vulnerable are Kukai, Librebox, Magnum and Tezbox Web. These last two were able to fix this issue.
The Redditor explains that crypto wallets were meant to be trustless, but these KYC-Tezos wallets are not. In this case, users are giving their trust to the server RPC to send the money where users want to. The RPC could turn malicious at any moment if it is hacked and there is no way to detect it for users. If that happens, users could lose their funds when they perform a transaction.
The attack works with the RPC turning malicious, for example, if it is hacked. The wallet securely connects to the malicious RPC using HTTPS. After it, the wallet provides JSON of tx to build. Finally, the RPC provides malicious binary sending funds to another address and the wallet ‘blindly’ signs binary. This is how the funds get lost.
As per the post, SSL security between clients and the server will not help to solve this situation. The first thing that a malicious RPC would do is to establish a secure connection and then provide malicious tx to sign. Thus, SSL provides users with a false sense of security.
The next steps suggested are for KYC-Tezos users not to sign any transaction using a vulnerable wallet until the issue is addressed and solved. The Tezos Foundation should release specifications for the binary tx format and improve documentation to a more decent standard.
Tezos is currently the 24th largest digital asset in the market. It has a market cap of $250 million and each coin can be purchased for $0.41.