Hi! I'm Psy. It's the middle of the night and I'm hungry. What can I do? I can only pick up my phone and order takeout.

Open Hungry, select a payment method, and jump to your wallet.

The interface pops up, and I still need to sign, then do facial recognition, and ding, the payment is successful.

Everything above is Psy’s imagination, but imagine that in the near future you can pay for takeout with cryptocurrency. Isn’t that a bit exciting? Don’t get too excited, though. Sometimes all I did was sign my name in the wallet, so why is my money gone?

Understand the two major secrets of how a wallet works, signing and interacting, and master the logic behind them. You will feel like you have found a treasure while learning how to keep your funds safe.

When using a wallet, we mainly perform two basic operations: signing and interacting. In the simplest terms, signing is done outside the blockchain (off-chain), which means you don’t need to pay any Gas fees, while interacting is done directly on the blockchain (on-chain), which involves certain Gas fees.

Signatures play a vital role in blockchain transactions.

A signature serves three main functions. It proves that the transaction was initiated by the holder of the wallet, because only the person holding the private key can generate a valid signature. It makes the signed transaction unchangeable, because any modification invalidates the signature. And it authorizes the transaction, proving that the initiator has the right to transfer a specific amount of assets.

To further explain, the signature operation is similar to signing a document, which verifies the transaction or data without directly recording these actions on the blockchain. Therefore, it is a low-cost and fast way to pre-approve transactions or verify identities.

On the other hand, interactive operations are like actual transactions or contract calls in the blockchain network. Each step needs to be confirmed by the network, which requires the payment of certain fees to ensure the operation and security of the network.

In many cases, signatures are used to prove identity. For example, one day I want to go to club brother @alert's club for a massage. I need to book a technician on the platform, and first I need to connect my digital wallet. At this point, the system asks me to sign. This is equivalent to taking out my membership card to prove that "I am the owner of this membership card." After the signature is completed, I can continue to book a technician. This process does not cause any data or state changes on the blockchain, so no fees are required.

When I decide to make an actual service reservation on the platform, such as booking a massage service, the real interaction begins. First, I need to pay a fee, which is equivalent to telling the club's smart contract: "You are allowed to withdraw the corresponding amount from the membership card in my wallet", which is an authorization (approve) action. After that, I need to pay a fee again, this time to notify the smart contract: "I confirm that I want to book this service, please deduct the money from my membership card now." After completing these steps, I successfully booked a private customized oil massage service from the club brother.

Just like that, while I was enjoying many comfortable private customizations, two troublemakers had already appeared quietly behind me: authorization phishing and Permit signature phishing.

A cunning hacker created a link for me that was almost identical to the club booking website and sent it to me. The smart contract prompted again: "You agree to let me withdraw the fee from your wallet membership card." I suddenly realized that I had already authorized the regular club website, so I would not easily authorize it again. Out of caution, I took a closer look and found a clue - this is a typical trick of authorization phishing. However, authorization phishing has an obvious weakness: the need to pay a gas fee makes the operation involving money particularly eye-catching. Once you click on the website link, you can detect the abnormality with a little observation, which makes it easy to prevent.

We know that authorization is like paying a certain fee to tell the club's smart contract: "You can withdraw this amount of service fees from me." At this point, another troublemaker, Permit, comes on the scene. Permit is like signing a piece of paper that says: "I allow someone to withdraw this amount of service fees from my club account." After that, this person takes the signed paper to the smart contract, pays a fee and says: "He has agreed that I can withdraw this money."

Now, let's say you want to book a massage. Hackers took advantage of this mechanism and created a phishing website that is almost identical to the club's website. They turned the button that originally allowed you to log in to your wallet into a Permit phishing trap. You signed this "note" without knowing it, authorizing a third party that you thought was the club. In fact, the hacker took this authorization to the smart contract and easily withdrew your assets from your club account. Throughout the process, you just signed your name, but this signature means that you have authorized others to book services and deduct money on your behalf. Users need to carefully manage the scope and time of authorization to avoid inadvertently granting too much or permanent permissions.
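
An added example (not from the original article): a check a wallet or browser extension could run on each request, telling a login signature, an on-chain approve and an off-chain Permit apart, and flagging an unknown spender, an unlimited amount or a long deadline. It assumes the Permit described above is the standard EIP-2612 typed-data message; the function name, the one-hour policy and the sample addresses are hypothetical.

```javascript
// Added example: classify a dapp's wallet request before the user confirms it.
const MAX_UINT256 = (1n << 256n) - 1n;
const APPROVE_SELECTOR = "0x095ea7b3";  // ERC-20 approve(address,uint256)
const MAX_PERMIT_LIFETIME = 3600n;      // hypothetical policy: flag permits valid > 1 hour

function reviewWalletRequest(req, trustedSpenders, nowSeconds) {
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  const warnings = [];
  let kind = "other", spender = null, amount = null;

  if (req.method === "personal_sign") {
    kind = "login-signature";            // proves identity only, moves nothing
  } else if (req.method === "eth_sendTransaction") {
    const data = (req.params[0].data || "").toLowerCase();
    if (data.startsWith(APPROVE_SELECTOR) && data.length >= 138) {
      kind = "approve";                  // on-chain authorization, costs gas
      spender = "0x" + data.slice(34, 74);         // low 20 bytes of argument 1
      amount = BigInt("0x" + data.slice(74, 138)); // argument 2
    }
  } else if (req.method === "eth_signTypedData_v4") {
    const raw = req.params[1];
    const typed = typeof raw === "string" ? JSON.parse(raw) : raw;
    if (typed.primaryType === "Permit") {
      kind = "permit";                   // off-chain signature that authorizes spending
      spender = typed.message.spender;
      amount = BigInt(typed.message.value);
      const lifetime = BigInt(typed.message.deadline) - BigInt(nowSeconds);
      if (lifetime > MAX_PERMIT_LIFETIME) warnings.push("LONG_LIVED_DEADLINE");
    }
  }
  if (spender !== null) {
    if (!trusted.has(spender.toLowerCase())) warnings.push("UNKNOWN_SPENDER");
    if (amount === MAX_UINT256) warnings.push("UNLIMITED_AMOUNT");
  }
  return { kind, onChain: req.method === "eth_sendTransaction", spender, amount, warnings };
}

// Constructed sample data (not real addresses or requests).
const CLUB = "0x" + "11".repeat(20);     // the spender the user already trusts
const OWNER = "0x" + "aa".repeat(20);
const samplePermit = { method: "eth_signTypedData_v4", params: [OWNER, JSON.stringify({
  primaryType: "Permit",
  message: { owner: OWNER, spender: "0x" + "ee".repeat(20),
             value: MAX_UINT256.toString(), nonce: 0, deadline: MAX_UINT256.toString() },
})] };
const sampleApprove = { method: "eth_sendTransaction", params: [{ from: OWNER,
  data: APPROVE_SELECTOR + CLUB.slice(2).padStart(64, "0") + (100n).toString(16).padStart(64, "0") }] };

console.log(reviewWalletRequest(samplePermit, [CLUB], 1700000000));
console.log(reviewWalletRequest(sampleApprove, [CLUB], 1700000000));
```

The check only recognizes the standard Permit shape; tokens or routers that use a different typed-data layout fall into "other" and need their own rule.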

In short, the Permit signature is an important advance in the user experience and security of blockchain technology, representing a more flexible and user-friendly way to authorize and transact. Through this mechanism, blockchain applications can provide smoother interactions, and users can manage their digital assets more securely.