Today's big event was that a guy's assets on Binance were emptied by hackers because he installed a malicious plug-in. This incident once again sparked a heated discussion about security.

Just a few days ago, a friend of mine told me that his money was stolen and his assets were inexplicably transferred away. Since he is an old investor and knows the importance of keeping private keys, I seriously suspect that he opened some shady website and clicked on some dirty link.

The most likely reason why on-chain assets are at risk is because of random authorization and random signatures, among which random signatures are the most fatal!

Let's first clarify the difference between the two:

Authorization (apporve): Generally, apporve appears on tokens and NFTs, which authorizes a certain address to have corresponding permissions for a certain token.

Signature: It is used to complete interactive behaviors such as sending transactions and signing messages, proving that you are the owner of this account. It can be simply understood as, you are the boss, and only your signature can be performed.

The relationship between the two: the signature may have some authorization, but the authorization must be signed by the user. The signature includes the authorization.

From the above, we can conclude that signature is the last line of defense for security.

Some common signature scams on Solana:

1️⃣. Sign a transaction to transfer multiple tokens

The parallel transaction feature on Solana packages multiple transfer instructions into one transaction, and the entire process can be completed with only one signature.

A breach that hackers can exploit, causing the victim to lose all assets in one signature. Commonly seen in NFT phishing airdrops. When using a wallet, please be sure to carefully confirm each signature operation to avoid losses.

2️⃣.Signature diffusion mechanism

In Solana, there is a signature diffusion mechanism. A user signs a contract A, but when contract A calls contract B internally, the user's signature will be diffused to contract B along with the cross-contract call.

Therefore, the user has also signed Contract B. It can be simply understood that the signature is copied and reused. Contract A is safe, but the security of Contract B cannot be guaranteed.

3️⃣. Transfer of token account ownership

Solana is an account mechanism. All tokens have a corresponding account, which also records the balance and related information of the corresponding token. Each token account has an owner.

The phisher will use SetAuthority to modify the Owner of the user's Token account. Once the user signs a transaction containing this instruction, the Owner will become the phisher, allowing the phisher to obtain the user's assets.

4️⃣. The signature information is unreadable, blind signature

In principle, when we use wallets, we follow the principle of “what you see is what you sign”. The dapp needs to display at least key information such as account information, balance, the source website of the signature request, and the message being signed in the signature information.

However, some dapps present a string of characters that are unreadable by users, commonly known as "blind signatures". Even if there is no security problem with this behavior, it shows that the dapp developers have a weak sense of security.

5️⃣. Durable Nonce to defraud transaction signatures

Durable Nonce is a feature in the Solana blockchain. From Solana's documentation, we can see this feature: sign first, then trade at a certain time in the future. It is commonly used in Defi, cross-chain, multi-signature and other scenarios.

However, phishers can use the Durable Nonce mechanism to trick users into signing a message disguised as a secure transaction. This is common in phishing airdrop activities.

The user completes the signature and receives the airdrop, but in fact, he has signed an instruction to transfer the user's assets to the scammer. The user cannot see any transaction through the browser. The scammer only gets the signature of this transaction, and they can broadcast the transaction to the chain at any time in the future.

Some good daily habits can help us improve asset security:

a) Improve safety awareness: Learn more about blockchain, cryptocurrency, and Internet security knowledge to improve safety awareness. For example, the "Blockchain Dark Forest Self-help Manual" written by SlowMist is worth reading. github.com/slowmist/Block…

b) Keep the software updated and clean regularly: Please update your wallet and transaction-related software to the latest status in a timely manner, and clean up any inappropriate software and plug-ins on your commonly used devices in a timely manner to avoid being hijacked.

c) Make good use of the wallet transaction simulation function: Use the transaction simulation function provided by wallets such as @phantom @Backpack and carefully check the transaction simulation results.

d) Carefully check the transaction details: Before making any transaction, please carefully check the signature information and the specific content of the transaction. It is best to read the contract if you can.

e) Regularly cancel useless authorizations: Solrevoker.com uses tools to regularly cancel some useless authorizations to ensure the security of assets.