Background
In the previous issue of Web3 Security Beginner's Guide to Avoiding Pitfalls, we mainly explained the risks when downloading/purchasing wallets, how to find the real official website and verify the authenticity of the wallet, and the risk of private key/mnemonic leakage. We often say "Not your keys, not your coins", but there are also situations where even if you have a private key/mnemonic, you cannot control your assets, that is, the wallet has been maliciously multi-signed. Combined with the MistTrack theft form we collected, some users' wallets were maliciously multi-signed and they didn't understand why they still had balances in their wallet accounts but couldn't transfer funds out. Therefore, in this issue, we will take the TRON wallet as an example to explain the relevant knowledge of multi-signature phishing, including the multi-signature mechanism, hackers' routine operations, and how to avoid malicious multi-signatures on wallets.
Let's first briefly explain what multi-signature is. The original intention of the multi-signature mechanism is to make the wallet more secure, allowing multiple users to jointly manage and control the access and use rights of the same digital asset wallet. Even if some managers lose or leak private keys/mnemonics, the assets in the wallet will not necessarily be damaged.
TRON's multi-signature permission system is designed with three different permissions: Owner, Witness, and Active, each with specific functions and uses.
Owner permissions:
Have the highest permission to execute all contracts and operations;
Only with this permission can modify other permissions, including adding or removing other signers;
After creating a new account, the account itself has this permission by default.
Witness permissions:
This permission is mainly related to Super Representatives. Accounts with this permission can participate in the election and voting of Super Representatives and manage operations related to Super Representatives.
Active permissions:
Used for daily operations, such as transferring and calling smart contracts. This permission can be set and modified by the Owner permission. It is often assigned to accounts that need to perform specific tasks. It is a collection of several authorized operations (such as TRX transfers and pledged assets).
As mentioned above, when a new account is created, the address of the account will have the Owner permission (the highest permission) by default. You can adjust the permission structure of the account, choose which addresses to authorize the permissions of the account, specify the weight of these addresses, and set the threshold. The threshold refers to the weight of the signatory to perform a specific operation. In the figure below, the threshold is set to 2, and the weights of the three authorized addresses are all 1. Then, when performing a specific operation, as long as there is confirmation from 2 signatories, the operation will take effect.
(https://support.tronscan.org/hc/article_attachments/29939335264665)
After the hacker obtains the user's private key/mnemonic, if the user does not use the multi-signature mechanism (that is, the wallet account is controlled by only one user), the hacker can authorize the Owner/Active permissions to his own address or transfer the Owner/Active permissions of the user to himself. These two operations of the hacker are usually referred to as malicious multi-signature, but this is actually a broad term. In fact, it can be distinguished based on whether the user still has Owner/Active permissions:
Using the multi-signature mechanism
In the figure below, the user's Owner/Active permissions have not been removed, and the hacker has authorized Owner/Active permissions to his own address. At this time, the account is controlled by the user and the hacker (the threshold is 2), and the weights of the user's address and the hacker's address are both 1. Although the user holds the private key/mnemonic and has Owner/Active permissions, he cannot transfer his assets because when the user initiates a request to transfer assets, both the user and the hacker's address need to sign for this operation to be executed normally.
Although the operation of transferring assets from a multi-signed account requires the confirmation of multiple signatures, multiple signatures are not required to deposit into a wallet account. If the user does not have the habit of regularly checking the account permissions or has not made any transfer operations recently, he will generally not find that the authorization of his wallet account has been changed, and then he will continue to be damaged. If there are not many assets in the wallet, the hacker may play the long game and wait for the account to accumulate a certain amount of digital assets before stealing all the digital assets at once.
Using TRON's permission management design mechanism
Another situation is that the hacker uses TRON's permission management design mechanism to directly transfer the user's Owner/Active permissions to the hacker's address (the threshold is still 1), causing the user to lose Owner/Active permissions and even "voting rights". It should be noted that the hacker here does not use the multi-signature mechanism to prevent users from transferring assets, but people usually call this situation malicious multi-signature of the wallet.
The results of the above two situations are the same. Regardless of whether the user still has Owner/Active permissions, the actual control of the account has been lost. The hacker address has obtained the highest permissions of the account, which can change account permissions, transfer assets, and other operations.
Combined with the stolen forms collected by MistTrack, we have summarized several common reasons for wallets to be maliciously multi-signed. We hope that users will be more vigilant when encountering the following situations:
1. When downloading a wallet, the correct path was not found, and the fake official website link sent by Telegram, Twitter, or netizens was clicked, and the fake wallet was downloaded. As a result, the private key/mnemonic phrase was leaked and the wallet was maliciously multi-signed.
2. Users entered private keys/mnemonics on some phishing recharge websites that sell gas cards, gift cards, and VPN services, and as a result, lost control of their wallet accounts.
3. During OTC transactions, someone with ulterior motives took a photo of the private key/mnemonic or used some means to obtain the authorization of the account, and then the wallet was maliciously multi-signed, and the assets were damaged. 4. Some scammers provide you with the private key/mnemonic, saying that they cannot withdraw the assets in the wallet account, and they will reward you if you can help. Although the wallet address corresponding to this private key/mnemonic does have funds, no matter how much handling fee you pay or how fast you withdraw, you cannot withdraw the funds because the withdrawal permission has been configured by the scammer to another address. 5. Another rare case is that the user clicks on a phishing link on TRON, signs malicious data, and then the wallet is maliciously over-signed.
In this guide, we mainly take the TRON wallet as an example to explain the multi-signature mechanism, the process and routines of hackers implementing malicious multi-signatures, and hope to help everyone deepen their understanding of the multi-signature mechanism and improve their ability to prevent wallets from being maliciously multi-signed. Of course, in addition to the situation of malicious multi-signatures, there are also some more special cases. Some novice users may mistakenly set their wallets to multi-signatures due to careless operation or lack of understanding, resulting in multiple signatures required for transfers. At this time, the user only needs to meet the multi-signature requirements or authorize the Owner/Active permission to only one address in the permission management, and restore the single signature.
Finally, the SlowMist security team recommends that users check account permissions regularly to see if there are any abnormalities; download wallets from official channels. We have talked about how to find the correct official website and verify the authenticity of wallets in the Web3 Security Getting Started Guide | Fake Wallets and Private Key Mnemonics Leakage Risks; do not click on unknown links, and do not easily enter private keys/mnemonics; install antivirus software (such as Kaspersky, AVG, etc.) and phishing risk blocking plug-ins (such as Scam Sniffer) to improve device security.
VeVe is releasing a stunning new digital comic collection titled "Star Wars: Return of the Jedi #1" on December 15th at 8am PT. This collection celebrates the iconic film's 40th anniversary and offers fans a unique way to own and experience a piece of Star Wars history.
JoyThe removal of its iOS and Chrome Extension wallets from the market is scheduled for November 1, 2023, although customers will still be able to access their wallets until October 1.
Coinlive The messaging feature will support the 1.3 million Ethereum addresses using the wallet that are human-readable and/or ENS-enabled.
nftnowRebecca Rettig, wants more clarity in the industry and sees that as key to approaching lawmakers.
TheBlockAfter the latest high-profile NFT hack, this time taking down tech entrepreneur Kevin Rose, the security advantages of self-custody wallets were making the rounds on Crypto Twitter again.
decryptThe team behind the company's crypto wallet was particularly hard hit, according to Axios.
OthersAs per the details from a tweet thread by Coinbase, iOS users will be unable to send NFTs from their wallets on iOS devices anymore.
OthersCardano's development team, Input Output has created a new light wallet which is called Lace. This new wallet comes with ...
BitcoinistWallet.app is launching the next stage in its EU-based, fully compliant crypto custody wallet, exchange and payment platform that will ...
BitcoinistCoinbase is rapidly expanding its product line this month, and some users can now access DeFi and other DApps on Ethereum through the Coinbase app.
Cointelegraph