What is message signing? What are you signing when using Collab.Land? And what can you do to keep yourself safer?

Just as a physical signature proves that the signer has acknowledged the contents of a document, a cryptographic signature serves a similar purpose.

Without getting too technical, this is how it works:

  1. The user is presented with a message.
  2. The user signs the message by clicking a button in their wallet. When the user clicks, the wallet creates a hash of the message using a private key (NEVER SHARE YOUR PRIVATE KEY OR SEED/RECOVERY PHRASE).
  3. This hash is referred to as the “signed message”.

Always verify what you are signing and who is requesting the signature verification.

What happens if the message is an authorization to execute a function on a smart contract? In general, anyone can take this signed execution message, pay the transaction fee, and broadcast it to be processed on-chain.

This is why it is important for users to understand what they are signing. Malicious attackers trick users into signing messages that execute a function. If the message is not clearly understood (or readable), then don’t sign it.

User vigilance is only part of the picture. Smart contract teams writing financial applications are also responsible for understanding that malicious attackers are waiting to trick unsuspecting users.

With this in mind, defensive programming best practices need to be used. It is NOT acceptable to expect an average user to read and understand a smart contract, let alone all the potential attack vectors. This is the responsibility of everyone associated with the deployment and maintenance of the contracts. Those who are profiting need to hold themselves to the highest standard and develop contracts with adversarial actors in mind.

At Collab.Land, the messages we ask users to sign are ONLY plain (readable) text strings. We use message signing to cryptographically verify that a user owns the wallet by recovering the public key. We follow EIP-712 to clearly show what the user is signing. We do not store the signed message.

Always check the message you are signing!

Along with following EIP-712 (I have been a supporter since 2017), we remind users with a banner message to always verify the website address:

We are excited to see other websites following this best practice!

Most importantly, we are read-only.

We understand there are adversarial actors, so even though we do not generate any revenue from any of the services we provide, we invest in anti-scamming solutions.

Your trust and safety matter.

  2. ALWAYS verify the website address
  3. ALWAYS understand what you are signing (and ASK questions if you don’t!!)
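
The two checks in the list above, written as a review step that could run before a signature prompt is shown. This is an added example, not Collab.Land's code: the request shape `{ origin, messageHex }`, the `EXPECTED_HOST` value and the function names are assumptions made for illustration.

```javascript
// Added example: pre-sign review of a plain-text signing request.
// EXPECTED_HOST and the request shape are constructed placeholders.
const EXPECTED_HOST = "community.example";

// Decode a 0x-prefixed hex payload to bytes; returns null if malformed.
function hexToBytes(hex) {
  if (typeof hex !== "string" || !/^0x([0-9a-fA-F]{2})*$/.test(hex)) return null;
  const out = new Uint8Array((hex.length - 2) / 2);
  for (let i = 0; i < out.length; i++) {
    out[i] = parseInt(hex.slice(2 + 2 * i, 4 + 2 * i), 16);
  }
  return out;
}

// Returns { ok, reasons, text } for a request { origin, messageHex }.
function reviewSignRequest(req) {
  const reasons = [];
  let text = null;
  // 1. Website address: exact hostname over https, never a substring match.
  let url = null;
  try { url = new URL(req.origin); } catch (e) { /* reported below */ }
  if (!url || url.protocol !== "https:" || url.hostname !== EXPECTED_HOST) {
    reasons.push("origin is not https://" + EXPECTED_HOST);
  }
  // 2. Message: must decode as strict UTF-8 with no control characters.
  const bytes = hexToBytes(req.messageHex);
  if (!bytes || bytes.length === 0) {
    reasons.push("payload is empty or not valid hex");
  } else {
    try {
      text = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
    } catch (e) {
      reasons.push("payload is not readable text");
    }
    if (text !== null && /[\u0000-\u0008\u000b\u000c\u000e-\u001f\u007f]/.test(text)) {
      reasons.push("payload contains control characters");
    }
    // Text that is itself only a 32-byte hex digest tells the user nothing.
    if (text !== null && /^(0x)?[0-9a-fA-F]{64}$/.test(text.trim())) {
      reasons.push("message is an opaque hash, not a statement");
    }
  }
  return { ok: reasons.length === 0, reasons, text };
}
```

A request is shown for signing only when `ok` is true; otherwise `reasons` lists what to display to the user instead of the prompt.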




James Young