MESSAGE SIGNING WITH COLLAB.LAND
What is message signing? What are you signing when using Collab.Land? And what can you do to keep yourself safer?
What is message signing?
Just like a physical signature proves that the signer has acknowledged the contents of a document, a cryptographic signature solves for a similar use case.
Without getting too technical, this is how it works :
- User is presented with a message
- User signs a message by clicking a button in their wallet. When the user clicks, the wallet creates a hash of the message using a private key (NEVER SHARE YOUR PRIVATE KEY OR SEED/RECOVERY PHRASE)
- This hash is referred to as the “signed message”
Always verify what you are signing and who is requesting the signature verification.
What happens if the message is an authorization to execute a function on a smart contract? In general, anyone can take this signed execution message, pay the transaction fee, and broadcast it to be processed on-chain.
This is why it is important for users to understand what they are signing. Malicious attackers trick users into signing messages that execute a function. If the message is not clearly understood (or readable), then don’t sign it.
Along with user vigilance, it is also the responsibility of smart contract teams when writing financial applications to understand that malicious attackers are waiting to trick unsuspecting users.
With this in mind, defensive programming best practices need to be used. It is NOT acceptable to expect an average user to read and understand a smart contract, let alone all the potential attack vectors. This is the responsibility of everyone associated with the deployment and maintenance of the contracts. Those that are profiting need to put themselves at the highest standard and develop contracts with adversarial actors in mind.
How does Collab.Land use message signing?
At Collab.Land, the messages we ask users to sign are ONLY plain (readable) text strings. We use message signing to cryptographically verify that a user owns the wallet by recovering the public key. We follow the EIP-712 to clearly show what the user is signing. We do not store the signed message.
Along with following EIP-712 (I have been a supporter since 2017), we remind users with a banner message to always verify the website address :
Most importantly, we are read-only.
We understand there are adversarial actors so even though we do not generate any revenue from any of the services we provide, we invest in anti-scamming solutions.
Your trust and safety matters.
What can you do to keep yourself safer?
- NEVER SHARE YOUR PRIVATE KEY OR SEED/RECOVERY PHRASE
- ALWAYS verify the website address
- ALWAYS understand what you are signing (and ASK questions if you don’t!!)