For hashing and signing structured data, offline signing following the EIP-712 standard is recommended. SlowMist has pointed out that security issues remain even with signTypedData_v4: although the signature content appears readable, a phishing website can initiate an identical signature request and misuse the resulting signature later.
Hence, wallets should not only parse the structured data of signTypedData requests but also display the application's name and URL as the signature source, together with the interaction history. Even when a request does not follow standard EIP-712, intelligent risk prompts should be in place.
Scenario: Signature for Transactions
Transferring tokens is a major use case for wallets. It covers Ethereum's native token ETH as well as tokens that follow the ERC-20 and ERC-721 standards. Security tools such as MistTrack, developed by SlowMist, provide risk address labels; wallets need to intelligently intercept such transfers or display risk alerts to help users avoid falling victim.
Apart from that, there are non-conventional transfer scenarios, such as transferring to contract addresses. A standard wallet transfer goes to an Externally Owned Account (EOA). If the recipient is a contract address, special attention is required, since such transfers often carry risk, although the recipient might also be a contract wallet address. A wallet that intelligently recognizes whether an address is a regular account or a contract address, and adds a specific label alert for contract addresses, helps raise users' security awareness.
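The recipient check described above, as an added example that is not SlowMist's or any wallet's code: it classifies a transfer recipient from the raw result of an `eth_getCode` JSON-RPC call (empty code means an EOA, any bytecode means a contract) and combines that with a risk-label lookup, blocking labelled addresses and warning on contract addresses. The risk-label table and all addresses are constructed placeholders standing in for a service such as MistTrack.

```javascript
// Added example, not code from the original article. Classifies a transfer
// recipient and builds the alerts a wallet would show before signing.

// Constructed risk-label table keyed by lowercase address (placeholder values,
// standing in for a labelling service such as MistTrack).
const RISK_LABELS = {
  "0x1111111111111111111111111111111111111111": "Phishing",
};

// eth_getCode returns "0x" (some clients return "") for an EOA and the deployed
// runtime bytecode for a contract.
function classifyByCode(codeHex) {
  const code = (codeHex || "0x").toLowerCase();
  if (!/^0x([0-9a-f]{2})*$/.test(code)) {
    throw new Error("eth_getCode result is not a hex byte string");
  }
  return code === "0x" ? "eoa" : "contract";
}

// recipient: destination address; codeHex: eth_getCode result for it;
// labels: the wallet's risk-label table. Returns the decision and alert text.
function assessRecipient(recipient, codeHex, labels = RISK_LABELS) {
  const addr = String(recipient).toLowerCase();
  if (!/^0x[0-9a-f]{40}$/.test(addr)) {
    throw new Error("invalid recipient address");
  }
  const kind = classifyByCode(codeHex);
  const alerts = [];
  let action = "allow";
  if (labels[addr]) {
    // A labelled risk address: intercept the transfer, not just warn.
    alerts.push(`Recipient is labelled "${labels[addr]}" by the risk database`);
    action = "block";
  }
  if (kind === "contract") {
    // A contract recipient may be a legitimate contract wallet, so warn rather
    // than block, and ask the user to confirm the destination.
    alerts.push("Recipient is a contract address, not a regular account; confirm it is the intended destination");
    if (action === "allow") action = "warn";
  }
  return { recipient: addr, kind, action, alerts };
}

// Constructed usage: a contract recipient with no risk label.
console.log(assessRecipient("0x2222222222222222222222222222222222222222", "0x6080604052"));
```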