Being hacked by a rainbow security setting vulnerability!!! #5094
Comments
any update?
Hey @huihzhao, so sorry you had that happen! We don't plan on disabling eth_sign; while we understand it's not popular, it is still being used and we'd rather support it than not. This issue isn't specific to eth_sign either, unfortunately. We do take these kinds of things seriously and are working on a few things that will help protect you and other users. We will be adding dapp warnings for sites with known scams, security vulnerabilities, etc. This should be live within the month. We are also adding tx and signature simulations, which will tell you what the signature is allowing so you will have more information as to what you're signing. Thanks for using 🌈 and we hope you'll stick around for these security features! I'll reply here once some of these are live.
any details about the security TX and signature simulations?
The same thing with Rainbow Wallet happened to me about 10 days ago. I’m still rekt. They are supposed to look into it and get back to me this week. Words cannot express how badly this has affected my life.
The same thing happened to me!!
I was hacked by a fake Base bridge site and lost 30k worth of ETH. I found it is because the transaction signature is not human-readable and I confirmed the fake transaction; in reality I just gave all my ETH balance to the hacker.
That means Rainbow wallet's eth_sign is enabled by default, which is very bad design.