
I've been told that signing a message on a Dapp is the only way to prove that you actually own the account you are connecting with (i.e., simply connecting your wallet isn't enough because someone could just send a backend call that uses someone else's wallet).

However, I'm having a tough time understanding how that would work. If I look at libraries like web3modal, web3react, and web3-onboard, they all just use a function like connect() to open up someone's injected wallet in their browser. Can a nefarious actor somehow edit connect() and pass in a wallet address they don't own?

1 Answer


Can a nefarious actor somehow edit connect() and pass in a wallet address they don't own?

You can pass whatever data you want from the client to the backend or blockchain. If you do not sign the data, there is no verification that you own the data.

For the purpose of authenticating addresses and logins, see Sign in with Ethereum.

  • That part makes sense to me; I'm more wondering how exactly that would be done in this case. If I have a website that uses the connect() function to connect to injected MetaMask, what does a nefarious actor do to send in a wallet that isn't theirs? – Dimitri Borgers Apr 07 '22 at 18:27
  • They make an HTTP request with whatever payload they want. Please read here https://stackoverflow.com/a/3483669/315168 – Mikko Ohtamaa Apr 07 '22 at 20:59
  • I believe the HTTP request vulnerability only holds in this situation if a wallet method (e.g. eth_sendTransaction) is being handled by a backend service. I am struggling to see how a wallet could be spoofed in a SPA that retrieves wallet data directly from an injected provider (e.g. MetaMask). For example, in a test SPA I listen for an onClick event to connect to MM. After the user connects to their MM account successfully (thus proving their account ownership) I retrieve ethereum.selectedAddress. This way any attempt to spoof the address inside the console does NOT update the address in the SPA. – dberning Jan 22 '23 at 16:48