I was hacked by a fake Base bridge site and lost 30k worth of ETH. I found it is because the transaction signature is not human readable, and I confirmed the fake transaction; in reality I just gave all my ETH balance to the hacker.
That means Rainbow wallet's eth_sign is enabled by default, which is very bad design.
eth_sign should be disabled by default; it is a very old signature type, and most modern dApps should not use it.
A warning message should be prompted to the user if the user needs to enable it manually.
If any transaction uses eth_sign, a warning should be prompted to the user to avoid this kind of attack.
We don't plan on disabling eth_sign. While we understand it's not popular, it is still being used and we'd rather support it than not; this issue isn't specific to eth_sign either, unfortunately.
We do take these kinds of things seriously and are working on a few things that will help protect you and other users.
We will be adding dApp warnings for sites with known scams, security vulnerabilities, etc. This should be live within the month.
We are also adding tx and signature simulations, which will tell you what the signature is allowing, so you will have more information as to what you're signing.
Thanks for using 🌈, and we hope you'll stick around for these security features!
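One way a wallet could implement the two mitigations discussed in this thread (eth_sign off unless the user explicitly opts in, and a readable description of what each signing request authorizes before the confirmation sheet is shown) is sketched below. This is an added example for illustration, not Rainbow's code; it assumes the JSON-RPC parameter order wallets commonly receive (`eth_sign`: `[address, dataHex]`; `personal_sign`: `[message, address]`; `eth_signTypedData_v4`: `[address, typedDataJson]`), and the function and setting names (`describeSigningRequest`, `allowEthSign`) are invented for the example.

```javascript
// Added example (not Rainbow's own code): a wallet-side policy gate for
// signing requests. eth_sign is blocked until the user opts in, and every
// request is turned into a human-readable summary with a risk level so the
// confirmation UI can show what is being authorized.
//
// Assumed request shapes (JSON-RPC conventions, not Rainbow-specific):
//   eth_sign             params: [address, dataHex]        (opaque 32-byte value)
//   personal_sign        params: [message, address]        (EIP-191 text)
//   eth_signTypedData_v4 params: [address, typedDataJson]  (EIP-712 structure)

const DEFAULT_SETTINGS = Object.freeze({
  allowEthSign: false, // hypothetical setting: eth_sign stays off until the user opts in
});

const HEX32 = /^0x[0-9a-fA-F]{64}$/;

// Decode a personal_sign payload. dApps send either raw text or its hex
// encoding; returns null when the bytes are not valid UTF-8 text.
function decodePersonalMessage(message) {
  if (typeof message !== 'string') return null;
  if (!message.startsWith('0x')) return message;
  const text = Buffer.from(message.slice(2), 'hex').toString('utf8');
  return text.includes('\uFFFD') ? null : text;
}

// Classify a signing request. Returns { allow, level, method, summary, display }.
// level is one of 'block' | 'danger' | 'warn' | 'info'.
function describeSigningRequest(request, settings = DEFAULT_SETTINGS) {
  const { method, params = [] } = request;
  const deny = (summary) => ({ allow: false, level: 'block', method, summary });

  switch (method) {
    case 'eth_sign': {
      const [, data] = params;
      if (!settings.allowEthSign) {
        return deny('eth_sign is disabled by default; it can only be enabled manually in advanced settings.');
      }
      // Even when enabled, the wallet cannot explain an opaque hash: it may be
      // the hash of a transaction that moves the account's funds.
      return {
        allow: true,
        level: 'danger',
        method,
        summary: 'Raw eth_sign over an opaque 32-byte value. The wallet cannot show what this authorizes; it may be a transaction that spends your funds.',
        display: HEX32.test(data) ? data : String(data),
      };
    }
    case 'personal_sign': {
      const [message] = params;
      const text = decodePersonalMessage(message);
      if (text === null) {
        return { allow: true, level: 'warn', method, summary: 'Message is not readable text; review the raw bytes before signing.', display: String(message) };
      }
      return { allow: true, level: 'info', method, summary: `Readable message: "${text}"`, display: text };
    }
    case 'eth_signTypedData_v4': {
      const [, json] = params;
      let typed;
      try {
        typed = JSON.parse(json);
      } catch {
        return deny('Typed data is not valid JSON.');
      }
      const domain = (typed.domain && typed.domain.name) || '(no domain name)';
      const primary = typed.primaryType || '(no primaryType)';
      // EIP-2612 style Permit messages grant token allowances, so they get a warning.
      const isPermit = /permit/i.test(primary);
      return {
        allow: true,
        level: isPermit ? 'warn' : 'info',
        method,
        summary: `Structured ${primary} for ${domain}` + (isPermit ? ' (grants a token allowance)' : ''),
        display: JSON.stringify(typed.message, null, 2),
      };
    }
    default:
      return deny(`Unsupported signing method: ${method}`);
  }
}

// Constructed sample requests for a quick run.
const SAMPLE_ACCOUNT = '0x' + '22'.repeat(20);
const SAMPLE_HASH = '0x' + '11'.repeat(32);
console.log(describeSigningRequest({ method: 'eth_sign', params: [SAMPLE_ACCOUNT, SAMPLE_HASH] }));
console.log(describeSigningRequest({ method: 'personal_sign', params: ['0x68656c6c6f', SAMPLE_ACCOUNT] }));
```

The gate is deliberately conservative: an unknown method is refused rather than passed through, and the `danger` level for an enabled eth_sign is what the confirmation sheet would use to show the warning the thread asks for.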