Support clear-sign for EIP712 on Ledger #1816
Comments
|
Why not verify it via Rabby UI? |
|
Point of using hardware wallet is no need to trust Rabby UI (or any other software wallet). Why use hardware wallet at all if I will trust software wallet? |
|
Got your point, does Ledger hardware support this? |
|
Yes, hardware does support this. When I use Ledger Live it displays full EIP712 data on the device. So, I do not need to trust Ledger Live in this case, only to Ledger device. |
|
OK, will check how Ledger Live make it |
|
btw, you need to click the button on device several times in this way right? |
No, I do not think this is too much. But if somebody thinks so, they can just disable it in the device settings and trust theirs software wallet. |
|
Maybe it is even disabled by default, @vvvvvv1vvvvvv check ETH application settings (on the device) when you look into this. |
|
will revert in #2026 since we found this will cause some issues with EIP-712 signature, will also report to Ledger team to fix them |
|
Could you rather add switch to ask user whether they want to use clear sign or blind sign? Compromising on security to workaround some rather rare bug (I personally had 0 issues with clear sign since it was merged) seems like a very bad decision to me. Adding switch so user can use clear sign but disable it if there are problems seems to be a lot better solution. |
|
Have to temporary revert since other user meet the issue, no worry, will make it back after Ledger fix the issue, for track: |
|
You can use specify version until we make it back, download here: https://github.com/RabbyHub/Rabby/releases/tag/v0.92.49 |
Ledger show only hashes when user prompted to sign EIP712 with Rabby and there is no easy way to verify what these hashes correspond to. Signing hashes is dangerous, because it might be phishy permit to transfer WETH, WBTC or monkey without expiration. Ledger supports displaying EIP712 domain and data on the device screen when signing with Ledger Live. Rabby should too!
Might be related: https://pypi.org/project/eip712-clearsign/
The text was updated successfully, but these errors were encountered: