Beginner’s Guide to Web3 Security: Risk of Wallet Being Maliciously Multi-Signed

SlowMist
7 min readJul 25, 2024

--

Background

In the previous installment of the Web3 Security Guide, we discussed the risks associated with downloading or purchasing wallets, how to find official websites, methods to verify the authenticity of wallets, and the dangers of private key/seed phrase leaks. The phrase “Not your keys, not your coins” emphasizes the importance of controlling your private keys. However, there are situations where even possessing the private keys or seed phrases does not guarantee control over your assets, such as when a wallet is compromised by a malicious multisignature setup.

Based on data collected from MistTrack’s stolen funds report, some users find that their wallets contain funds, but they cannot transfer them due to malicious multisignature configurations. In this guide, we use the TRON wallet as an example to explain the concept of multisignature phishing, the mechanics of multisignature systems, common tactics used by hackers, and strategies to prevent your wallet from being maliciously configured with multisignature settings.

Multisignature Mechanism

A multisignature (multisig) mechanism is designed to enhance wallet security by allowing multiple users to collectively manage and control access to a digital asset wallet. This setup means that even if some managers lose or leak their private keys/seed phrases, the assets within the wallet may remain secure.

TRON’s multisignature system includes three distinct permission levels: Owner, Witness, and Active, each serving specific functions and purposes.

Owner Permissions:

- Hold the highest level of authority, capable of executing all contracts and operations.

- Only an owner can modify other permissions, including adding or removing signers.

- When a new account is created, the account itself is assigned the owner permission by default.

Witness Permissions:

- Primarily associated with Super Representatives, this permission allows an account to participate in the election and voting processes for Super Representatives, as well as manage operations related to them.

Active Permissions:

- Used for daily operations such as transfers and smart contract execution. The owner can set and modify these permissions, typically assigning them to accounts that need to perform specific tasks. Active permissions encompass a range of authorized actions, such as TRX transfers and asset staking.

As mentioned earlier, a new account’s address automatically receives owner permissions (the highest level) by default. This owner can then adjust the account’s permission structure, deciding which addresses receive permissions, the weight of these permissions, and setting thresholds. The threshold determines the required weight of signatures to execute specific actions. For example, if the threshold is set to 2, and each of the three authorized addresses has a weight of 1, then at least two signatories must approve for the operation to proceed.

The Process of Malicious Multisignature

When a hacker obtains a user’s private key or seed phrase, and the user has not implemented a multisignature mechanism (meaning the wallet is solely controlled by the user), the hacker can either grant themselves Owner/Active permissions or transfer the user’s Owner/Active permissions to their own address. These actions are commonly referred to as malicious multisignature, but this term can be broadly defined. In reality, the situation can be categorized based on whether the user still retains any Owner/Active permissions:

Exploiting the Multisignature Mechanism

In the scenario depicted below, the user’s Owner/Active permissions have not been removed; instead, the hacker has added their own address as an authorized Owner/Active party. The account is now jointly controlled by the user and the hacker, with the threshold set at 2. Both the user’s and the hacker’s addresses have a weight of 1. Despite the user possessing the private key/seed phrase and retaining Owner/Active permissions, they cannot transfer their assets. This is because any request to transfer assets requires the approval of both the user and the hacker, as both signatures are necessary for the operation to proceed.

While the process of transferring assets from a multisignature wallet requires multiple signatures, depositing funds into the wallet does not. If users do not regularly check their account permissions or have not made any recent transfers, they may not notice changes to their wallet’s permissions, leading to prolonged losses. If the wallet contains only a small amount of assets, hackers might wait until the account accumulates more assets before stealing everything at once.

Exploiting TRON’s Permission Management System

In another scenario, hackers exploit TRON’s permission management system by directly transferring the user’s Owner/Active permissions to the hacker’s address, with the threshold still set at 1. This action strips the user of their Owner/Active permissions, effectively removing their control over the account, even the “voting rights.” Although this is not technically a case of malicious multisignature, it is commonly referred to as such.

In both cases, whether the user retains any Owner/Active permissions or not, they lose actual control over the account. The hacker, now possessing the highest permissions, can alter account settings and transfer assets, leaving the legitimate owner unable to manage their wallet.

Methods of Malicious Multisignature Attacks

Based on data collected from MistTrack’s stolen funds report, we have identified several common causes of malicious multisignature attacks. Users should be vigilant in the following situations:

1. Downloading Fake Wallets: Users may download fake wallets by clicking on links to fraudulent websites sent via Telegram, Twitter, or other sources. This can lead to the leak of private keys or seed phrases, resulting in malicious multisignature attacks.

2. Entering Private Keys on Phishing Sites: Users who enter their private keys or seed phrases on phishing sites offering services like fuel cards, gift cards, or VPNs can lose control of their wallets.

3. OTC Trading: During OTC (over-the-counter) transactions, someone may capture or otherwise acquire the user’s private keys or permissions, leading to a malicious multisignature attack.

4. Scams Involving Private Keys: Scammers may provide a private key, claiming they cannot withdraw assets and offering a reward for assistance. Although the associated wallet appears to have funds, the withdrawal permissions are configured to another address, preventing any transfer.

5. Phishing Links on TRON: Users might click on phishing links on TRON and sign malicious data, resulting in a malicious multisignature setup.

Conclusion

In this guide, we used the TRON wallet as an example to explain the multisignature mechanism, how hackers conduct malicious multisignature attacks, and common tactics used. This information aims to enhance understanding and improve prevention against malicious multisignature attacks. Additionally, some users, especially beginners, may accidentally configure their wallets for multisignature, requiring multiple signatures for transfers. In such cases, users need to meet the multisignature requirements or revert to a single signature by assigning Owner/Active permissions to only one address.

Recommendations

The SlowMist Security Team advises users to regularly check their account permissions for anomalies, download wallets from official sources, avoid clicking on unknown links, and never enter private keys or seed phrases on suspicious sites. Installing antivirus software (such as Kaspersky, AVG) and phishing protection plugins (such as Scam Sniffer) can also enhance device security.

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

We offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.

💬Website 🐦Twitter ⌨️GitHub

--

--

SlowMist
SlowMist

Written by SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.

No responses yet