Unraveling Blind Message Attacks in Web3 Authentication

Abstract

As Web3 continues its rapid expansion, the security of Web3 authentication—often the gateway to Web3 applications—becomes increasingly crucial. Despite its widespread adoption, the security risks of Web3 authentication remain understudied.

This paper investigates vulnerabilities in the Web3 authentication process and introduces blind message attacks, where attackers trick users into signing messages from target applications by exploiting their inability to verify message sources. We present:

• Web3AuthChecker: A dynamic detection tool identifying vulnerabilities in 75.8% of evaluated Web3 authentication deployments (22/29 cases).
• Web3AuthGuard: A wallet-integrated solution that alerts users to potential attacks, successfully preventing 80% of tested threats.
• Responsible disclosure: Two CVE IDs (CVE-2023-50053, CVE-2023-50059) were assigned for reported vulnerabilities.

Keywords: Web3, Authentication, Blockchain, Security

Introduction

Blockchain technology powers Web3 applications like DeFi, NFTs, and decentralized games, with ecosystems worth billions. However, Web3 authentication—used for user login and profile updates—relies on users blindly signing messages without verifying their origin. This paper uncovers how attackers exploit this weakness to hijack accounts via blind message attacks.

Key Contributions:

1. New Vulnerabilities: Identification of blind message attacks, replay attacks, and blind multi-message attacks.
2. Detection Tool (Web3AuthChecker): Automates vulnerability detection by testing backend APIs.
3. Mitigation (Web3AuthGuard): A wallet-based solution to alert users during suspicious sign requests.

How Blind Message Attacks Work

Attack Flow:

1. Target Selection: Malicious sites identify high-value targets (e.g., NFT marketplaces) via blockchain transaction history.
2. Message Spoofing: The attacker requests a legitimate message from the target application and presents it to the victim for signing.
3. Unauthorized Access: The attacker uses the victim’s signature to gain access to their account on the target site.

Root Cause:

• Users cannot verify message origins due to missing domain or nonce fields.
• Servers often fail to validate message integrity (e.g., static fields like domain).

Web3AuthChecker: Detecting Vulnerabilities

Methodology:

1. Message Analysis: Checks for critical fields (domain, nonce) and validates server-side verification.
2. API Testing: Sends crafted payloads to authentication APIs to detect flaws.

Results:

• 75.8% of tested applications were vulnerable to blind message attacks.
• Advanced Attacks: 11 cases allowed replay attacks; 7 were susceptible to multi-message attacks.

Case Studies

1. Unchecked Message Vulnerability (LearnBlockchain)

• Issue: The message "learnblockchain" lacked critical fields, allowing any user signature to pass authentication.
• Impact: Attackers could drain user points (exchangeable for currency).
• Resolution: Fixed post-disclosure; awarded a bug bounty.

2. Blind Multi-Message Attack (Foundation, QuestN, Planetix)

• Exploit: A single malicious message bypassed authentication on three sites by embedding target fields.

• Example:

  Welcome! [Hidden: Foundation’s message] Web3TokenVersion:2 Nonce:84800972...

Mitigation with Web3AuthGuard

How It Works:

1. Template Extraction: Wallets store message templates (static fields) from trusted sites.
2. Fuzzy Matching: Alerts users if a new message resembles a template from another site.

Effectiveness:

• 80% success rate in blocking attacks.
• Limitations: Fails if attackers modify message bodies entirely (5/25 cases).

FAQs

Q1: How do blind message attacks differ from phishing?
A1: Phishing mimics a specific site, while blind message attacks dynamically target any vulnerable application using a user’s transaction history.

Q2: Can users detect these attacks manually?
A2: Only if messages include verifiable domain fields. Most users overlook this due to UX complexity.

Q3: How can developers prevent these vulnerabilities?
A3: Enforce EIP-4361 (SIWE) standards, ensuring messages include domain and nonce fields.

Conclusion

Blind message attacks expose critical flaws in Web3 authentication, enabled by poor message design and lax server verification. Our tools—Web3AuthChecker for detection and Web3AuthGuard for prevention—offer actionable solutions.

👉 Explore secure Web3 authentication best practices
👉 Learn how wallets can integrate Web3AuthGuard

Future Work: Standardizing end-to-end protocols (e.g., SIWE) and promoting unique keys per application.

### Key Features: