Is it possible a malicious dApp creator collects a signed txn then send it to another dApp?

Suppose a malicious dApp attacker created dApp “Bad”, and there is a legit dApp “Good”, and there is a user Alice.

Steps like this:

1, The attacker connects to dApp “Good” and established a wallet-connect session using Alice’s address (this is doable since in the wallet-connect’s session request step, you can response with any address, no sign required in this step), now the attacker (disguised as Alice) has an active wallect-connect session with dApp “Good”. Then suppose the dApp “Good” asks for a transaction from Alice’s address to dApp “Good” 's address, and wait for a response.

2, The attacker asks the real user Alice to connect to his dApp “Bad” (the attacker could phish users like say it is a reward program and Alice may bite it). Since the attacker is the creator of dApp “Bad”, the attacker now has an active wallet-connect session with real user Alice. Then the attacker starts a transaction whose sender address is Alice and receiver is dApp “Good” address from his dApp “Bad”, then asks Alice to sign it. Alice signed and sent back to the attacker.

3, Now the attacker can respond the signed txn data via the connected wallet-connect session in the 1st step. Once the dApp “Good” received the signed transaction, treated it as Alice signed the txn to use dApp “Good” and do other logics, although during the whole process Alice never touched the dApp “Good”

It is like the attacker uses a malicious dApp to play the man-in-the-middle attack. Is the above process possible? and if it is, is there a way to prevent it?

Thank you

1 Like

Your scenario indeed is possible.

A webapp can request any transaction to be signed to a user.
There is nothing at the wallet level that will check whether a given webapp is supposed to make a given transaction.
Therefore, users must be very careful when approving transactions and must read them carefully, especially when it involves transferring funds, but not only.

Wallets obeying the ARC-0001 draft standard must show warnings for particularly dangerous transactions such as close transactions: ARCs/ at main · algorandfoundation/ARCs · GitHub
But there is really nothing a wallet can do to prevent a bad website to request a signature for a good dApp.


thank you @fabrice for the reply, yep, I think this attack is more like a “social engineering” attack other than on the tech part, just like some phishing websites, while App can do its best to warn user, users need to be careful too