What is the truth behind the multi-signature scams targeting TRON wallets, and how can users keep their assets safe?

2023-03-06 15:00
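Original title: "What Is the Truth Behind the Multi-Signature Scams Targeting TRON Wallets, and How Can Users Keep Their Assets Safe?"
Original author: amanda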


Recently, some TRON and TokenPocket users reported that their wallets had inexplicably been set to "multi-signature" and that they could no longer transfer or receive crypto assets normally. Worse, some had the assets in their wallets stolen.


These users had fallen victim to multi-signature scams targeting TRON's TronLink wallet and the TokenPocket wallet.


For newcomers to the crypto world, using a wallet correctly is a topic that cannot be sidestepped. The crypto world is like a dark forest: wallet fraud is endless, and the slightest mistake can cost users their assets.


So what exactly is this multi-signature mechanism, and why do some users fall for these scams? Is it down to the design of TRON's security mechanism, or is it a trap deliberately set by fraudsters? If you use one of the wallets mentioned above, or want to understand how TRON's multi-signature mechanism works so that you can avoid scams, this article will help you.


Why does an account end up multi-signed?


Let us first look at TRON's multi-signature mechanism.


In general, every transaction you make in your wallet must be "signed" by you before it is executed; the signature can take the form of a password you set or a fingerprint on your phone. In this case, you alone decide where the money in the account goes: by signing, you complete the transfer of crypto assets out of your own account.


But there are also scenarios where several people decide where the money in the account goes, such as crypto assets held jointly by a team or a company, or a user who keeps two wallets to be on the safe side so that a transaction is approved only when both wallets agree to it. In this case, one account can be managed by multiple private keys, and a transaction created in that account can be signed by multiple private keys, so that several people jointly manage the crypto assets with different weights.


In the interfaces of TRON's TronLink wallet and the TokenPocket wallet, multi-signature can be configured to meet different usage scenarios and needs.


Image credit: Tron Wallet Documentation


Now that we know what multi-signature is, let's look at the possible reasons why a user's account ends up multi-signed.


First, the user sets up multi-signature themselves


Some novices mistakenly set up multi-signature while exploring the wallet's functions. Once it is set, a transfer needs at least two wallet addresses to sign and confirm the transaction. The single wallet in the user's hands cannot complete the transaction on its own, so the transaction is blocked.


This situation is caused by user error, and the user's assets are still safe. The solution is simple: the user can either satisfy the multi-signature requirement at the time of the transaction, or cancel the multi-signature setting and execute the transaction with a single signature.


Second, the user's private key is leaked and the account is multi-signed


The most common scenario is a user downloading a fake wallet from a phishing site. The fake wallet software also generates private keys and mnemonics for the user.


But the fake wallet may steal the private key or mnemonic, which means the user has lost control of the wallet. The thief can then use the multi-signature mechanism to set his address and your address together as signers, at which point the user finds that transfers no longer go through. And because the other party holds your private key and also controls his own multi-signature account, he can transfer your funds.


Third, a scammer deliberately leaks a private key as bait, and the funds transferred in cannot be retrieved


Although this method is old, beginners are still hit hard by it. The scammer gives you the private key to his wallet, which often holds a significant amount of other assets. He might ask you to help him operate his wallet, transferring a certain amount of TRX and transferring an equal amount of stablecoin assets.


The user may think he has found a bargain, import the other party's private key or mnemonic, and transfer TRX into that wallet. At this point, the multi-signature trap is sprung.


The wallet given by the scammer is actually set up as a multi-signature wallet, so even with his private key you cannot move the assets in it, and the assets you transferred in are lost.


Photo credit: TP Wallet


Fourth, clicking a phishing link causes a permission change


A user may click a phishing link and have the wallet's permissions changed. For example, scammers build a website that sells all kinds of vouchers or top-ups at a low price. When the user tops up through the link they provide, it invokes malicious permission-escalation code; if the user simply confirms and enters the password to sign, the permissions of their own wallet address are changed.


The actual case provided by TP Wallet shows that after the user clicks the phishing link to transfer money, the wallet directly displays a prompt informing the user that the operation is not a simple transfer but a call to the "upgrade account permissions" function. Once the user clicks "yes", the scammer's multi-signature setup is authorized. Once the user's wallet address has been maliciously multi-signed, transfers run into problems, and the other party may also use the multi-signature permissions to transfer funds.


Photo credit: TP Wallet
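
The pre-signing check described in the fourth scenario, as an added example that is not from the original article or from any wallet's code. The contract type names and field layout assume the JSON form of a TRON transaction as used by TRON's HTTP API; the function names and addresses are hypothetical placeholders.

```python
# Added example: review an unsigned TRON transaction before signing it.
# Field names assume the JSON form used by TRON's HTTP API; addresses are
# constructed placeholders, not real accounts.

PERMISSION_UPDATE = "AccountPermissionUpdateContract"


def new_key_holders(value, my_address):
    """Addresses other than mine that the update would give a signing key."""
    perms = [value.get("owner", {})] + list(value.get("actives", []))
    return sorted({k["address"] for p in perms for k in p.get("keys", [])
                   if k.get("address") not in (None, my_address)})


def review_before_signing(tx, my_address, expected_type="TransferContract"):
    """Return (ok, reasons). ok is False when the transaction is not the
    operation the user believes they are approving."""
    contracts = tx.get("raw_data", {}).get("contract", [])
    if len(contracts) != 1:
        return False, [f"expected one contract, found {len(contracts)}"]
    contract = contracts[0]
    ctype = contract.get("type")
    reasons = []
    if ctype != expected_type:
        reasons.append(f"expected {expected_type}, transaction is {ctype}")
    if ctype == PERMISSION_UPDATE:
        value = contract.get("parameter", {}).get("value", {})
        for addr in new_key_holders(value, my_address):
            reasons.append(f"grants a signing key to {addr}")
    return (not reasons, reasons)


ME, OTHER = "T_MY_ADDRESS_PLACEHOLDER", "T_UNKNOWN_ADDRESS_PLACEHOLDER"
# Constructed sample: a "top-up" page that submits a permission update.
PHISHING_TX = {"raw_data": {"contract": [{
    "type": PERMISSION_UPDATE,
    "parameter": {"value": {
        "owner_address": ME,
        "owner": {"permission_name": "owner", "threshold": 1,
                  "keys": [{"address": OTHER, "weight": 1}]},
        "actives": [{"permission_name": "active", "threshold": 1,
                     "keys": [{"address": OTHER, "weight": 1}]}]}}}]}}
# Constructed sample: an ordinary TRX transfer.
TRANSFER_TX = {"raw_data": {"contract": [{
    "type": "TransferContract",
    "parameter": {"value": {"owner_address": ME, "to_address": OTHER,
                            "amount": 1000000}}}]}}
```
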


Multi-signature security requires private key security


As the four common multi-signature situations above show, leaking the private key, or trusting phishing links and wallets supplied by others, is the direct cause of asset loss.


In these scams, the multi-signature mechanism itself is "innocent"; fraudsters merely use it as a means to carry out the fraud.


This is obviously not what TRON's multi-signature mechanism was designed for.


Think of the TRON wallet's multi-signature mechanism as a stronger combination of locks, where several keyholes must be unlocked before the assets in your home can be moved. But this security has a premise: users must keep their own original permissions. If all the keys to the lock end up in one person's hands, even the most capable lock loses its value.
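
One way to check that premise for an account, and to test a key handed over by someone else as in the third scenario, is to compare the weight each key holds against each permission's threshold. This is an added example, not code from the original article or from TRON; the field names assume the account JSON a TRON node returns, and the function names and addresses are hypothetical placeholders.

```python
# Added example: audit a TRON account's permissions for single-key control.
# Field names assume the JSON a TRON node returns for an account query;
# the addresses below are constructed placeholders, not real accounts.

def signing_weight(permission, address):
    """Total weight `address` holds in one permission."""
    return sum(k.get("weight", 0) for k in permission.get("keys", [])
               if k.get("address") == address)


def audit_account(account, my_address):
    """Return findings; an empty list means my_address alone meets every
    threshold and no other address holds a signing key."""
    if "owner_permission" not in account:
        return ["owner_permission missing from input; cannot verify control"]
    permissions = [account["owner_permission"]]
    permissions += account.get("active_permission", [])
    findings = []
    for perm in permissions:
        name = perm.get("permission_name", "?")
        threshold = perm.get("threshold", 1)
        mine = signing_weight(perm, my_address)
        if mine < threshold:
            findings.append(f"{name}: my weight {mine} < threshold {threshold}")
        for key in perm.get("keys", []):
            if key.get("address") != my_address:
                how = "alone" if key.get("weight", 0) >= threshold else "with co-signers"
                findings.append(f"{name}: {key.get('address')} can sign {how}")
    return findings


ME, OTHER = "T_MY_ADDRESS_PLACEHOLDER", "T_UNKNOWN_ADDRESS_PLACEHOLDER"
# Constructed sample: account after a thief added his own key.
HIJACKED = {
    "owner_permission": {"permission_name": "owner", "threshold": 2, "keys": [
        {"address": ME, "weight": 1}, {"address": OTHER, "weight": 2}]},
    "active_permission": [{"permission_name": "active", "threshold": 1,
                           "keys": [{"address": OTHER, "weight": 1}]}],
}
# Constructed sample: account still controlled by a single key.
HEALTHY = {
    "owner_permission": {"permission_name": "owner", "threshold": 1,
                         "keys": [{"address": ME, "weight": 1}]},
    "active_permission": [{"permission_name": "active", "threshold": 1,
                           "keys": [{"address": ME, "weight": 1}]}],
}
```

For a key received from someone else, pass the address derived from that key as `my_address`; any finding means the key does not control the account on its own.
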


Looking at current wallet fraud and TRON's multi-signature mechanism together, it is not hard to see that in most cases the user was careless and the multi-signature mechanism itself is not the problem. The problem lies more in the environment: the mismatch in technical ability between users and fraudsters in the crypto world, and the industry's lack, at this early stage, of mature technical warning, identification and countermeasures.


However, in the current situation, while offering the multi-signature mechanism to users, can TRON go a step further on the development side and use technology to reduce the possibility of fraud as far as possible?


TRON's multi-signature mechanism is currently available only in the TronLink wallet and the TokenPocket wallet.


At present, because multi-signature involves sensitive private-key signing, TRON has disabled the interface services that involve private-key signing in its API reference manual.


In addition, wallets and related products can evaluate multi-signature against their own needs and decide whether and how to present the prompts to the user. Presenting the TRON multi-signature mechanism to users is therefore not a "required option". When the option is presented, it does not come at the expense of security and reliability.


However, the ultimate security of assets is inseparable from users strengthening their own security awareness. With fewer expectations of pie in the sky and more vigilance against tempting traps and possible scams, the security of the whole crypto world will improve further.

