You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is your feature request related to a problem? Please describe.
There are a number of scams that use Cosmos SDK authz MsgGrant feature to give themselves complete control over the wallet on the chain, and users may not be aware that signing the MsgGrant can lead to such outcomes.
MsgGrant is a very valid feature and should surely be better explained to users, however it feels like wallets like Keplr could have a responsibility in alerting their users of potential risks before signing such transactions. I am especially thinking of the cases with GenericAuthorization allowing the grantee access to MsgGrant, MsgSend. These should not be too common.
Describe the solution you'd like
I would like Keplr wallet extension (or mobile app) to show a warning whenever the user is ready to sign an authz MsgGrant (at least with GenericAuthorization giving the grantee access to MsgGrant, MsgSend.
The warning could be something like: "We notice that you are going to sign a transaction that can lead to loss of funds in your wallet. Please confirm that you are absolutely certain that you are on a legitimate site and that you know what you are doing, before signing the transaction."
Describe alternatives you've considered
I don't think we can ask the Cosmos SDK team to block certain messages in MsgGrant, so it seems the wallet is the best place to warn users to not fall to this kind of scam.
Additional context
Please find below an example of a wallet being drained this way.
The victim only signed one transaction that granted the attacker the right to MsgGrant. https://www.mintscan.io/cosmos/tx/421B90D333AC90E8EC27264CDF6DDDA75B69D3B93AB3288DDA019786DBF2C41D?height=19607412
From there, the attacker had all access, could grant himself more permissions, then granted same full access to 2000 of its wallets (making it more difficult to revoke - that's another topic) and then drained all funds (~1000 staked ATOM + all liquid assets).
The text was updated successfully, but these errors were encountered:
Is your feature request related to a problem? Please describe.
There are a number of scams that use Cosmos SDK authz MsgGrant feature to give themselves complete control over the wallet on the chain, and users may not be aware that signing the MsgGrant can lead to such outcomes.
MsgGrant is a very valid feature and should surely be better explained to users, however it feels like wallets like Keplr could have a responsibility in alerting their users of potential risks before signing such transactions. I am especially thinking of the cases with GenericAuthorization allowing the grantee access to MsgGrant, MsgSend. These should not be too common.
Describe the solution you'd like
I would like Keplr wallet extension (or mobile app) to show a warning whenever the user is ready to sign an authz MsgGrant (at least with GenericAuthorization giving the grantee access to MsgGrant, MsgSend.
The warning could be something like: "We notice that you are going to sign a transaction that can lead to loss of funds in your wallet. Please confirm that you are absolutely certain that you are on a legitimate site and that you know what you are doing, before signing the transaction."
Describe alternatives you've considered
I don't think we can ask the Cosmos SDK team to block certain messages in MsgGrant, so it seems the wallet is the best place to warn users to not fall to this kind of scam.
Additional context
Please find below an example of a wallet being drained this way.
The victim only signed one transaction that granted the attacker the right to MsgGrant.
https://www.mintscan.io/cosmos/tx/421B90D333AC90E8EC27264CDF6DDDA75B69D3B93AB3288DDA019786DBF2C41D?height=19607412
From there, the attacker had all access, could grant himself more permissions, then granted same full access to 2000 of its wallets (making it more difficult to revoke - that's another topic) and then drained all funds (~1000 staked ATOM + all liquid assets).
The text was updated successfully, but these errors were encountered: