SigScope: Detecting and Understanding Off-Chain Message Signing-related Vulnerabilities in Decentralized Applications

Sajad Meisami; Hugo Dabadie; Song Li; Yuzhe Tang; Yue Duan

SigScope: Detecting and Understanding Off-Chain Message Signing-related Vulnerabilities in Decentralized Applications

Sajad Meisami, Hugo Dabadie, Song Li, Yuzhe Tang, Yue Duan

Published: 29 Jan 2025, Last Modified: 29 Jan 2025WWW 2025 PosterEveryoneRevisionsBibTeXCC BY 4.0

Track: Security and privacy

Keywords: Blockchains Security, Smart Contract, Decentralized Applications, Off-Chain Message Signing, Signing-related Vulnerabilities

Abstract: In Web 3.0, an emerging paradigm of building decentralized applications or DApps is off-chain message signing, which has advantages in performance, cost efficiency, and usability compared to conventional transaction-signing schemes. However, message signing burdens DApp developers with extra coding complexity and message designing, leading to new security risks. This paper presents the first systematic study to uncover and characterize the security issues in off-chain message signing schemes and the DApps built atop them. We present a holistic static-analysis framework, SIGSCOPE, that uniquely combines the insights extracted from DApp frontend code (HTML and Javascript) off-chain and backend smart contracts on-chain. We evaluate SIGSCOPE using the top 100 DApps to showcase its effectiveness and efficiency. Further, we leverage SIGSCOPE to study a large dataset of 4937 real-world DApps and show that 1579 DApps (including 73% of the top 100) rely on the off-chain message signing feature, and 1154 contain vulnerabilities. Finally, we use two real-world vulnerabilities in popular DApps to showcase our findings.

Submission Number: 2007

Loading