Signature phishing
Signature phishing is a method where attackers obtain an off-chain signature from users, and then use it later to steal their assets.
Naturally, there's a lot of blanks to fill in here, so let's begin.
What is an off-chain signature?
Signatures are an integral part of using a self-custody wallet like MetaMask. Any action in web3 requires your authentication—via signing—to prove that the message or transaction came from you.
Every time you interact with a smart contract, such as when swapping on MetaMask, you're signing a message that allows something to happen on your authority. A swap, for example, requires you to sign a message to confirm that you actually *do* want to swap a given amount of token A for a given amount of token B.
Want more on signatures?
For more information on signatures and their role in MetaMask, see here.
The majority of signatures are on chain; that is to say, they are broadcast to the network and recorded on the blockchain.
As Ethereum has evolved, it has become possible to sign transactions off chain. This means that signing does not itself broadcast anything to the network; the signed message is simply handed to the dapp that requested it. Crucially, in this scam, that lets the dapp collecting the signature use the signed message at a time of its choosing.
For a fuller explanation of the difference between on-chain and off-chain transactions, see our article on metatransactions here.