
I've been told that signing a message on a Dapp is the only way to prove that you actually own the account you are connecting with (i.e., simply connecting your wallet isn't enough because someone could just send a backend call that uses someone else's wallet).

However, I'm having a tough time understanding how that would work. If I look at libraries like web3modal, web3react, and web3-onboard, they all just use a function like connect() to open up someone's injected wallet in their browser. Can a nefarious actor somehow edit connect() and pass in a wallet address they don't own?

TylerH

1 Answer


Can a nefarious actor somehow edit connect() and pass in a wallet address they don't own?

You can pass whatever data from the client to the backend or blockchain. If you do not sign the data, there is no verification that you own the data.

Mikko Ohtamaa
  • That part makes sense to me; I'm more wondering how exactly that would be done in this case. If I have a website that uses the connect() function to connect to an injected MetaMask, what does a nefarious actor do to send in a wallet that isn't theirs? – Dimitri Borgers Apr 07 '22 at 18:27
  • They make an HTTP request with whatever payload they want. Please read here: https://stackoverflow.com/a/3483669/315168 – Mikko Ohtamaa Apr 07 '22 at 20:59