Show Posts
I recommend including more details like the purpose and for whom, just to ensure that it can't be reused or otherwise misconstrued.
Please take note of what is said there.
Imagine this scenario:
I have no bitcoins at all. I pretend to be you. I contact John Smith and tell them that I have some number of bitcoins that I want to send to them in exchange for something. They ask me to send a signed message proving that I'm you.
Meanwhile, I've been talking to you about a "business deal" with you, and I get you to send me a signed a message that just says "Hi, 2024-03-17".
I then take the exact signed message that you've provided to me, and send it on to John Smith. John Smith is now convinced that I'm Speedoguy. I get John smith to provide me whatever he's selling. Next, I disappear.
John Smith now contacts YOU demanding the Bitcoins that he says YOU owe him. You claim that you never received anything from him. You claim you've never even talked to or heard of him. He shows the message where he asked me (pretending to be Speedoguy) for a signed message, and then he shows YOUR signed message saying that it PROVES that YOU did talk to him and that you agreed to send him bitcoins.
What a mess.
All that could have been avoided, if you were just a bit more careful about what you had signed. Instead of just "Hi". Make sure that The message is very clear about details such as who it's from, who it's to, why it's being sent, when it was requested, what it's intended to prove. That will make it much more difficult for the message to be reused.
If instead of "Hi, 2024-03-17" you had signed a message that said:
"This message was requested of Speedoguy by DannyHamilton in an email sent from notDannyHamiltonsEmail@gmail.com at 17:25 UTC on 2024-03-17 to notSpeedoGuysEmail@gmail.com. This message is intended to prove that address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh contains exactly 0.30834147 as of 17:42 UTC on 2024-03-17. This message was requested as part of a business deal where Speedoguy would put up 0.2 BTC as collateral for a loan of $5,000 from DannyHamilton, to be paid back by SpeedoGuy (with interest) in payments of $1,100 on the first day of five consecutive months beginning with the first payment due on 2024-05-01".
It's going to be a lot harder for me to forward that message on to John Smith and convince him that I'm Speedoguy and that I'm providing him 0.30834147 bitcoins to him in exchange for $20,000 of his Monero.
Ya good point about making the message specific. I thought this sort of man in the middle thing was a very real possibility and the most likely scam angle, but I generally think the person is pretty legit, met them, they're using real name verifiable by social media etc and vouched for by others. It's obviously not foolproof though and just trying to make sure the wallet is as secure as possible. They've supposedly done similar deals in the past and acted like signing a message was very standard for showing ownership of funds on a blockchain (which I kind of assume is the main purpose behind the signing feature) but just wanted to make sure there wasn't some possible attack vector
