Publication Type

Conference Proceeding Article

Version

publishedVersion

Publication Date

5-2025

Abstract

In Web 3.0, an emerging paradigm for building decentralized applications (DApps) is off-chain message signing, which has advantages in performance, cost efficiency, and usability over conventional transaction-signing schemes. However, message signing burdens DApp developers with extra coding complexity and message design, leading to new security risks. This paper presents the first systematic study to uncover and characterize the security issues in off-chain message signing schemes and the DApps built atop them. We present a holistic static-analysis framework, SigScope, that uniquely combines the insights extracted from DApp front-end code (HTML and JavaScript) off-chain and back-end smart contracts on-chain. We evaluate SigScope on the top 100 DApps to showcase its effectiveness and efficiency. Further, we leverage SigScope to study a large dataset of 4937 real-world DApps and show that 1579 DApps (including 73% of the top 100) rely on the off-chain message signing feature, and 1154 contain vulnerabilities. Finally, we use two real-world vulnerabilities in popular DApps to showcase our findings.

Keywords

blockchain security, smart contract, decentralized applications, off-chain message signing, signing-related vulnerabilities

Discipline

Information Security

Areas of Excellence

Digital transformation

Publication

WWW '25: Proceedings of the ACM on Web Conference 2025, Sydney, Australia, 2025 April 28 - May 2

First Page

4284

Last Page

4299

Identifier

10.1145/3696410.3714686

Publisher

ACM

City or Country

New York

Additional URL

https://doi.org/10.1145/3696410.3714686