What is an “eth_sign” Phishing Attack?

Ethereum, one of the busiest blockchains by transaction volume and the foundation network for many Web3 projects, has continued to attract more and more attention, especially since it became a deflationary crypto asset at the end of last month (January 2023). The daily burn rate rose from a range of 1,000 to 3,000 ETH over the past few months to a high of over 3,300 ETH on February 7th. Coupled with the recent market price rally, this news is a green light for some crypto investors and traders.

As interest in the ever-expanding Ethereum ecosystem snowballs, bad actors are becoming more sophisticated in their phishing techniques. Phishing scams in the Ethereum ecosystem often involve fraudulent websites or applications that mimic popular DeFi platforms, such as Uniswap, Compound, Aave, or Curve, in order to trick users into entering their login credentials or providing access to their wallets.

For example, when searching for “Curve” on Google, some people might click “Curve Staking — Swap,” which directs them to an impersonating website at a URL like “https://www.appcurve-fi.biz”. This is especially troublesome given that the site people actually want is “Curve: Swap” at “http://curve.fi”. Once users land on the impersonating website, the phishing attacker asks them to agree to the website’s terms and conditions via MetaMask. The bad actors disguise this signing request to look like a “personal_sign” message, which is used for off-chain approvals such as simply agreeing to a website’s terms and conditions. In reality it is an “eth_sign” message for on-chain approvals, and once users sign it, their wallet is compromised.

Curve

The “eth_sign” method is the most susceptible to phishing because it operates on basic transaction information, such as addresses, amounts, and gas fees, among others. With “personal_sign”, the message is first hashed using the SHA-3 algorithm, and the hash is then signed with the private key. With “eth_sign”, by contrast, the message is signed directly with the private key without being hashed first. This makes “personal_sign” the more secure method for signing messages, as it is resistant to certain types of attacks that could potentially compromise the private key. Despite these weaknesses of “eth_sign,” a number of active projects still choose it for its ease of use.

Eth_sign & personal_sign

Even MetaMask, one of the world’s most widely used self-custodial crypto wallets, continues to support this signing method because of the sheer number of active projects that depend on it. When prompted with an “eth_sign” signature request, it displays a pop-up (see image above) warning users of the risks of signing. This is one way to make users confirm that they understand the risks and know which method they are signing with.

However, even with this displayed, all it could take is a lapse in judgment or simple human error to leave your funds vulnerable.

To avoid phishing attacks that leverage this relatively vulnerable signing method, Cactus Custody has been designed to exclude “eth_sign” and to support only the more secure methods, such as “personal_sign” and “signTypedData_v4”, for its clients. Additionally, clients who want to further harden their accounts can disable signing altogether whenever they have no transactions to sign, which ensures they never receive a signature request they did not initiate themselves.
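The two controls just described (an allow-list of signing methods and a client-side switch that disables signing when idle), together with the structural difference between “eth_sign” and “personal_sign” from the earlier section, can be expressed as a small wallet-side policy check. The following is an added example and not Cactus Custody’s or MetaMask’s code; the function names are hypothetical, while the EIP-191 prefix and the MetaMask parameter order for each method are real.

```python
"""Wallet-side policy check for Ethereum signing requests (added example)."""

# Methods this policy lets through; everything else, eth_sign included, is refused.
ALLOWED_METHODS = {"personal_sign", "eth_signTypedData_v4"}
# EIP-191 version 0x45 prefix that every personal_sign message receives.
PREFIX = b"\x19Ethereum Signed Message:\n"


def personal_sign_payload(message: bytes) -> bytes:
    # Bytes the wallet hashes for personal_sign. Because the prefix is always
    # present, the digest can never coincide with the hash of a raw transaction.
    return PREFIX + str(len(message)).encode() + message


def eth_sign_payload(data_hex: str) -> bytes:
    # eth_sign hands the wallet an opaque 32-byte digest to sign as-is; nothing
    # in it tells the wallet or the user what those bytes actually commit to.
    raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if len(raw) != 32:
        raise ValueError("eth_sign data must be a 32-byte hash")
    return raw


def evaluate(request: dict, signing_enabled: bool = True) -> dict:
    # Decide whether a JSON-RPC signing request may reach the signer.
    # signing_enabled models the "disable signing when idle" control: when it is
    # False every request is refused, whichever site initiated it.
    method = request.get("method")
    if not signing_enabled:
        return {"allow": False, "reason": "signing disabled by account owner"}
    if method == "eth_sign":  # MetaMask parameter order: [address, data]
        digest = eth_sign_payload(request["params"][1])
        return {"allow": False, "reason": "eth_sign signs an opaque hash",
                "would_sign": digest.hex()}
    if method == "personal_sign":  # MetaMask parameter order: [data, address]
        data = request["params"][0]
        msg = bytes.fromhex(data[2:]) if data.startswith("0x") else data.encode()
        return {"allow": True, "reason": "prefixed, human-readable message",
                "would_hash": personal_sign_payload(msg).decode(errors="replace")}
    if method in ALLOWED_METHODS:
        return {"allow": True, "reason": "structured typed data (EIP-712)"}
    return {"allow": False, "reason": f"method {method!r} is not on the allow-list"}


# Constructed sample requests: one shaped like the phishing prompt, one legitimate.
PHISHING_REQUEST = {"method": "eth_sign",
                    "params": ["0x" + "ab" * 20, "0x" + "11" * 32]}
LEGIT_REQUEST = {"method": "personal_sign",
                 "params": ["0x" + b"I agree to the terms".hex(), "0x" + "ab" * 20]}
```

Calling `evaluate(PHISHING_REQUEST)` refuses the request and exposes the bare 32-byte digest the site wanted signed, whereas `evaluate(LEGIT_REQUEST)` allows it and shows the prefixed, readable text the wallet would actually hash.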

Cactus Custody is committed to giving its clients the best user experience with its cutting-edge security controls. Learn more about Cactus Custody’s institutional-level DeFi experience with enhanced security level at https://www.mycactus.com/en.