Hello, so here is something I’m having a hard time to figure out.
Whenever you connect to third party webpage , lets say pancakeswap, and you make some transacations - you confirm on your trezor device those transactions. Once you connect your wallet could such webpage take control on some of your coins? Lets say you swap BNB-BUSD, can webpage withdrawn those 2 coins or maybe also others without your authorisation? Of course pancakeswap is legit webside, but I’m wondering if I start using some bridges, swapping services and make some transactions. Am i still safe?
I have similar concern about participating in airdrops. If I sing up on fake webpage for airdrops with my wallet, can I loose all the assets? Of course not giving out to anyone seed, just confirming transactions. Thank you in advance for all the help and explanations
Yes.
So long as you don’t reveal your Recovery seed anywhere and check every transaction address fully in a transfer of coins, you should be safe.
My advice is to stay away from airdrops entirely. There are many scammers and fake websites and I suspect many of the scams we hear of on this forum originates from interactions with airdrops. Never click on an unknown address in your wallet, if you get an airdrop you don’t recognize. Just leave it be. Trezor will get functionality to remove these at a later date.
Fake websites may have malicious code that changes your transaction address to something else, so try to stay away from fake websites. Do your own research and only use websites trusted by many other users.
Well airdrops are the reason why I’m asking. Many projects at first may look suspicious, but later on those are like winning lotteries.
So summing up. Even if you get into a fake website or rug pull. The only way to loose funds is if the code alter withdraw address and YOU physically confirm transaction on your trezor without checking it? The webpage can NOT withdraw anything or get private keys on its own (even if you sign a few transactions before?)
So here’s the thing: on Ethereum and other EVM networks, when you do anything beyond a simple send funds, you see a screen that looks like this:
you should technically be checking that this is what you want. Practically, this is not really possible.
One thing you might be confirming via this screen is a so-called allowance. This allows another smart contract to manipulate some token in your name. You actually need this with, e.g., PancakeSwap, because otherwise the other contract can’t do the swap for you.
But what can happen is, you confirm a transaction that seems to be something innocuous, but you actually gave an unlimited allowance to a malicious smart contract. It is then allowed to take all your balance of a particular token and move it away.
There is an open issue about preventing this, but it’s not implemented yet.
So the answer to this question is yes and no:
No, the webpage can’t just glance at your Trezor and steal the keys and take all your money, if you don’t actually click Confirm on the Trezor.
But, when you do click Confirm, you might be confirming something you don’t want to do.
If you confirm a simple send, where Trezor shows you amount + destination address + fees, then you’re OK. That’s just a simple send.
If you confirm a transaction with data in it, which is actually a smart contract call, a lot of things can happen.
OK, thank you for detailed explanation. But Ill take it a bit farther I understand if you confirm a smart contract from a fake webpage then you are in huge troubles.
Now if I got 3 wallets, lets call them A,B,C. And I confirm allowance for wallet A. Are wallet B,C secure or this allowance influence all wallets and all the coins and tokens under this seed/trezor?
Another question if on my wallets A, I got 50 coins/tokens and I give a smart contract allowance for lets say BNB/USDT transactions. All of those 50 tokens are in danger or only those from pair BNB and USDT?
Allowance is per address. So if you confirm allowance for address A, then no other address is affected.
Unfortunately, Trezor is currently not showing you the “spending from” account. If the page is malicious, it can request an allowance for a different address (still only one per one confirmation though).
You might be able to see this information on the Trezor Connect popup – that thing that is asking you “export public keys for account #1 yes/no”. But I’m not entirely sure what is its concept of “account” and how it relates to addresses.
If you use different passphrases for wallets A, B, C, then there is very little cross-contamination risk: whichever passphrase you entered last, that’s the wallet you are spending from.*
Allowance is per token, not per pair. Unless the Pancakeswap manual is lying to me, you need to enable every token before you trade from it. So if you’re selling BNB for BUSD, you need to enable BNB; if you want to sell BUSD back for BNB, you need to enable BUSD too. Each of those “enable” operations is an allowance.
If you give an allowance for BNB, only your BNBs can be taken.
However, I am not an EVM developer. While it doesn’t seem possible to create multiple allowances in a single transaction, there might be tricks or techniques I am not aware of.
*) Technically, if you entered more than one passphrase recently, a malicious site could, in theory, use the older passphrase(s) without you noticing. It is unlikely in practice: this would be too much work for the malicious site to implement it, just on the off chance that there is a very paranoid user who at the same time goes confirming things on a scam site.
If you want to be 100% sure to avoid this very slim risk, you can unplug your Trezor between switching passphrases.
