Sending arbitrary Ethereum transactions (via MetaMask) doesn't show which derivation path you're working with on your Trezor. A corrupted host computer could send the Trezor a request to sign something on a different derivation path than the one MetaMask is telling you it's signing for.
I realize that sending arbitrary transactions is a huge security risk in the first place (because good luck deciphering what you're even signing), but simply showing the derivation path you're working with on the Trezor would add a lot of security. For example, I could restrict myself to only doing MUCH safer ETH transfers for m/44'/60'/0'/0/0, which could hold the majority of my funds, but then allow myself to send arbitrary transactions for m/44'/60'/0'/0/1, which could hold a much smaller amount.
Workaround: use passphrases, instead of derivation paths, to safely keep "accounts" separate from one another.
Note: I have Trezor's "safety checks" set to "prompt" to allow myself to send arbitrary Ethereum transactions via MetaMask.
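To make the proposal concrete, here is an added example (not the Trezor firmware's code and not the issue author's) that models a per-derivation-path signing policy. It parses the path string into the `address_n` indices a device actually receives and evaluates the policy on that received path, which is the only thing the host cannot misrepresent to the device; the two paths and the transfer/arbitrary split are taken from the issue, while `POLICY`, `classify` and the sample request are constructed for illustration.

```python
# Added example (not the Trezor firmware's or the issue author's code):
# a per-derivation-path signing policy evaluated on the path the host
# actually sends, not on the account a wallet UI claims to be using.

HARDENED = 0x80000000  # BIP32 hardened-index flag


def parse_path(path: str) -> list[int]:
    """Turn m/44'/60'/0'/0/0 into the uint32 child indices a device
    receives (Trezor's address_n). Hardened levels get the high bit."""
    parts = path.strip().split("/")
    if not parts or parts[0] != "m":
        raise ValueError(f"path must start with m: {path!r}")
    indices = []
    for level in parts[1:]:
        hardened = level.endswith(("'", "h"))
        n = int(level.rstrip("'h"))
        if not 0 <= n < HARDENED:
            raise ValueError(f"child index out of range: {level!r}")
        indices.append(n | HARDENED if hardened else n)
    return indices


def format_path(address_n: list[int]) -> str:
    """Inverse of parse_path: the string a device would display."""
    levels = [f"{i & ~HARDENED}'" if i & HARDENED else str(i) for i in address_n]
    return "/".join(["m", *levels])


# Constructed policy modelled on the issue: the high-value account signs
# only plain ETH transfers, the low-value account may also sign arbitrary
# (contract-call) transactions.
POLICY = {
    "m/44'/60'/0'/0/0": {"transfer"},
    "m/44'/60'/0'/0/1": {"transfer", "arbitrary"},
}


def classify(data: bytes) -> str:
    """No calldata means a plain transfer; anything else is arbitrary."""
    return "transfer" if len(data) == 0 else "arbitrary"


def is_permitted(address_n: list[int], data: bytes) -> bool:
    """Decide on what was received, not on what the wallet UI showed."""
    return classify(data) in POLICY.get(format_path(address_n), set())


if __name__ == "__main__":
    # Constructed scenario: the UI claims account 1, but the host sends a
    # request for account 0 carrying placeholder calldata; the policy denies it.
    addr = parse_path("m/44'/60'/0'/0/0")
    print(format_path(addr), is_permitted(addr, b"\x01\x02\x03\x04"))
```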