by lxgr 1292 days ago
> I can be certain that my HSM signed what I wanted it to sign by verifying the signature against my known input.

But what if, after checking, you realize that instead of "send $50 to $friend for dinner", you signed "send my life savings to $fraudster"? That's the main attacker model of cryptocurrency wallets.

That's the kind of attacker model I wouldn't invite in the first place!

But more seriously: I've never fully understood why this is such a common issue with cryptocurrencies. My understanding of how Bitcoin works is that you need to actually submit your transaction for inclusion in a block, meaning that you have ample opportunity to verify the transaction's correctness before offering it for submission. Why aren't hardware wallets encouraging that?

> you have ample opportunity to verify the transaction's correctness before offering it for submission

I think the idea is malware on your computer could submit the signed, fraudulent transaction against your will.

Where would you verify the transaction and potentially choose to not submit it?

If it's on your computer or phone, this means that you trust it enough to not need a hardware wallet in the first place.

If your computer is compromised, you can trust the attacker to take care of the submission for you.

How is the rest of the network supposed to tell the difference between you signing and submitting a transaction and you signing and then a malicious program on your machine submitting the transaction?
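The exchange above comes down to where the transaction is checked before it is signed. The following is an added example, not code from any commenter or from any real wallet: a toy host/device model in which a compromised host swaps the recipient before the signing request reaches the device. HMAC stands in for the device's real signature scheme, the addresses and the device secret are constructed placeholders, and the `screen` flag is a hypothetical switch between blind signing and on-device display with user confirmation.

```python
"""Toy model of the threat model discussed in the thread: a host builds a
transaction, a hardware wallet signs it, and the host broadcasts it.  If
the host is compromised, checking the signature "against my known input"
afterwards does not help: the malware already holds a valid signature over
its own transaction and broadcasts it itself.  What helps is the device
showing the decoded fields on its own screen before it signs."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from typing import Callable, Optional

# Constructed values for this example; not real keys or addresses.
DEVICE_SECRET = b"example-device-secret-do-not-use"
FRIEND = "addr_friend_example"
FRAUDSTER = "addr_fraudster_example"


@dataclass(frozen=True)
class Tx:
    recipient: str
    amount: int  # whole currency units, e.g. the $50 from the thread


def serialize(tx: Tx) -> bytes:
    # Canonical encoding so the device and the verifier hash identical bytes.
    return json.dumps(asdict(tx), sort_keys=True, separators=(",", ":")).encode()


def sign(tx_bytes: bytes) -> bytes:
    # HMAC stands in for the device's ECDSA/Schnorr signature (assumption);
    # the only property needed here is that only the device can produce it.
    digest = hashlib.sha256(tx_bytes).digest()
    return hmac.new(DEVICE_SECRET, digest, hashlib.sha256).digest()


def verify(tx_bytes: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(tx_bytes), sig)


class HardwareWallet:
    """With screen=True the device decodes the request, shows it, and asks
    the user to confirm before signing.  With screen=False it signs whatever
    bytes the host hands it (blind signing)."""

    def __init__(self, screen: bool, confirm: Callable[[Tx], bool]):
        self.screen = screen
        self.confirm = confirm

    def sign_request(self, tx_bytes: bytes) -> Optional[bytes]:
        if self.screen:
            shown = Tx(**json.loads(tx_bytes))  # what the device screen displays
            if not self.confirm(shown):
                return None  # user rejected: no signature leaves the device
        return sign(tx_bytes)


def compromised_host(intended: Tx, wallet: HardwareWallet) -> tuple[Tx, Optional[bytes]]:
    """Simulated malware on the host: swaps recipient and amount before the
    request reaches the device and keeps whatever signature comes back."""
    fraudulent = Tx(recipient=FRAUDSTER, amount=intended.amount * 1000)
    sig = wallet.sign_request(serialize(fraudulent))
    return fraudulent, sig


def run_scenario(screen: bool) -> dict:
    intended = Tx(recipient=FRIEND, amount=50)
    # The user compares what the device screen shows against what they meant.
    user_confirms = lambda shown: shown == intended
    wallet = HardwareWallet(screen=screen, confirm=user_confirms)

    broadcast_tx, sig = compromised_host(intended, wallet)

    # The after-the-fact check from the quoted comment: does the signature
    # match the transaction the user intended?
    matches_intent = sig is not None and verify(serialize(intended), sig)
    # What the network actually checks: a signature over the bytes broadcast.
    network_accepts = sig is not None and verify(serialize(broadcast_tx), sig)
    return {
        "broadcast": broadcast_tx,
        "matches_intent": matches_intent,
        "network_accepts": network_accepts,
    }


if __name__ == "__main__":
    for screen in (False, True):
        r = run_scenario(screen)
        print(f"screen={screen}: broadcast={r['broadcast']} "
              f"matches_intent={r['matches_intent']} network_accepts={r['network_accepts']}")
```

With blind signing the user's own check (`matches_intent`) fails, but by then the fraudulent transaction already carries a valid signature and the host has broadcast it, which is exactly why the network cannot tell the two cases apart. With on-device display the user rejects the swapped transaction and no signature is ever produced, so there is nothing for the host to broadcast.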