
A Statement about Disclosing Bad Behaviors in Mobile Wallet Apps


Over the past year, our research team has identified multiple critical vulnerabilities in mobile wallets. These range from dubious and disingenuous code that sends users' private keys to servers under various pretexts, to excessive collection or unintended exposure of personal data, and even to inexplicably buggy code that leads to remote code execution.

Following responsible disclosure guidelines, we promptly informed the vendors of these issues. While reporting was generally straightforward, getting vendors to address the issues proved more challenging. At times, we had to develop a full working exploit to demonstrate how serious a vulnerability was.

Furthermore, when we attempted to inform the community about these (remediated) vulnerabilities, we were generally met with resistance from vendors. Their reasons ranged from concerns about causing panic in the community to claims that, since there had been no actual losses, there was no need for public disclosure.

Our latest investigations have uncovered several striking issues in various wallet implementations that we believe users should be aware of. These issues range from concealed functions within wallets and mishandling of private keys to the uploading of sensitive information to external servers.

At CertiK, we are committed to enhancing security and transparency within the blockchain ecosystem. However, we face a difficult balance between alerting the community and honoring confidentiality agreements with vendors. In our experience, although several vendors prioritize public disclosure, many prefer to keep these issues private, which hampers collective improvement.

Without disclosure of these issues, however, the community never gets the chance to have a healthy debate, and vendors face little pressure to reconsider their practices. We have therefore decided to introduce a new approach to improving the security of the entire Web3 community.

In the coming weeks, we plan to share our insights with the community while keeping the involved vendors anonymous and withholding specific details that could facilitate exploitation. Our goal with this extended disclosure initiative is to raise security standards across the Web3 wallet sector, benefiting developers, auditors, and users alike.

We advocate for a culture of openness and improvement, and urge vendors to prioritize user safety and transparency. We believe that educating the community about the risks associated with wallet implementations can lead to a more secure ecosystem. By working together, we can build a safer blockchain ecosystem for everyone. It is only when every stakeholder prioritizes security above all else that the Web3 community can truly thrive and prosper.
