The 16th of December is a day that will go down in crypto history, and for all the right reasons. Bitcoin, the king of cryptocurrency and the brainchild of Satoshi Nakamoto, skyrocketed above the $20,000 price mark, and between then and now there’s been no sign of this slowing down.
With institutions buying more BTC than is mined on a daily basis, and the floodgates of crypto being opened up to retail investors by the likes of payment giant PayPal, there has never been a more exciting time to be an investor in the cryptocurrency space. However, on the inverse, there’s never been a better time to be a malicious hacker looking to earn a quick buck (or, more realistically, a quick few hundred million dollars).
No individual or organization is immune to these types of cyber attacks, which often result in the losses of hundreds of millions of dollars in crypto assets. Binance, Bithumb, and UpBit are all major players in the crypto space, each with its own history of crypto hacks.
With the advent and rise of decentralized finance(DeFi), the blockchain and cryptocurrency world have, again, garnered attention from individuals and organizations around the world. A rise in users and value, makes for a rise in potential security incidents. Due to the sheer amount of value they’re holding, security of crypto wallets is vital.
Companies like Shapeshift build wallets that support different blockchain protocols, whilst a number of projects build native wallets to support their own chain, similar to DeepWallet for CertiK Chain
After looking at a wide variety of wallets during our research(check out our talk at Defcon blockchain village) and client engagement, we want to share the methodology and workflow for software-based crypto wallet security assessment. We believe that in order to assess an application, the most fundamental requirement is to understand how it operates.
Following our checklist, the next step is to examine whether the implementation follows security best practices and, if not, how these failures can be exploited. The checklists cover wallets in the form of a web application, mobile application, extension, and electron(desktop) application.
You can find the result of our research below, we consider the impact of both client and server-side configuration.
Questions below are suitable and should be focused on for all forms(mobile, web, extension, desktop) of crypto wallet applications, especially the first and second questions.
Compared to a laptop, mobile devices are easier to get lost or stolen. When analyzing threats for mobile devices, we must consider the situation that the attacker can potentially gain access to the user's device. During the assessment, we seek to identify issues that can potentially lead to accounts and crypto assets compromised if the attacker gains access to the user's device or the user's device infected by malware.
In addition to the checklist in the general section above, below is the list of items we check when assessing a mobile wallet.
In addition to the checklist in the general section above, below is the list of items we check when assessing a web wallet on the client-side. For server-side vulnerabilities, see the last section of this article.
Metamask, one of the most famous and frequently used crypto wallet, is present in the form of a browser extension. An extension wallet internally works pretty similarly to a web application by itself. The difference is it contains unique components called Content Script and Background Script. A website communicates with an extension page by passing events or messages through Content Script and Background Script. One of the most important things to look at during the extension wallet assessment is to test if a malicious website can read or write data belong to the extension without the user's consent.
In addition to the checklist in the general section above, below is the list of items we check when assessing extension wallets.
After writing the code for the web application, why not reuse the code to build a desktop application in Electron? Around 80% of desktop wallets we looked at are electron based desktop applications. When testing an electron based desktop application, we not only look for vulnerabilities that could exist in a web application but also examine the electron configuration.
Check out our article(link) and talk(link) on exploit vulnerability in electron based desktop applications.
More than half of all crypto wallet applications we look at communicate with blockchain nodes directly and don't have a centralized server. We believe this is the way to minimize the attack surface and protect user's privacy. However, if the application wishes to provide more functionalities other than account management and token transfer, it probably requires a centralized server with a database and server-side code.
What item to test for the server-side component is highly application feature dependent.
We compile the checklist below based on server-side vulnerabilities we found during our research and client engagement. It's not meant to contain all possible server-side vulnerabilities. For example, the list doesn't contain the XML external entity(XXE) because we never encounter any wallet application that deals with an XML file.
We at CertiK strive to secure the cyberworld regardless of the nature of each project that might be entrusting the integrity of its operations on DLTs and smart contracts and our numbers are loud about it.
Since our inception, we've audited and secured more than 150 smart contracts, and over 25 whole chains, while our security experts have performed more than 20 application penetration tests for top-shelf industry pioneers including but not limited to Binance, Tera, Kava, e-Money, Fetch.ai, Akropolis, Bancor, Shapeshift, and Blockstack.
To learn more about application penetration tests, smart contract audits, and find out the most optimal way to secure your next venture, don't hesitate to connect with one of our engineers and get a free consultation today.