ZenGo has identified a major security flaw prevalent among DApp wallets whereby users grant complete access to their tokens by authorizing a single transaction.
Cryptocurrency wallet provider ZenGo has built a testnet to demonstrate a major security flaw prevalent among decentralized application (DApp) wallets.
On March 23, ZenGo published an article highlighting that, when a user authorizes a specific transaction, many DApp wallets actually grant access to the connected wallet's entire balance of that token:
“As a result, if the DApp is vulnerable to a security issue or is rogue to begin with, attackers can abuse these highly excessive privileges to steal ALL of the DApp’s users holdings (in the approved tokens) without any further user consent. They can do so at any point in the future, even if the user no longer uses the DApp.”
ZenGo builds testnet to demonstrate vulnerability
ZenGo said that “almost every DApp” exhibits the vulnerability, resulting in users unwittingly providing DApp smart contracts with full control over their funds.
To demonstrate the vulnerability, ZenGo has launched a public testnet featuring a “rogue” token swapping DApp dubbed baDAPProve.
When a user authorizes a transaction of a specific number of FRT tokens on the testnet, baDAPProve will drain the user's entire FRT wallet, emphasizing the risks associated with the vulnerability.
ZenGo is currently developing a solution intended to fix the security issue.
Despite the vulnerability having been identified several years ago, ZenGo believes that wallet providers are not doing enough to ensure that users are aware of the security risks associated with authorizing DApps to access their wallets.
The firm claims that popular wallets Opera, imToken and Trust Wallet do not offer any warnings identifying the security risk. However, Trust Wallet indicated it will upgrade its wallet after being contacted by ZenGo.
ZenGo found that the wallets offered by Brave and MetaMask provide users with advanced settings that allow them to choose the sum that a DApp is able to access, while Coinbase provides a warning to users emphasizing the risks.
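A sketch of the kind of pre-signing check such a warning or spending-limit setting relies on, as an added example rather than code from ZenGo or any wallet named here. It assumes the request is a standard ERC-20 `approve(address,uint256)` call; the function names, the spender address and the amounts are constructed for illustration.

```python
# Added example: classify an ERC-20 approve() request before the user signs it.
# Amounts are in the token's smallest unit. All sample values are constructed.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # selector of approve(address,uint256)
MAX_UINT256 = 2**256 - 1                      # the "unlimited" allowance value
SAMPLE_SPENDER = "0x" + "11" * 20             # constructed DApp contract address


def encode_approve(spender, amount):
    """Build approve() calldata (used here only to construct sample input)."""
    body = bytes(12) + bytes.fromhex(spender[2:]) + amount.to_bytes(32, "big")
    return "0x" + (APPROVE_SELECTOR + body).hex()


def decode_approve(calldata_hex):
    """Return (spender, amount) for approve() calldata, or None for other calls."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    if data[:4] != APPROVE_SELECTOR:
        return None
    if len(data) != 4 + 32 + 32:
        raise ValueError("malformed approve() calldata")
    spender_word, amount_word = data[4:36], data[36:68]
    if any(spender_word[:12]):
        raise ValueError("spender is not a 20-byte address")
    return "0x" + spender_word[12:].hex(), int.from_bytes(amount_word, "big")


def review_approval(calldata_hex, intended_amount, balance):
    """Compare the requested allowance with what the user asked to spend."""
    decoded = decode_approve(calldata_hex)
    if decoded is None:
        return {"verdict": "not-an-approval"}
    spender, amount = decoded
    if amount == 0:
        verdict = "revoke"        # clears a previously granted allowance
    elif amount == MAX_UINT256:
        verdict = "unlimited"     # spender may move every token, now or later
    elif amount > intended_amount:
        verdict = "excessive"     # more than this transaction needs
    else:
        verdict = "scoped"
    # The spender can pull at most the allowance, bounded today by the balance;
    # an unlimited allowance also covers tokens received in the future.
    return {"verdict": verdict, "spender": spender, "approved": amount,
            "at_risk_now": min(amount, balance)}
```

A wallet would show the verdict and the at-risk figure before signing, and an allowance of zero for the same spender is how a stale grant is withdrawn.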
Wallet vulnerability unacceptable as decentralized finance grows
ZenGo also identified that even if a user no longer uses a DApp, the smart contract is still able to access their tokens as a result of previously granted permission.
While ZenGo concedes that certain security compromises “might have been acceptable in the era when users were scarce and highly technical,” the firm argues that the increasing popularity of decentralized finance protocols necessitates security upgrades as they attract a growing number of non-technical users.
Cointelegraph has reached out to several of the aforementioned wallets but has not received a comment as of press time.