ZenGo Warns of Major Security Flaw Among DApp Wallets

Published at: March 24, 2020

Cryptocurrency wallet provider ZenGo has built a testnet to demonstrate a major security flaw prevalent among decentralized application (DApp) wallets.

On March 23, ZenGo published an article highlighting that, when a user authorizes a specific transaction, many DApp wallets actually grant the DApp access to the user's entire balance of that token in the connected wallet, not just the amount being authorized:

“As a result, if the DApp is vulnerable to a security issue or is rogue to begin with, attackers can abuse these highly excessive privileges to steal ALL of the DApp’s users holdings (in the approved tokens) without any further user consent. They can do so at any point in the future, even if the user no longer uses the DApp.”

ZenGo builds testnet to demonstrate vulnerability

ZenGo said that “almost every DApp” exhibits the vulnerability, resulting in users unwittingly providing DApp smart contracts full control over their funds.

To demonstrate the vulnerability, ZenGo has launched a public testnet featuring a “rogue” token swapping DApp dubbed baDAPProve.

When a user authorizes a transaction of a specific number of FRT tokens on the testnet, baDAPProve drains the user's entire FRT balance — emphasizing the risks associated with the vulnerability.

ZenGo is currently developing a solution intended to fix the security issue.

Despite the vulnerability having been identified several years ago, ZenGo believes that wallet providers are not doing enough to ensure that users are aware of the security risks associated with authorizing DApps to access their wallets.

The firm claims that the popular wallets Opera, imToken and Trust Wallet do not offer any warning identifying the security risk. However, Trust Wallet indicated it will upgrade its wallet after being contacted by ZenGo.

ZenGo found that the wallets offered by Brave and MetaMask provide users with advanced settings that allow them to choose the sum a DApp is able to access, while Coinbase provides a warning to users emphasizing the risks.

Wallet vulnerability unacceptable as decentralized finance grows

ZenGo also identified that even if a user no longer uses a DApp, the smart contract is still able to access their tokens as a result of previously granted permission.
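The behaviour described above (the excessive approval, the testnet drain, the custom-amount setting offered by some wallets, and the allowance that outlives the user's use of the DApp) all follows from the ERC-20 allowance rules. The following JavaScript is an added illustration, not ZenGo's code nor the baDAPProve testnet contract: it models the standard `approve` / `allowance` / `transferFrom` semantics in memory and measures how many tokens a DApp contract can still move after the swap the user actually asked for. The account names, balances and the `FRT` token balances are constructed for the example; because there is no `msg.sender` here, the owner is passed explicitly to `approve` and the spender to `transferFrom`.

```javascript
// Added example, not ZenGo's or baDAPProve's code: an in-memory model of the
// ERC-20 approve / allowance / transferFrom rules, used to measure how many
// tokens a DApp contract can still move after the swap the user asked for.
// Account names, balances and the "FRT" token are constructed for illustration.

const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" allowance many DApps request

class Erc20 {
  constructor(symbol, balances) {
    this.symbol = symbol;
    this.balances = new Map(Object.entries(balances).map(([a, v]) => [a, BigInt(v)]));
    this.allowances = new Map(); // "owner:spender" -> remaining allowance
  }
  balanceOf(account) { return this.balances.get(account) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(`${owner}:${spender}`) ?? 0n; }
  // approve() overwrites the allowance; approve(spender, 0) is the standard way to revoke it.
  // (On-chain the owner is msg.sender; this model passes it explicitly.)
  approve(owner, spender, amount) {
    this.allowances.set(`${owner}:${spender}`, BigInt(amount));
    return true;
  }
  // transferFrom() is what a DApp contract calls to move the user's tokens. It checks
  // only the allowance, so nothing ties it to the transaction the user originally signed.
  transferFrom(spender, from, to, amount) {
    amount = BigInt(amount);
    const allowed = this.allowance(from, spender);
    if (allowed < amount) throw new Error(`${this.symbol}: insufficient allowance`);
    if (this.balanceOf(from) < amount) throw new Error(`${this.symbol}: insufficient balance`);
    // Common token implementations leave an unlimited allowance undiminished.
    if (allowed !== MAX_UINT256) this.allowances.set(`${from}:${spender}`, allowed - amount);
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
    return true;
  }
}

// Defender's check: how much of the owner's balance can this spender still move
// right now, without any further signature from the owner?
function residualExposure(token, owner, spender) {
  const allowed = token.allowance(owner, spender);
  const balance = token.balanceOf(owner);
  return allowed < balance ? allowed : balance;
}

// One user, one swap of 10 FRT through a DApp contract, under a given approval policy.
// Returns the balance after the intended swap, the exposure left behind, and the balance
// after the contract later uses whatever allowance remains (what the testnet DApp shows).
function scenario(approvalAmount, revokeAfterSwap) {
  const frt = new Erc20("FRT", { alice: 1000, dappContract: 0 });
  frt.approve("alice", "dappContract", approvalAmount);
  frt.transferFrom("dappContract", "alice", "dappContract", 10); // the swap Alice intended
  const afterSwap = frt.balanceOf("alice");
  if (revokeAfterSwap) frt.approve("alice", "dappContract", 0); // clean-up the user can do later

  const exposure = residualExposure(frt, "alice", "dappContract");
  if (exposure > 0n) frt.transferFrom("dappContract", "alice", "dappContract", exposure);
  return { afterSwap, exposure, afterLaterPull: frt.balanceOf("alice") };
}

// Three policies a wallet can offer before it forwards the approve() call:
const unlimited = scenario(MAX_UINT256, false); // exposure 990n; a later pull empties the wallet
const exactAmount = scenario(10, false);         // exposure 0n; nothing is left to pull
const revoked = scenario(MAX_UINT256, true);     // unlimited approval, revoked afterwards

console.log({ unlimited, exactAmount, revoked });
```

The `exactAmount` case is what the custom-amount setting in Brave and MetaMask achieves, and the `revoked` case is the only remedy once an unlimited approval has already been signed: the allowance persists on chain until the owner overwrites it, regardless of whether the user still visits the DApp.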

While ZenGo concedes that certain security compromises “might have been acceptable in the era when users were scarce and highly technical,” the firm argues that the increasing popularity of decentralized finance protocols necessitates security upgrades as it attracts a growing number of non-technical users.

Cointelegraph has reached out to several of the aforementioned wallets but has not received a comment as of press time.
