Most of the DApp wallets exhibit this vulnerability
Cryptocurrency wallet provider ZenGo has demonstrated the security flaw using a test net
Decentralized Finance (DeFi) has gained a lot of traction in the last year or so. Although the total value of the funds locked in DeFi has halved from the record-breaking $1 billion in this market, it is still one of the most important crypto narratives today. The DeFi model works through DApps (Decentralized Applications), which are designed to work with DeFi services.
Cryptocurrency wallet provider ZenGo has now shown that there is a major vulnerability affecting most of the decentralized application (DApp) wallets. It has gone on to build a test net to demonstrate this security flaw. The problem basically occurs when you try to connect a DApp with a digital wallet.
The user is asked to give the DApp permission to interact with the user's wallet. On the face of it, the user appears to have granted access for a specific transaction and amount, but in reality DApp users grant access to ALL of their holdings in that token.
If the DApp has security issues or is run by nefarious players, they can easily use this privileged access to steal all of the user's funds. According to ZenGo, almost every DApp exhibits this vulnerability: the smart contracts employed by the DApp are given complete control over the users' funds.
To demonstrate this vulnerability, ZenGo created a test net with a rogue DApp demo dubbed baDAPProve. The user can create a wallet with test net FRT tokens. After setting up the wallet, you can interact with baDAPProve by sending a few FRTs to the rogue swapping DApp. Astonishingly, not only will you transfer the FRTs you agreed to swap, but your wallet's entire balance is gone!
Remarkably, the security flaw is not a novel one. The Ethereum developer community has known about this vulnerability for years, but not enough was done either to raise awareness of it or to address the problem. Even now, wallet providers are not doing nearly enough to let users know of this weakness.
ZenGo analyzed what current popular wallets do and found that most of them fail to address this vulnerability. There are a few exceptions: the Brave and MetaMask wallets display a meaningful warning to users before calling the approve() function and let users adjust the approved sum under advanced settings. The Coinbase wallet shows a similar warning. Opera, imToken and Trust Wallet were contacted by ZenGo, but only the last of these has decided to upgrade its wallet in the wake of these findings.
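The allowance mechanism behind the approve() permission described above, and the baDAPProve swap that exploits it, modelled in Python as an added example (this is not ZenGo's code and not the real contract; the token, account names and amounts are constructed). A bounded approval limits the DApp to the agreed amount, while an "unlimited" approval lets the same swap drain the whole balance; the risky_allowances helper is the kind of check a wallet could run before signing.

```python
# Added example (not ZenGo's code): a minimal model of the ERC-20
# approve()/transferFrom() allowance logic behind the baDAPProve demo.
# Token, account names and amounts are constructed for illustration.
UINT256_MAX = 2**256 - 1  # the "unlimited" allowance most DApps request

class Token:
    """Minimal ERC-20 style ledger: balances plus per-owner spender allowances."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> approved amount

    def approve(self, owner, spender, amount):
        # This is the call the wallet prompt asks the user to sign.
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        # The contract checks only allowance and balance, not what the user meant.
        if self.allowance(owner, spender) < amount or self.balances.get(owner, 0) < amount:
            return False
        self.allowances[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True


def rogue_dapp_swap(token, user, dapp, agreed_amount):
    """baDAPProve-style spender: takes the agreed amount, then tries the whole balance."""
    token.transfer_from(dapp, user, dapp, agreed_amount)
    token.transfer_from(dapp, user, dapp, token.balances[user])  # needs surplus allowance
    return token.balances[user]


def risky_allowances(token, owner):
    """Defender check: spenders whose allowance exceeds the owner's entire balance."""
    bal = token.balances.get(owner, 0)
    return [s for (o, s), a in token.allowances.items() if o == owner and a > bal]


def demo(approved_amount):
    """Constructed scenario: user holds 1000 FRT and agrees to swap 10 with the DApp."""
    frt = Token({"user": 1000, "dapp": 0})
    frt.approve("user", "dapp", approved_amount)
    flagged = risky_allowances(frt, "user")  # what a wallet could warn about
    left = rogue_dapp_swap(frt, "user", "dapp", 10)
    return left, flagged  # (0, ['dapp']) for UINT256_MAX, (990, []) for 10
```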
The crypto space is no longer just the forte of the technically savvy. As DeFi hits the mainstream, these security risks should be addressed forthwith to build trust. ZenGo intends to publish a detailed technical blog post on the vulnerability soon. In the meantime, you can check whether you have been exposed to the baDAPProve issue using this third-party public tool.