Open in app

Sign in

Write

Sign in

Building a Crypto Wallet? Consider These 10 Security Issues

Thesis Defense Team
Thesis Defense
Published in
7 min readMar 12, 2024

By Jehad Baeth
Security Auditor & Engineer

In recent years, crypto wallets have evolved beyond their traditional functionalities — which include storing wallet secrets securely, signing transactions and communicating with dApps — and are now becoming more feature-rich to appeal to their users.

But as their functionalities expand, so do the risks. Specifically, attack surfaces broaden and the sophistication of potential threats to their security increases.

This blog outlines ten security issues developers should keep in mind when designing a feature-rich crypto wallet.

1. Poor Coding Practices

There is no surprise that poor coding practices can leave the door open to security exploits at that application/implementation level. Risks stemming from poor coding practices can include:

  • Cross-site scripting (XSS) attacks
  • Man-in-the-middle (MITM) attacks
  • Remote code execution vulnerabilities
  • Misconfigurations leading to security missteps
  • Using unsafe functions or improper error reporting, potentially triggering leaks of sensitive information

Linting tools like ESLint and SonarQube can help identify potential issues in the source code during development phases. Additionally, regular audits should be conducted on dependencies to ensure they are up-to-date and secure.

2. Improper Cryptography

Cryptography is a critical component of custodial wallets, providing essential security features. Wallets that fail to implement strong cryptographic practices expose users to significant risks.

Community-proven libraries such as WebCryptoAPI and libsodium are recommended for cryptographic operations due to their robustness and widespread use in the industry.

Some common cryptographic issues observed in wallet extensions include:

  • Weak Storage Schemes: Inadequate storage methods for sensitive data expose wallets to significant risks. This applies particularly to browser localStorage, which can be vulnerable to various attacks due to its reliance on web browsers’ native storage systems.
  • Encrypting Multiple Fields with the Same Password: This practice exposes user data if an attacker obtains a single password, as all associated information becomes accessible simultaneously.
  • Poor or Improper Key Derivation Choices: Weak key derivation methods can compromise wallet security, making it easier for hackers to crack the encryption and access sensitive data.
  • Allowing Low-Entropy User Passwords: This practice enables attackers to exploit weak passwords, increasing the risk of unauthorized access. Educating users with tools such as zxcvbn can help improve user password security by encouraging them to use stronger alternatives.

3. Third-Party Vulnerabilities

Denial of Service (DoS) Attacks primarily target third-party sources relied upon by wallet extensions. Properly configuring and maintaining secure relationships with these providers is essential to minimize potential disruptions.

Ensure that your chosen providers have been thoroughly audited, documented, and tested for any known vulnerabilities or weaknesses.

4. User Authentication Issues

Aside from cryptographic security measures, user authentication plays the most critical role in maintaining wallet security. Some important measures to consider include:

  • Password Management Policies: Implementing robust policies that govern password usage can help prevent unauthorized access and improve overall account protection.
  • Authenticating Critical Actions: Ensuring that essential operations, such as transferring funds or executing smart contracts, require multi-factor authentication (MFA) offers added security.
  • Protecting Against Brute Force Attacks: Implementing measures such as account lockouts or delays after multiple failed login attempts can deter attackers from exploiting weak passwords.
  • Support for Two-Factor Authentication (2FA) and Hardware Wallets: Encouraging users to adopt these advanced security features can significantly reduce the risk of unauthorized access.

5. Secure Handling of Data

Since non-custodial wallets need to store sensitive data locally, proper handling of this information is crucial for maintaining user privacy and security. Extensions often use localStorage (e.g., LevelDB), a file-based key-value storage system, to save data on users’ devices.

6. Data Encryption Practices

Data encryption is essential in safeguarding sensitive wallet information. Here are some general guidelines:

  • Always Encrypt Local Data: Ensure that all critical wallet data, such as mnemonics and private keys, are encrypted using strong cryptographic algorithms. Implementing proper encryption methods helps protect users’ financial assets from theft or unauthorized access.
  • Encryption at Rest: For sensitive information stored on devices, utilize robust encryption mechanisms like AES-GCM to safeguard data both in transit and at rest.
  • Key Management: Implement secure key management practices, such as using strong encryption algorithms, regularly rotating keys, and employing proper access controls for sensitive data.
  • Secure Backup and Recovery Options: Offer users safe methods to create backups of their wallets without exposing sensitive information or compromising security.
  • Support for Two-Factor Authentication (2FA) and Hardware Wallets: Encourage users to adopt these advanced security features, which can significantly reduce the risk of unauthorized access.

7. Platform-Specific Issues

The security of a crypto wallet is closely tied to the platform it runs on — whether web, mobile, or desktop. Ensure that the chosen platform follows best practices and offers robust security features. Regularly review platform-related security updates to stay informed about potential vulnerabilities and fixes.

8. Supply Chain Risks

These attacks target the integrity of a wallet’s development pipeline, often focusing on third-party dependencies or libraries. To mitigate supply chain risks:

  • Assess Dependencies Carefully: Manually review dependencies and their transitive dependencies to identify potential vulnerabilities in the codebase. Even devDependencies can cause a lot of damage. (E.g. Copay)
  • Pin Dependencies: Pinning dependencies helps prevent unauthorized changes that could introduce security flaws or malicious code into the wallet application.
  • Use Automated Tools for Auditing Dependencies: Implement continuous integration (CI) and continuous delivery (CD) pipelines to automatically scan and audit third-party libraries during development phases, ensuring they are up-to-date and secure.
  • Follow Best Practices: Follow guidelines from organizations such as OWASP for best practices in securing your wallet’s supply chain.

9. Communication with dApps

As noted previously, one of the primary functions of a crypto wallet is interacting with decentralized applications (dApps). The following steps can help ensure there are secure communication channels and proper authentication processes between wallets and dApps:

  • Secure Communication Protocols: Use encryption protocols to protect data in transit, preventing unauthorized access or tampering during transmission.
  • Authenticating dApp Interactions: Establish robust authentication mechanisms between the wallet and connected dApps to verify their legitimacy and prevent potential phishing attacks.
  • Regularly Update Integrated dApp Lists: Keep track of known security vulnerabilities in popular dApps — and update your wallet’s integration list accordingly — to protect users from exploitation or financial loss due to malicious activities.
  • Monitor dApp Activity: Continuously monitor wallet interactions with integrated dApps for suspicious patterns that might indicate fraudulent behavior or attacks targeting user assets.
  • User Education: Educate users about safe practices to follow when interacting with dApps, such as verifying dApp URLs before connecting, spotting and avoiding phishing attempts, and keeping their private keys secure.

10. User-Error Prone UI/UX Design

Non-custodial crypto wallets are only as secure as the users who operate them. Implement user-friendly interfaces that guide users towards making informed choices about security practices. These include:

  • Security Tips and Hints: Provide clear instructions, tool tips, or prompts to help users understand best practices for securing their wallets effectively.
  • Authenticated Actions: Ensure that critical operations, such as fund transfers or the modification of account settings, are secured by clear authentication steps such as multi-factor authentication (MFA).
  • Educate Users on Security Threats: Inform users about common attack vectors, such as phishing, social engineering tactics, or malware attacks, and provide guidance on how to safeguard against and mitigate these risks.
  • Implement Strong Password Policies: Enforce robust password policies, such as minimum length requirements and a mix of characters, to prevent users from choosing weak or easily guessable passwords.
  • Support Security Features: Encourage users to adopt advanced security features like hardware wallet integration, biometric authentication, or two-factor authentication (2FA).
  • Regularly Update User Education Materials: Stay informed about emerging threats and trends in the cryptocurrency landscape, updating your wallet’s educational resources accordingly to ensure that users are aware of potential risks and best practices for maintaining their security posture.
  • Test User Interface and Experience: Conduct thorough usability testing to identify any design flaws or inconsistencies that could lead to user errors in securing their wallets effectively.
  • Provide Detailed Documentation: Offer comprehensive documentation, guides, and tutorials that show users how to use your wallet securely, including step-by-step instructions for setting up security features, backing up wallet data, or troubleshooting common issues.
  • Avoid Using Storage Mediums Accessible by Other OS Processes: Wallets often offer users the option of copying mnemonics into the clipboard, which can be monitored by other processes.

In sum, to secure a crypto wallet effectively, it’s crucial to tackle various attack vectors across the system, including application logic, platform integration, and user practices. Implementing comprehensive security measures, like the ten outlined in this blog, and educating users about threats can drastically minimize attack success.

Beyond this, it is important to stay vigilant and up-to-date on emerging trends in crypto security, as well as new vulnerabilities or attack patterns that may target wallets specifically.

Finally, in line with security best practices, it is advised to engage expert auditors to rigorously assess and scrutinize every aspect of wallet security. In that way, developers have a better chance at identifing and mitigating potential vulnerabilities long before they become a threat. This proactive approach not only enhances the security of a crypto wallet but also fortifies user trust and bolsters a project’s reputation, leading to broad adoption. Win, win, win.

At Thesis Defense, we pride ourselves on our expertise. Our team of security auditors have carried out hundreds of security audits for decentralized systems across a number of technologies including smart contracts, wallets + browser extensions, bridges, node implementations, cryptographic protocols, and dApps. We offer our services within a variety of ecosystems including Bitcoin, Ethereum + EVMs, Stacks, Cosmos / Cosmos SDK, NEAR and more.

To learn more about our services and get a free quote, schedule a call or email us @ defense@thesis.co. For more information about Thesis Defense, visit us on our website, blog and X (Twitter).

Security
Cyprocurrencies
Cryptowalletdevelopment
Crypto
Audit

--

--

Thesis Defense Team
Thesis Defense

Written by Thesis Defense Team

6 Followers
Editor for

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams