ZenGo has created a test-network application to demonstrate a serious security flaw common to dApps.
The ZenGo report says that when a transaction is completed, users unknowingly give the dApp's smart contract full control over the funds in the connected wallet.
“As a result, attackers could use this vulnerability to steal ALL user funds from a dApp wallet without the owner’s knowledge. Theft could even occur at any time in the future, even if the user is no longer using the application,” – the report says.
Because the user grants the permission that binds the wallet, the application's smart contract can access the funds at any time, with no expiry on the authorization.
To prove the vulnerability, the developers created an application called baDAPProve. When they approved a transaction with a certain number of tokens on a test network, baDAPProve successfully stole all remaining tokens.
The developers note that the vulnerability was discovered several years ago and remains unresolved, and that dApp developers do not specifically warn users about the risk of wallet authorization. According to the developers, this vulnerability also exists in the Opera, imToken and Trust wallets.
At the same time, the researchers note that the Brave and MetaMask wallets have advanced settings that let users set the maximum amount a dApp can access.
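The check the last paragraph describes, as an added example (not ZenGo's code and not from any wallet): it assumes the approval in question is an ERC-20 `approve(address,uint256)` call, decodes the calldata the dApp asks the wallet to sign, and flags an approval as unlimited or larger than the amount the user actually intends to spend. The selector `0x095ea7b3` is the standard one for that function; the encoder and the spending-cap policy are this example's own, and the spender address in the usage is constructed.

```python
"""Wallet-side review of an ERC-20 approve() call before it is signed.

Decodes approve(address,uint256) calldata and classifies the requested
allowance so the user can see whether a dApp is asking for more spending
rights than the transaction needs. Example code; the cap policy is assumed.
"""

# 4-byte selector of approve(address,uint256): first four bytes of
# keccak256 of the signature. Hardcoded here because hashlib has no keccak.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")
UINT256_MAX = 2**256 - 1


def encode_approve(spender: str, amount: int) -> bytes:
    """Build the ABI-encoded calldata a dApp would hand to the wallet."""
    spender_bytes = bytes.fromhex(spender.removeprefix("0x"))
    if len(spender_bytes) != 20:
        raise ValueError("spender must be a 20-byte address")
    if not 0 <= amount <= UINT256_MAX:
        raise ValueError("amount out of uint256 range")
    # ABI layout: selector, address left-padded to 32 bytes, uint256 big-endian.
    return (APPROVE_SELECTOR
            + spender_bytes.rjust(32, b"\x00")
            + amount.to_bytes(32, "big"))


def decode_approve(calldata: bytes):
    """Return (spender, amount) if calldata is an approve() call, else None."""
    if len(calldata) != 4 + 64 or calldata[:4] != APPROVE_SELECTOR:
        return None
    spender_word = calldata[4:36]
    if spender_word[:12] != b"\x00" * 12:  # address word must be zero-padded
        return None
    spender = "0x" + spender_word[12:].hex()
    amount = int.from_bytes(calldata[36:68], "big")
    return spender, amount


def review_approval(calldata: bytes, intended_amount: int) -> str:
    """Classify an approval the way a wallet with a spending cap would.

    intended_amount is the token amount (smallest unit) the user actually
    wants this dApp to move. Anything above it is more rights than needed;
    the uint256 maximum is full control over the balance with no expiry.
    """
    decoded = decode_approve(calldata)
    if decoded is None:
        return "not-an-approve"
    _spender, amount = decoded
    if amount == UINT256_MAX:
        return "unlimited"
    if amount > intended_amount:
        return "excessive"
    return "ok"


if __name__ == "__main__":
    # Constructed spender address for demonstration only.
    dapp_contract = "0x" + "ab" * 20
    for requested in (UINT256_MAX, 1_000, 100):
        calldata = encode_approve(dapp_contract, requested)
        print(requested, "->", review_approval(calldata, intended_amount=100))
```

A wallet that applies this policy would show "unlimited" for the approval baDAPProve relies on, so the user can lower the allowance to the amount of the current transaction instead of granting permanent access to the whole balance.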