On June 3, multiple Atomic Wallet users reported on social media that the assets in their wallets had been stolen. According to analysis, the total loss across affected Atomic Wallet users is now approximately $35 million. A Web3 wallet is the key that opens the Web3 world, and its job is to securely hold the user's cryptocurrency assets. Once the wallet program itself is compromised, every asset it holds is at risk of theft.
Therefore, based on what a Web3 wallet is responsible for, the SlowMist security team released a Web Front-end Security Guide for web and browser extension wallets and proposed best-practice security implementations for each stage of the wallet key lifecycle: generation, storage, use, backup, and destruction. At the same time, with reference to the OWASP MASVS international standard, we developed security guidelines for the Web3 wallet client security audit items. Drawing on years of frontline attack-and-defense experience and on established international standards, the SlowMist security team aims to make the Web3 wallet client as secure as possible and to reduce the risk of cryptocurrency asset theft.
Web3 wallets, as the key to the Web3 world, must interact with a wide variety of DApps, and during these interactions they face many security challenges. Attackers are very good at exploiting design flaws in the interaction flow to take users' assets, for example: hijacking the UI to trick users into signing; relying on blind signatures (signatures over data the user cannot read) to trick users into signing; abusing Permit signatures (off-chain token approvals) to drain users' assets; sending zero-value transferFrom transactions to plant phishing addresses in users' transaction history; address poisoning with addresses that share the same trailing characters as a known address; NFT phishing; and other common phishing techniques. In response to the user interaction flow and the phishing techniques attackers commonly use, the SlowMist security team exclusively proposes a security audit of the user interaction process, covering: a WYSIWYS (what you see is what you sign) strategy; an AML strategy; an anti-phishing strategy; a pre-execution (transaction simulation) strategy; and other strategies that defend against attacks, reduce the risk of users being phished, and keep cryptocurrency assets secure.
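As an added example (this is not SlowMist's code and not part of the audit checklist), the following JavaScript sketches three of the client-side checks that the WYSIWYS and anti-phishing strategies above call for: detecting a recipient that imitates an address-book entry (the "same tail number" address-poisoning scam), flagging the zero-value transferFrom calls attackers use to plant such addresses, and surfacing what an EIP-2612 Permit signing request actually grants before the user signs it. All addresses, the address book and both requests are constructed sample data, and the prefix/suffix lengths used for the lookalike comparison are assumptions chosen to match what a truncated wallet UI typically displays.

```javascript
// Added example, not SlowMist's own code: a few client-side checks a wallet can
// run before it shows a signing or sending prompt. Every address, address-book
// entry and request below is constructed sample data.

const TRANSFER_FROM_SELECTOR = "0x23b872dd"; // keccak256("transferFrom(address,address,uint256)")[:4]
const MAX_UINT256 = (1n << 256n) - 1n;

// Lower-case and validate a 20-byte hex address.
function normalizeAddress(addr) {
  const a = String(addr).toLowerCase();
  if (!/^0x[0-9a-f]{40}$/.test(a)) throw new Error(`bad address: ${addr}`);
  return a;
}

// Address poisoning ("same tail number" scam): flag a recipient that is NOT in
// the address book but shares the leading and trailing characters of an entry,
// i.e. exactly the part a truncated UI shows. Returns the entry it imitates, or
// null. The default lengths (6 head, 4 tail) are an assumption.
function findLookalike(recipient, addressBook, prefixLen = 6, suffixLen = 4) {
  const r = normalizeAddress(recipient);
  const book = addressBook.map(normalizeAddress);
  if (book.includes(r)) return null;
  const head = (a) => a.slice(2, 2 + prefixLen);
  const tail = (a) => a.slice(-suffixLen);
  return book.find((k) => head(k) === head(r) && tail(k) === tail(r)) ?? null;
}

// Decode ERC-20 transferFrom(from, to, value) calldata by hand (no ABI library).
// Returns null if the selector or length does not match.
function decodeTransferFrom(calldata) {
  const data = String(calldata).toLowerCase();
  if (!data.startsWith(TRANSFER_FROM_SELECTOR) || data.length !== 10 + 3 * 64) return null;
  const word = (i) => data.slice(10 + i * 64, 10 + (i + 1) * 64);
  return {
    from: "0x" + word(0).slice(24),
    to: "0x" + word(1).slice(24),
    value: BigInt("0x" + word(2)),
  };
}

// Warnings for a token transfer: a zero-value transferFrom is standard-compliant
// but only serves to plant a lookalike address in the victim's history, and a
// later transfer to that lookalike is the poisoning payoff.
function reviewTokenTransfer(calldata, addressBook) {
  const w = [];
  const call = decodeTransferFrom(calldata);
  if (!call) return w;
  if (call.value === 0n) w.push("zero-value transferFrom: typical address-poisoning bait");
  const mimicked = findLookalike(call.to, addressBook);
  if (mimicked) w.push(`recipient ${call.to} imitates address-book entry ${mimicked}`);
  return w;
}

// Warnings for an EIP-712 signing request. An EIP-2612 Permit signature is an
// off-chain approval: whoever holds it can call permit() and then transferFrom
// the user's balance with no further on-chain action by the user.
function reviewTypedData(typedData, trustedSpenders = []) {
  const w = [];
  if (typedData.primaryType !== "Permit") return w;
  const m = typedData.message;
  const spender = normalizeAddress(m.spender);
  const value = BigInt(m.value);
  w.push(`Permit lets ${spender} spend ${value} of ${typedData.domain.name} until deadline ${m.deadline}`);
  if (value === MAX_UINT256) w.push("Permit value is unlimited (uint256 max)");
  if (!trustedSpenders.map(normalizeAddress).includes(spender)) w.push("Permit spender is not a known contract");
  return w;
}

// ---- constructed sample data ----
const KNOWN = "0xabcdef" + "0".repeat(30) + "1234";      // an address the user has paid before
const LOOKALIKE = "0xabcdef" + "1".repeat(30) + "1234";  // attacker address with the same head and tail
const ADDRESS_BOOK = [KNOWN];

const pad = (a) => normalizeAddress(a).slice(2).padStart(64, "0");
// Attacker-crafted bait: transferFrom(KNOWN -> LOOKALIKE, 0).
const POISON_CALLDATA = TRANSFER_FROM_SELECTOR + pad(KNOWN) + pad(LOOKALIKE) + "0".repeat(64);

// A phishing site's Permit request for an unlimited allowance (EIP-2612 shape).
const PHISHING_PERMIT = {
  primaryType: "Permit",
  domain: { name: "SampleToken", version: "1", chainId: 1, verifyingContract: "0x" + "2".repeat(40) },
  message: { owner: "0x" + "3".repeat(40), spender: "0x" + "4".repeat(40),
             value: MAX_UINT256.toString(), nonce: 0, deadline: 1893456000 },
};

console.log(reviewTokenTransfer(POISON_CALLDATA, ADDRESS_BOOK));
console.log(reviewTypedData(PHISHING_PERMIT, []));
```

The point of the Permit check is that the typed data is human-readable: a wallet that shows only a hash or a raw hex blob turns a readable approval into a blind signature, which is the gap these phishing pages rely on. A real implementation would combine the warnings with a pre-execution simulation of the resulting state change rather than stopping at static decoding.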
Based on the above, the SlowMist security team has upgraded the security audit items for the Web3 wallet security audit service as follows:
1. For browser extension wallets, the security audit items are:
Note: For browser extension wallets, a white box audit is recommended so as to achieve the most comprehensive audit coverage possible.
2. For mobile and desktop wallets, the security audit items are:
Note: For mobile and desktop wallets, a white box audit is recommended when the audit budget allows. If the budget is insufficient, black box and gray box testing should be the primary audit methods, with white box review as a supplement, so as to achieve the most comprehensive audit coverage possible.
The following are some cases of wallet security audits by the SlowMist security team:
As the gateway to the crypto world and a core piece of Web3 infrastructure, wallet security is an important guarantee for the healthy development of the industry ecosystem, and a wallet security audit is undoubtedly one of the most effective ways to ensure it. The SlowMist security team suggests that every project undergo a security audit before going live: it better protects user assets and avoids unnecessary losses, and it also makes the development of the ecosystem healthier and more stable.
SlowMist is a blockchain security firm established in January 2018. It was started by a team with over ten years of network security experience and has grown into a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked with various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, O3Swap, etc.