Crypto Wallet Security Assessment Checklist

The fundamentals:

  • How does the application generate the seed phrase and private key?
  • How and where does the application store the seed phrase and private key?
  • Does the wallet connect to a trustworthy blockchain node?
  • Does the application allow users to configure a custom blockchain node? If so, what can a malicious node do to the application (e.g. lie about balances or transaction status)?
  • Does the application use a centralized server? If so, what information is sent from the client to the server?
  • If the server stores sensitive data, how is it stored?
  • Does the application enforce a strong password policy?
  • Does the application require 2FA or a PIN code when users attempt to access sensitive information or transfer tokens out?
  • Does the application use vulnerable third-party libraries?
  • Are any secrets (e.g. API keys, AWS credentials) leaked in the source code repository?
  • Are there notable bad coding practices (e.g. misuse of cryptography) in the codebase?
  • Does the application server enforce TLS connections?

Mobile wallet:

  • (Android) Does the application stop users from taking screenshots while displaying sensitive data? (iOS) Does the application warn users not to take screenshots of sensitive data?
  • Does the application leak sensitive information in background screenshots (the snapshots taken for the app switcher)?
  • Does the application detect jailbreak/root?
  • Does the application implement certificate pinning?
  • Does the application log any sensitive information?
  • Does the application contain misconfigured deep links or intents, and can they be exploited?
  • Is the application package protected by code obfuscation?
  • Does the application implement anti-debugging?
  • Does the application check for app repackaging?
  • (iOS) Do items stored in the iOS Keychain use a secure accessibility attribute (e.g. kSecAttrAccessibleWhenUnlockedThisDeviceOnly)?
  • (iOS) Does the application suffer from Keychain data persistence (items surviving app uninstall)?
  • Does the application disable third-party custom keyboards when users enter sensitive information?
  • Does the application use WebViews securely when loading external websites?

Web Wallet:

  • Is the application vulnerable to cross-site scripting(XSS)?
  • Is the application vulnerable to clickjacking?
  • Does the application have an effective content security policy?
  • Is the application vulnerable to open redirect?
  • Is the application vulnerable to HTML injection?
  • It's rare to see web wallets use cookies nowadays, but if they do, check for:
      • Cookie attributes (Secure, HttpOnly, SameSite)
      • Cross-site request forgery (CSRF)
      • CORS misconfiguration
  • Does the application contain additional features beyond basic wallet functionality, and can they be exploited?
  • Is the application vulnerable to any of the OWASP Top 10 vulnerabilities not mentioned above?
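
The clickjacking, content security policy and cookie items above can be checked mechanically from a captured response. The following is an added example, not code from the CertiK checklist or from any wallet, of such a check over response headers; the two header sets at the bottom (including the rpc.example.invalid host) are constructed sample data.

```javascript
// Added example, not from the CertiK checklist: audit a web wallet's HTTP
// response headers against the clickjacking, CSP and cookie items above.
// The two header sets at the bottom are constructed sample data.

// Parse a Content-Security-Policy value into a directive -> source-list map.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Parse one Set-Cookie value into its name and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.split("=")[0];
  const attributes = new Map();
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=");
    attributes.set(key.toLowerCase(), value);
  }
  return { name, attributes };
}

// Returns a list of findings; an empty list means the headers pass these checks.
// `headers` is an object keyed by lowercase header name; set-cookie is an array.
function auditSecurityHeaders(headers) {
  const findings = [];
  const directives = headers["content-security-policy"]
    ? parseCsp(headers["content-security-policy"])
    : null;

  // Clickjacking: frame-ancestors (preferred) or X-Frame-Options must restrict framing.
  const frameAncestors = directives ? directives.get("frame-ancestors") : undefined;
  const xfo = (headers["x-frame-options"] || "").toUpperCase();
  const framingRestricted =
    (frameAncestors !== undefined &&
      frameAncestors.every((s) => s === "'none'" || s === "'self'")) ||
    xfo === "DENY" || xfo === "SAMEORIGIN";
  if (!framingRestricted) {
    findings.push("clickjacking: neither frame-ancestors nor X-Frame-Options restricts framing");
  }

  // CSP effectiveness: a policy that lets scripts run inline, via eval or from
  // any https host does not stop XSS in a wallet that signs transactions.
  if (!directives) {
    findings.push("csp: header missing");
  } else {
    const scriptSrc = directives.get("script-src") || directives.get("default-src") || [];
    const weak = ["'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"];
    if (scriptSrc.length === 0) findings.push("csp: no script-src or default-src");
    for (const src of scriptSrc) {
      if (weak.includes(src)) findings.push(`csp: scripts allowed from ${src}`);
    }
  }

  // Cookies: every Set-Cookie must carry Secure, HttpOnly and an explicit SameSite.
  for (const raw of headers["set-cookie"] || []) {
    const { name, attributes } = parseSetCookie(raw);
    if (!attributes.has("secure")) findings.push(`cookie ${name}: missing Secure`);
    if (!attributes.has("httponly")) findings.push(`cookie ${name}: missing HttpOnly`);
    const sameSite = (attributes.get("samesite") || "").toLowerCase();
    if (sameSite !== "strict" && sameSite !== "lax") {
      findings.push(`cookie ${name}: SameSite not Strict or Lax`);
    }
  }
  return findings;
}

// Constructed samples: a weak response and a hardened one for the same wallet.
const WEAK_HEADERS = {
  "content-security-policy": "default-src 'self' 'unsafe-inline' https:",
  "set-cookie": ["session=abc123; Path=/"],
};
const HARDENED_HEADERS = {
  "content-security-policy":
    "default-src 'none'; script-src 'self'; connect-src 'self' https://rpc.example.invalid; frame-ancestors 'none'",
  "x-frame-options": "DENY",
  "set-cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"],
};
```

Running auditSecurityHeaders(WEAK_HEADERS) reports six findings (framing unrestricted, 'unsafe-inline' and https: in the script policy, and the cookie missing all three attributes); the hardened set reports none. A real CSP audit also has to account for nonces and hashes, which this example treats neither as weak nor as sufficient.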

Extension Wallet:

  • What permissions does the extension require?
  • How does the extension decide which website is allowed to communicate with the extension?
  • How does the extension interact with the web page?
  • Can a malicious website exploit a vulnerability in the extension (e.g. XSS in an extension page) to run code in the extension's context or in other active tabs in the browser?
  • Can a malicious website read or modify data that belongs to the extension without the user's consent?
  • Is the extension vulnerable to clickjacking?
  • Does the extension (often the background script) correctly check the origin of a message before processing it?
  • Does the extension implement an effective content security policy?
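
The questions of which websites may talk to the extension and whether the background script checks message origins come down to one comparison, and it is easy to get wrong. Below is an added example, not code from the CertiK checklist or from any particular wallet, of a background-script dispatcher that performs the check on a normalized origin, beside the prefix-match version that can be bypassed. The allowlist, the .invalid hostnames, the RPC method names and the sample senders are constructed; the (message, sender) shape is that of the chrome.runtime.onMessage callback.

```javascript
// Added example, not from the CertiK checklist: deciding whether a wallet
// extension's background script should act on an incoming message. The
// allowlist, hostnames, method names and sample senders are constructed.

const ALLOWED_ORIGINS = new Set([
  "https://app.example-wallet.invalid", // constructed: the wallet's own dApp front end
]);

// Weak check: prefix matching on sender.url. Both
// "https://app.example-wallet.invalid.evil.invalid/" and
// "https://app.example-wallet.invalid@evil.invalid/" pass it.
function isAllowedSenderWeak(sender) {
  return typeof sender.url === "string" &&
    sender.url.startsWith("https://app.example-wallet.invalid");
}

// Correct check: reduce the sender to an origin and compare it exactly.
// Use sender.origin where the browser provides it; otherwise derive the
// origin with the URL parser, which strips paths and userinfo for us.
function senderOrigin(sender) {
  if (typeof sender.origin === "string" && sender.origin !== "null") return sender.origin;
  if (typeof sender.url !== "string") return null;
  try {
    return new URL(sender.url).origin;
  } catch {
    return null;
  }
}

function isAllowedSender(sender) {
  const origin = senderOrigin(sender);
  return origin !== null && ALLOWED_ORIGINS.has(origin);
}

// Methods that move funds or expose keys need an explicit user confirmation
// in addition to an allowed origin; read-only methods are answered directly.
const SENSITIVE_METHODS = new Set(["eth_sendTransaction", "eth_sign", "wallet_exportKey"]);

// Dispatcher for the background script. It returns the response instead of
// calling sendResponse so the logic can be exercised without a browser.
function handleMessage(message, sender, { userConfirmed = () => false } = {}) {
  if (!isAllowedSender(sender)) {
    return { error: "origin not allowed", origin: senderOrigin(sender) };
  }
  if (!message || typeof message.method !== "string") {
    return { error: "malformed request" };
  }
  if (SENSITIVE_METHODS.has(message.method) && !userConfirmed(message)) {
    return { error: "user rejected request" };
  }
  return { ok: true, method: message.method };
}

// Wiring inside the real background script (not executed here):
//   chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
//     sendResponse(handleMessage(msg, sender, { userConfirmed: promptUser }));
//   });

// Constructed senders: one legitimate page and three spoofing attempts.
const SAMPLE_SENDERS = {
  legit: { url: "https://app.example-wallet.invalid/swap", origin: "https://app.example-wallet.invalid" },
  lookalikeHost: { url: "https://app.example-wallet.invalid.evil.invalid/" },
  userinfoTrick: { url: "https://app.example-wallet.invalid@evil.invalid/" },
  httpDowngrade: { url: "http://app.example-wallet.invalid/" },
};
```

The same comparison belongs in the content script's window.addEventListener("message", ...) handler (compare event.origin, never event.data), since a page-side script can post anything it likes into the content script.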

Electron(Desktop) Wallet:

  • What version of Electron does the application use?
  • Does the application load remote content?
  • Does the application disable nodeIntegration and enableRemoteModule?
  • Does the application enable contextIsolation, sandbox and webSecurity?
  • Does the application allow users to navigate away from the current wallet page to another arbitrary external web page in the same window?
  • Does the application implement an effective content security policy?
  • Does the preload script contain code that can be abused?
  • Does the application pass user input into dangerous functions such as shell.openExternal?
  • Does the application use any insecure custom protocols?
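
Most of the Electron items above are settings on the BrowserWindow plus two URL checks (what may be navigated to in-window, what may be handed to shell.openExternal). The following is an added example, not code from the CertiK checklist or from any wallet, of audit helpers for those items and of the wiring that applies them. The host allowlist and the sample webPreferences are constructed; createWalletWindow() requires Electron and is never called in this file.

```javascript
// Added example, not from the CertiK checklist: audit helpers for the Electron
// items above, plus the wiring that applies them. The host allowlist and the
// sample webPreferences are constructed; createWalletWindow() needs Electron
// and is never called in this file.

// Electron's defaults have moved over time (nodeIntegration off since 5,
// contextIsolation on since 12), so check the explicit values in the code
// under review rather than trusting the defaults of the version in package.json.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  // [option, the only safe value, finding text when the value differs]
  const checks = [
    ["nodeIntegration", false, "nodeIntegration enabled: XSS in the renderer becomes code execution on the host"],
    ["nodeIntegrationInWorker", false, "nodeIntegrationInWorker enabled"],
    ["enableRemoteModule", false, "enableRemoteModule enabled: renderer can reach main-process objects"],
    ["contextIsolation", true, "contextIsolation disabled: page scripts share globals with the preload script"],
    ["sandbox", true, "sandbox disabled"],
    ["webSecurity", true, "webSecurity disabled: same-origin policy off in the renderer"],
    ["allowRunningInsecureContent", false, "allowRunningInsecureContent enabled"],
  ];
  for (const [option, safeValue, text] of checks) {
    if (prefs[option] !== safeValue) findings.push(text);
  }
  return findings;
}

// shell.openExternal hands the string to the OS, so file://, smb:// or a
// registered custom scheme launches whatever handler is installed. Only
// https URLs to hosts the wallet actually links to should get through.
const EXTERNAL_HOSTS = new Set(["etherscan.io", "docs.example-wallet.invalid"]); // constructed

function isSafeExternalUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return false;
  }
  return url.protocol === "https:" && url.username === "" && url.password === "" &&
    EXTERNAL_HOSTS.has(url.hostname);
}

// The packaged UI is loaded with win.loadFile(), i.e. from file://; in-window
// navigation to anything else (a dApp URL, a phishing page) must be blocked.
function isAllowedNavigation(targetUrl) {
  try {
    return new URL(targetUrl).protocol === "file:";
  } catch {
    return false;
  }
}

const HARDENED_PREFS = {
  nodeIntegration: false,
  nodeIntegrationInWorker: false,
  enableRemoteModule: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  allowRunningInsecureContent: false,
};

// Constructed sample of a configuration that fails several items at once.
const WEAK_PREFS = { nodeIntegration: true, contextIsolation: false, webSecurity: false };

// Wiring for the real application (requires Electron; not executed here).
function createWalletWindow() {
  const { BrowserWindow, shell } = require("electron");
  const path = require("path");
  const win = new BrowserWindow({
    webPreferences: { ...HARDENED_PREFS, preload: path.join(__dirname, "preload.js") },
  });
  // Block in-window navigation away from the bundled UI.
  win.webContents.on("will-navigate", (event, url) => {
    if (!isAllowedNavigation(url)) event.preventDefault();
  });
  // window.open / target=_blank: never spawn a new BrowserWindow; open
  // allowlisted https links in the system browser and drop everything else.
  win.webContents.setWindowOpenHandler(({ url }) => {
    if (isSafeExternalUrl(url)) shell.openExternal(url);
    return { action: "deny" };
  });
  win.loadFile(path.join(__dirname, "index.html"));
  return win;
}
```

auditWebPreferences treats an unset option as a finding on purpose: the reviewer should see the value written down rather than reason about version defaults. On Electron 14 and later the remote module lives in the separate @electron/remote package and the enableRemoteModule option no longer exists, so for those versions the check to make is that the package is not a dependency.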

Server Side:

  • Authentication and authorization
  • KYC and its effectiveness
  • Race conditions
  • Cloud misconfiguration
  • Web server misconfiguration
  • Insecure direct object references (IDOR)
  • Server-side request forgery (SSRF)
  • Insecure file upload
  • Any type of injection (SQL, command, template) vulnerability
  • Arbitrary file read/write
  • Business logic errors
  • Rate limiting
  • Denial of service (see our article on DoS attacks for more information)
  • Information leakage

CertiK
Official Website: https://certik.com