Bitcoin breaks through $23,000, is your wallet safe?

CertiK
3 years ago
The CertiK technical team has carried out security assessments of multiple crypto wallets and compiled a full list of audit categories for each type of crypto wallet.

Over the past month the price of Bitcoin has risen from $18,000 to $20,000, and the word in the crypto community was that Bitcoin was bound to rise sharply before Christmas.

Last night BTC surged to a high of $23,000.


Led by Bitcoin, the crypto community has gone into a frenzy and the digital asset market is hot: Ethereum, Ripple, Litecoin and other cryptocurrencies are rising too.

From yesterday evening to today, the crypto community has seen a wave of former sceptics changing their minds, and eager investors have piled in one after another.

Compared with the 2017 Bitcoin frenzy, this rally looks likely to be more stable.

2020 has been a special year for everyone: the pandemic broke out and the crypto market was in turmoil. The emergence and boom of decentralized finance (DeFi) has brought blockchain back into the public eye.

With the launch of new blockchain projects and more than 2,000 crypto assets, more and more crypto wallets have entered the market, and more and more users have begun to flood into the field.


Bitcoin is soaring, is your wallet still safe?

In recent years, digital wallet security incidents have occurred frequently.

On November 19 last year, Ars Technica reported that the databases of two cryptocurrency wallet services had leaked and 2.2 million account records were stolen. Security researcher Troy Hunt confirmed that the stolen data came from the accounts of the cryptocurrency wallet GateHub and the RuneScape bot provider EpicBot.

This isn't the first time GateHub has suffered a data breach. In June last year, hackers reportedly compromised around 100 XRP Ledger wallets, resulting in the theft of nearly $10 million in funds.

On March 29, 2019, Bithumb was hacked. The incident is believed to have been caused by hackers stealing the private key of the g4ydomrxhege account owned by Bithumb.

The hackers immediately distributed the stolen funds to various exchanges, including Huobi, HitBTC, WB, and EXmo. According to unofficial data and user estimates, Bithumb lost more than 3 million EOS (about 13 million US dollars) and 20 million XRP (about 6 million US dollars).

Because digital currencies are anonymous and decentralized, stolen assets are, to a certain extent, difficult to recover. The security of the wallet is therefore of paramount importance.
On August 9, 2020, a CertiK security engineer gave a talk at the DEF CON Blockchain Security Conference titled "Exploit Insecure Crypto Wallet" (exploitation and analysis of crypto wallet vulnerabilities), which shared insights into the security of crypto wallets.

A crypto wallet is an application that helps users manage their accounts and simplifies the transaction process.

Some blockchain projects release crypto wallet applications to support the development of their chain, such as Deepwallet for CertiK Chain.

Additionally, there are companies like Shapeshift that build wallets supporting different blockchain protocols.

From a security point of view, the most important issue for a crypto wallet is to prevent attackers from stealing information such as the mnemonic phrase and the private keys of users' wallets.


Crypto Wallet Basic Audit Checklist

To evaluate an application, you first need to understand how it works, then whether the code implementation follows security best practices, and finally how to correct and improve the areas where security is insufficient.

The CertiK technical team has produced a basic audit checklist for crypto wallets that applies to all forms of crypto wallet application (mobile, web, extension, desktop), and in particular to how mobile and web wallets generate and store user private keys.
  • How does the application generate a private key?
  • How and where does the application store raw information and private keys?
  • Is the wallet connected to a trustworthy blockchain node?
  • Does the application allow users to configure custom blockchain nodes? If allowed, what impact would a malicious blockchain node have on an application?
  • Does the application connect to a centralized server? If yes, what information does the client application send to the server?
  • Does the application require the user to set a strong password?
  • Does the application require two-factor authentication when users attempt to access sensitive information or transfer money?
  • Does the application use vulnerable third-party libraries that can be exploited?
  • Are there secrets (e.g. API keys, AWS credentials) leaked in source code repositories?
  • Are there obvious bad code implementations (such as misunderstandings of cryptography) appearing in the program source code?

Mobile Wallet

Mobile devices such as cell phones are more likely to be lost or stolen than laptops.

When analyzing threats against mobile devices, it is important to consider situations where an attacker has direct access to a user's device.

As part of our assessment, we seek to identify issues that could lead to compromised accounts and loss of crypto assets should an attacker gain access to a user's device, or should the device be infected with malware.

In addition to the basic checklist, here are the additional audit categories to check when evaluating mobile wallets:
  • Does the app protect sensitive data from screenshots? Does the Android app prevent screenshots while sensitive data is displayed? Does the iOS app warn users not to take screenshots of sensitive data?
  • Does the app leak sensitive information in background screenshots?
  • Does the app detect if the device is jailbroken/rooted?
  • Does the application pin the backend server's certificate?
  • Does the application record sensitive information in the program's log?
  • Does the application contain misconfigured deep links and intents, and can they be exploited?
  • Is the code in the application bundle obfuscated?
  • Does the application implement anti-debugging functionality?
  • Does the application check for application repackaging?
  • (iOS) Does the data stored in the iOS Keychain have sufficient security properties?
  • Is the application affected by keychain data persistence?
  • Does the application disable the custom keyboard when the user enters sensitive information?

Web Wallet

Web applications are slowly becoming a less popular option for a fully decentralized wallet. MyCrypto does not allow users to use the keystore/mnemonic/private key to access the wallet in the web application, and MyEtherWallet similarly advises users not to do so.
Compared with wallets on the other three platforms, web wallets are easier to phish; if an attacker compromises the web server, they can easily inject malicious JavaScript into the pages and steal users' wallet information.
However, a securely built and thoroughly tested web wallet is still the best choice for users to manage their crypto assets.
In addition to the basic audit categories above, when we evaluate client-side web wallets we also check the following categories:
  • Is the application vulnerable to cross-site scripting (XSS)?
  • Is the application vulnerable to clickjacking?
  • Does the application have a valid Content Security Policy?
  • Does the application have an open redirection vulnerability?
  • Is the application vulnerable to HTML injection?
  • It's rare for web wallets to use cookies these days, but if they do, you should check:
      • Cookie attributes
      • Cross-Site Request Forgery (CSRF)
      • Cross-Origin Resource Sharing (CORS) misconfiguration
  • Does the app contain features other than basic wallet functionality? Are there vulnerabilities in these features that can be exploited?
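The clickjacking, CSP and cookie items above can be checked mechanically against a wallet's HTTP response headers. The following is an added example written for this article (not code from MyCrypto, MyEtherWallet or any other project); the two sample responses are constructed, and the thresholds for what counts as a finding are this example's own choices.

```javascript
// Added example: audit a web wallet's response headers for clickjacking protection,
// a usable Content-Security-Policy and cookie attributes. Sample responses are constructed.

// Parse a Content-Security-Policy value into { directive: [sources...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Returns a list of findings; an empty list means the checked items passed.
function auditWalletHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  const csp = h["content-security-policy"] ? parseCsp(h["content-security-policy"]) : null;

  // Clickjacking: frame-ancestors (preferred) or X-Frame-Options must forbid framing by others.
  const ancestors = csp && csp["frame-ancestors"];
  const framingBlocked = (ancestors && !ancestors.includes("*")) ||
    /^(deny|sameorigin)$/i.test(h["x-frame-options"] || "");
  if (!framingBlocked) findings.push("clickjacking: no frame-ancestors or X-Frame-Options");

  // CSP: a page that handles keys must not allow inline or wildcard script sources.
  if (!csp) findings.push("csp: missing Content-Security-Policy");
  else {
    const scripts = csp["script-src"] || csp["default-src"] || [];
    if (scripts.includes("'unsafe-inline'") || scripts.includes("*")) findings.push("csp: script-src permits inline or wildcard scripts");
  }

  // Cookies are rare in wallets, but any that are set need Secure, HttpOnly and SameSite.
  for (const cookie of [].concat(h["set-cookie"] || [])) {
    const name = cookie.split("=")[0].trim();
    for (const attr of ["secure", "httponly", "samesite"]) {
      if (!cookie.toLowerCase().includes(attr)) findings.push(`cookie ${name}: missing ${attr}`);
    }
  }
  return findings;
}

// Constructed sample responses: one as audits often find them, one hardened.
const weakResponse = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "Set-Cookie": ["session=abc123; Path=/"],
};
const hardenedResponse = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  "X-Frame-Options": "DENY",
  "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"],
};
```

Running `auditWalletHeaders(weakResponse)` reports five findings (framing, inline scripts and three missing cookie attributes), while the hardened response produces none.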

Extension Wallet

MetaMask, one of the best-known and most widely used crypto wallets, takes the form of a browser extension.
Internally, an extension wallet works much like a web application.
The difference is that it contains unique components called the content script and the background script.
A website communicates with the extension's pages by passing events or messages through the content script and the background script.
One of the most important things to test during an extension wallet evaluation is whether a malicious website can read or write data belonging to the extension wallet without the user's consent.
In addition to the basic checklist, the following are the audit categories to be checked when evaluating extension wallets:
  • What permissions does the extension ask for?

  • How does the extension app decide which websites are allowed to communicate with the extension wallet?

  • How does the extension wallet interact with web pages?

  • Can a malicious website use a vulnerability in the extension to attack the extension itself or other pages in the browser?

  • Can a malicious website read or modify data belonging to the extension without the user's consent?

  • Are extension wallets vulnerable to clickjacking?

  • Does the extension wallet (usually background script) check the origin of the message before processing it?

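The last two items above (which sites may talk to the wallet, and whether the background script checks message origins) come down to one dispatch routine. The following is an added example for this article, not MetaMask's or any project's code; the connected-origin set, the message shape, the handler names and the sample address are assumptions.

```javascript
// Added example: the origin check an extension wallet's background script performs
// before acting on a message. Everything here is constructed for illustration.

// Sites the user has explicitly approved (a real wallet persists these in extension storage).
const connectedOrigins = new Set(["https://app.example-dapp.test"]);

// Constructed sample account; the private key itself never leaves the background script.
const account = { address: "0x1111111111111111111111111111111111111111" };

// What a connected page may ask for. No handler ever returns keys or mnemonics.
const handlers = {
  getAddress: () => ({ address: account.address }),
  exportKey: () => ({ error: "key export is never offered to web pages" }),
};

// Resolve the sender's origin. External pages arrive with sender.origin; messages relayed
// by a content script carry sender.url. Missing or opaque ("null") origins are rejected.
function originOf(sender) {
  const raw = sender && (sender.origin || sender.url);
  if (!raw || raw === "null") return null;
  try { return new URL(raw).origin; } catch (_) { return null; }
}

function handleMessage(message, sender) {
  const origin = originOf(sender);
  if (!origin) return { error: "missing or opaque origin" };
  if (!connectedOrigins.has(origin)) return { error: `origin ${origin} is not connected` };
  // Own-property lookup so names such as "constructor" cannot reach Object.prototype.
  const type = message && message.type;
  if (!Object.prototype.hasOwnProperty.call(handlers, type)) return { error: "unknown message type" };
  return handlers[type](message);
}

// Wiring for a real extension (externally_connectable in the manifest); skipped outside a browser.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((msg, sender, sendResponse) => {
    sendResponse(handleMessage(msg, sender));
    return false;
  });
}
```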

Electron Desktop Wallet

After writing the code for the web application, why not use that code to build a desktop application in Electron?

Among the desktop wallets tested in the past, about 80% of the desktop wallets are based on the Electron framework. When testing an Electron-based desktop application, not only look for possible vulnerabilities in the web application, but also check that the Electron configuration is secure.

CertiK has published an analysis of Electron desktop application vulnerabilities; see that article to learn more.


The following are the audit categories to be checked when the Electron-based desktop wallet is evaluated:

  • What version of Electron does the application use?

  • Does the application load remote content?

  • Does the application disable nodeIntegration and enableRemoteModule?

  • Does the application have the contextIsolation, sandbox and webSecurity options enabled?

  • Does the application allow users to jump from the current wallet page to any external page in the same window?

  • Does the application implement an effective Content Security Policy?

  • Does the preload script contain code that could be abused?

  • Does the application pass user input directly into dangerous functions (such as openExternal)?

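The configuration items in the list above map directly onto a BrowserWindow's webPreferences and two webContents hooks. The following is an added example written for this article, not any wallet project's code; the allowed explorer host, the preload path and the bundled index.html are assumptions, and the helper functions run without Electron installed.

```javascript
// Added example, not any wallet project's code: the insecure versus hardened BrowserWindow
// settings from the checklist, plus navigation and openExternal guards. Electron is loaded
// only when present; the explorer host and preload path are assumptions.
let electron = null;
try { electron = require("electron"); } catch (_) { /* not inside Electron: helpers still run */ }

// Typical audit finding: remote content plus Node in the renderer turns any XSS into code execution.
const insecurePreferences = { nodeIntegration: true, enableRemoteModule: true,
  contextIsolation: false, sandbox: false, webSecurity: false };

// Hardened: the renderer has no Node access and the preload script runs in an isolated world.
function hardenedWebPreferences(preloadPath) {
  return { nodeIntegration: false, enableRemoteModule: false, contextIsolation: true,
    sandbox: true, webSecurity: true, preload: preloadPath };
}

// Only the wallet's own packaged pages may be shown inside the window.
function isAllowedNavigation(url) {
  try { return new URL(url).protocol === "file:"; } catch (_) { return false; }
}

// shell.openExternal hands the URL to the OS, so restrict it to https on known hosts.
const EXTERNAL_HOSTS = new Set(["explorer.example.test"]); // assumed allowlist
function isSafeExternalUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" && EXTERNAL_HOSTS.has(u.hostname);
  } catch (_) { return false; }
}

function createWalletWindow() {
  const { BrowserWindow, shell } = electron;
  const preload = require("path").join(__dirname, "preload.js");
  const win = new BrowserWindow({ webPreferences: hardenedWebPreferences(preload) });
  // Block in-window navigation away from the bundled UI (a phishing page inside the wallet's frame).
  win.webContents.on("will-navigate", (event, url) => {
    if (!isAllowedNavigation(url)) event.preventDefault();
  });
  // Never open a second window for page-supplied URLs; hand vetted links to the OS browser.
  win.webContents.setWindowOpenHandler(({ url }) => {
    if (isSafeExternalUrl(url)) shell.openExternal(url);
    return { action: "deny" };
  });
  win.loadFile("index.html");
  return win;
}

if (electron && electron.app) electron.app.whenReady().then(createWalletWindow);
```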

Server-Side Vulnerability Checklist

More than half of the crypto wallet apps we tested had no centralized server; they connected directly to blockchain nodes.

The CertiK technical team sees this as a way to reduce the attack surface and protect user privacy.

However, if the application wishes to provide customers with more functionality than account management and token transfer, the application may require a centralized server with a database and server-side code.

The items to test for server-side components are highly dependent on application characteristics.
Based on server-side vulnerabilities discovered during our research and engagement with customers, we have compiled the following vulnerability checklist. Of course, it does not cover all possible server-side vulnerabilities.
  • Authentication and authorization
  • KYC and its validity
  • Race conditions
  • Cloud server misconfiguration
  • Web server misconfiguration
  • Insecure Direct Object Reference (IDOR)
  • Server-Side Request Forgery (SSRF)
  • Insecure file upload
  • Any type of injection (SQL, command, template) vulnerability
  • Arbitrary file read/write
  • Business logic errors
  • Rate limiting
  • Denial of service

Summary

As technology develops, the fraud and attack methods used by hackers are becoming ever more diverse.

By sharing the security risks of crypto wallets, the CertiK security team hopes that users can better understand the security issues of digital currency wallets and increase their vigilance.

At this stage, many development teams pay far less attention to security than to their business, and do not provide sufficient security protection for their own wallet products. By sharing these audit categories for crypto wallets, CertiK hopes that wallet project teams will gain a clear understanding of product security standards, so as to drive security upgrades and jointly protect the security of user assets.

Attacks on digital currencies span multiple technical dimensions. Security must be considered across every application involved in managing and circulating digital currency, including computer hardware, blockchain software, blockchain service software such as wallets, and smart contracts.

Crypto wallets need to pay attention to detecting and monitoring potential attack methods so that the same method cannot be used again and again, and to strengthen the protection of digital currency accounts, keeping important holdings in physically isolated, encrypted offline cold storage. In addition, a professional security team should be hired to conduct network-level testing and to find vulnerabilities through remote simulated attacks.

Search WeChat for [certikchina] and follow CertiK's official WeChat account; click the dialog box at the bottom of the account page and leave a message to get a free consultation and quotation.

Original article, author: CertiK. For reprinting, content collaboration or reporting, please contact report@odaily.email; unauthorized reprinting will be pursued under the law.

