ZenGo Warns of Dapp and Wallet Security Issue; Offers Solution
Keyless crypto wallet maker ZenGo has put the crypto community on alert, warning about a security issue that can drain all funds out of users' accounts. The flaw has seemingly been well known in the decentralized finance (DeFi) developer community, but it was not disclosed to users. ZenGo, however, also offers a solution.
"Imagine going to your bank and sending someone USD 1," but later "you discover that by doing so you have allowed this person to empty your account," said ZenGo. Worse yet, your bank knew about this possibility but did nothing to prevent it from happening. Some of the most popular dapps (decentralized apps) and crypto wallets have this precise issue, which ZenGo named "baDAPProve." But it was discussed only in the technical circles of Ethereum developers for years, while the users had no idea that it may happen or how it may affect them, they claim.
ZenGo describes baDAPProve as an exploit, whereby a smart contract can get unlimited access to the entirety of a user's funds, while the user is none the wiser. Alex Manuskin, Blockchain Researcher at ZenGo, explains: DeFi companies build dapps implemented as blockchain smart contracts so that users can access DeFi services. To do so, users have to give permission for the dapp to interact with their wallet. This means that the dapp will ask the user for access to the tokens.
"The security issue is that while most users assume they approve access for a specific transaction of a specific amount, in most dapps users actually grant access to ALL of their holdings in that token. [...] In almost every dapp, when the user connects to it, they unknowingly provide the smart contract associated with the dapp full access to all of their funds, regardless of their actual usage."
What does this mean for the user? If the dapp that was given permission to access tokens is vulnerable to a security issue or is malicious from the start, attackers can use that permission to take every single one of the approved tokens at any time, even when the dapp is no longer used, and no additional consent is required to do so. Users who decide to move out of DeFi due to recent price drops remain as vulnerable as they were before, because the approval stays in place until it is revoked.
Furthermore, many wallets say nothing about it to their users, claims ZenGo, citing an unnamed wallet that says communicating this to users in an understandable way would be difficult. Brave, MetaMask, and Coinbase wallets display some warnings. Meanwhile, Opera, imToken, and Trust Wallet give no warning whatsoever, ZenGo claims, and only Trust Wallet is planning to upgrade its wallet as a result of ZenGo's inquiry. We asked imToken and Opera for their comments as well.
"This issue is a known risk and requires user interaction. We have already clearly notified the user when they are entering a third-party DApp. But we still thank you for your report."
— token.eth - imToken (@imTokenOfficial) March 4, 2020
"What is amazing in this is that many players we approached or even publications (won't name) refused to consider it was a big deal," tweeted Ouriel Ohayon, CEO of ZenGo, adding that any dapp is concerned here, not just DeFi. Manuskin writes that, though the problem has been known for years, "some security compromises that might have been acceptable in the era when users were scarce and highly technical are not acceptable when DeFi goes mainstream, acquiring many non-technical users, and handling crypto tokens in the Billions (USD)."
Therefore, the wallet maker built a publicly available, open-source testnet for all to experience baDAPProve risk-free. ZenGo also developed a security solution that they say solves most of the double-confirmation issues, writing: "The approved sum is the same as the sum that the user intends to send, the user only approves once and both transactions are sent in parallel so the user does not need to wait any longer than usual." The solution is meant for their Compound-based ZenGo Savings feature, but it is not specific to the automated lending platform Compound, meaning that other apps can use it too.