Synopsis
The Emeris browser extension wallet uses the crypto-js library to derive an encryption key and to encrypt the mnemonic phrase that is kept in local storage while not in use. The default key derivation algorithm in this library is not considered sufficiently secure and is vulnerable to brute-force attacks.
Impact
Attackers gain a significant advantage in decrypting the mnemonic phrase, which would result in a complete wallet takeover and the loss of funds.
Remediation
We recommend following password-based key derivation best practices and using Argon2id as the KDF. Section 4 of the Argon2 RFC provides guidance on the choice of parameters. We suggest selecting t=3 iterations, p=4 lanes and m=2^16 (64 MiB of RAM), a 128-bit salt, and a 256-bit tag size (i.e. the second recommended option).
Currently, the WebAssembly (wasm) implementation argon2-browser is not usable in Manifest V3, because wasm execution is not permitted for Manifest V3 extensions. Therefore, we recommend using a different memory-hard KDF, such as scrypt or bcrypt, until either wasm becomes available for Manifest V3 extensions or the argon2-browser package provides a compiled version without wasm. Generally recommended parameters for scrypt, as of 2017, range from N=32768, r=8, p=1 for interactive logins (100 ms) to N=1048576, r=8, p=1 for file encryption (5 s). We recommend benchmarking so that key derivation takes approximately 500 ms on most machines.
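The scrypt fallback and the benchmarking step described above, as an added example (not code from the Emeris wallet or the audit report). Assumptions: Node's built-in `crypto` module stands in for a pure-JS scrypt implementation inside the extension, AES-256-GCM is the cipher, and the function names and stored record layout are hypothetical.

```javascript
// Added example. Node's built-in crypto stands in for a pure-JS scrypt
// implementation; AES-256-GCM and the record layout are assumptions.
const crypto = require('crypto');

const R = 8, P = 1;                    // r and p from the recommendation above
const MIN_N = 32768, MAX_N = 1048576;  // the N range quoted above

function deriveKey(password, salt, N) {
  // 256-bit key; scrypt needs about 128*N*r bytes, so raise Node's 32 MiB cap.
  return crypto.scryptSync(password, salt, 32, { N, r: R, p: P, maxmem: 256 * N * R });
}

// Double N until one derivation takes at least targetMs on this machine.
function calibrate(targetMs = 500, startN = MIN_N, maxN = MAX_N) {
  const salt = crypto.randomBytes(16);
  for (let N = startN; ; N *= 2) {
    const t0 = process.hrtime.bigint();
    deriveKey('benchmark-password', salt, N);
    const ms = Number(process.hrtime.bigint() - t0) / 1e6;
    if (ms >= targetMs || N * 2 > maxN) return N;
  }
}

function encryptMnemonic(mnemonic, password, N) {
  const salt = crypto.randomBytes(16); // 128-bit salt, fresh per encryption
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt, N), iv);
  const ct = Buffer.concat([cipher.update(mnemonic, 'utf8'), cipher.final()]);
  const b64 = (b) => b.toString('base64');
  // Store the KDF parameters with the ciphertext so N can be raised later.
  return { kdf: 'scrypt', N, r: R, p: P, salt: b64(salt), iv: b64(iv),
           tag: b64(cipher.getAuthTag()), ct: b64(ct) };
}

function decryptMnemonic(rec, password) {
  // The record comes from storage: bound the parameters before spending memory.
  if (rec.kdf !== 'scrypt' || rec.r !== R || rec.p !== P ||
      !Number.isInteger(rec.N) || rec.N < 2 || rec.N > MAX_N)
    throw new Error('unsupported KDF parameters');
  const raw = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(password, raw(rec.salt), rec.N);
  const d = crypto.createDecipheriv('aes-256-gcm', key, raw(rec.iv));
  d.setAuthTag(raw(rec.tag));
  // final() throws if the password is wrong or the record was modified.
  return Buffer.concat([d.update(raw(rec.ct)), d.final()]).toString('utf8');
}
```

Call `calibrate()` once per device and pass the result to `encryptMnemonic`; because N is stored in the record, existing records stay decryptable after the cost is raised.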
Refer to full audit report first - Issue C
https://allinbits.slack.com/archives/C02U9SVJT97/p1652107168347859