[New Snap] Cardano Wallet

MetaMask / snaps-registry

A registry containing metadata about verified and blocked Snaps.

Apache License 2.0

28 stars 16 forks source link

Checklist

All items in the list below needs to be satisfied.

[x] Is the Snap repository publicly accessible and linked in this ticket? https://github.com/nufi-official/nufi-snap

[x] Is the Snap distributed on npm and linked in this ticket? @nufi/cardano-metamask-snap

[x] Has an audit been performed and the audit report attached or linked in this issue? Sayfer : https://sayfer.io/audits/metamask-snap-audit-report-for-nufi/

[x] Is a complete list of discovered vulnerabilities from the audit documented in this issue? 2 minor vulnerabilities: No Warning on Signing Arbitrary Data and Floating Version in package.json

[x] For vulnerabilities that have been deemed necessary to be addressed, are the links to the fixes attached to this issue? audited commit, fixes commit

[ ] For vulnerabilities that have been deemed not necessary to be addressed, is a reason for each of them documented in this issue?

[ ] The corresponding pull request in this repo has been merged.

Note :

Allowlisted commit id : 915079
Fixes commit id : 8bd00d

Diff files between the two :

package.json
packages/cardano-metamask-snap/images/icon.svg
packages/cardano-metamask-snap/package.json
packages/cardano-metamask-snap/snap.manifest.json
packages/cardano-metamask-snap/src/api/cardano__verifyAddress/index.test.ts
packages/site/src/hooks/useRequestSnap.ts
yarn.lock

Most of the changes are no-code change. Only a change in testing on the snap side and a change in the src of the companion dapp, diff is shown below:

diff --git a/packages/site/src/hooks/useRequestSnap.ts b/packages/site/src/hooks/useRequestSnap.ts
index a32623b..b35c9a3 100644
--- a/packages/site/src/hooks/useRequestSnap.ts
+++ b/packages/site/src/hooks/useRequestSnap.ts
@@ -25,12 +25,12 @@ export const useRequestSnap = (
     const snaps = (await request({
       method: 'wallet_requestSnaps',
       params: {
-        [snapId]: { version },
+        [snapId]: version ? { version } : {},
       },
     })) as Record<string, Snap>;

     // Updates the `installedSnap` context variable since we just installed the Snap.
-    setInstalledSnap(snaps[snapId] ?? null);
+    setInstalledSnap(snaps?.[snapId] ?? null);
   };

   return requestSnap;

Detail on the audit report :

The 2 low risk issues identified by the auditor have been corrected.

No Warning on Signing Arbitrary Data (ID SAY-01)
- Risk: Low
- Impact: Increased risk of users unknowingly signing malicious data, potentially leading to security breaches.
- Summary: The process to sign data does not warn users about the nature of the data they are endorsing. This can lead to signing something detrimental without adequate understanding.
- Mitigation: Recommend adding explicit warnings to inform users before they proceed with signing arbitrary data.
Floating Dependency Versions (ID SAY-02)
- Risk: Low
- Impact: Not specifying exact versions of dependencies may expose the software to supply chain attacks, similar to previous attacks like the one on BitPay wallet.
- Summary: Dependencies in the software are set to compatible versions rather than fixed ones, which increases the risk of introducing malicious updates unknowingly.
- Mitigation: Advise pinning dependencies to exact versions to mitigate potential risks from automatic updates.

MetaMask / snaps-registry

[New Snap] Cardano Wallet #658

Checklist