RabbyHub / Rabby

The game-changing wallet for Ethereum and all EVM chains
https://rabby.io

Supply chain security: do a deep dependency review, remove deps #1922

Open paulmillr opened 6 months ago

paulmillr commented 6 months ago

A deep review of cryptography usage needs to be done. Even though you're saying you're using scure/bip39 for mnemonics, that is not the case for every other feature.

  1. Why is crypto-browserify used? It is a very big module and its parts haven't been maintained for >= 5 years. Potentially vulnerable to stuff.
  2. Why is bignumber.js used? There are native bigints.
  3. ethereumjs-wallet v1.0.2 is outdated; it's using old / bad cryptography.
  4. ethers v5 uses outdated, old / bad cryptography.

All keyring and sdk modules must also be investigated.
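An added check, not code from the Rabby repository: given a package-lock.json (assumed lockfileVersion 2 or 3, i.e. a `packages` map keyed by node_modules path), it lists the packages this comment calls out and the dependency chain that pulls each one in, which is the concrete form of the "why is X used?" questions above. The sample lock and the `example-sdk` package are constructed for the demonstration, not taken from Rabby.

```javascript
const FLAGGED = [ // packages the issue calls out; `major` limits a rule to one major version
  { name: 'crypto-browserify', reason: 'large, parts unmaintained for years' },
  { name: 'bignumber.js', reason: 'native BigInt is available' },
  { name: 'ethereumjs-wallet', reason: 'outdated cryptography' },
  { name: 'ethers', major: 5, reason: 'v5 uses outdated cryptography' }];
const nameOf = (key) => key.slice(key.lastIndexOf('node_modules/') + 13);
// Node-style resolution inside the lock: nearest node_modules first, then upward.
function resolveDep(packages, fromKey, dep) {
  for (let base = fromKey; ; ) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + dep;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}
// BFS from the root ('' key) over resolved edges, recording each package's first parent.
function parentsFromRoot(packages) {
  const parent = new Map([['', null]]);
  for (const queue = ['']; queue.length; ) {
    const cur = queue.shift();
    for (const dep of Object.keys(packages[cur].dependencies || {})) {
      const target = resolveDep(packages, cur, dep);
      if (target && !parent.has(target)) { parent.set(target, cur); queue.push(target); }
    }
  }
  return parent;
}
function chainTo(parent, key) { // shortest chain of names from the root down to `key`
  if (!parent.has(key)) return null; // in the lock but not reachable from the root
  const out = [];
  for (let k = key; k !== null; k = parent.get(k)) out.unshift(k === '' ? '(root)' : nameOf(k));
  return out;
}
// Every flagged package in the lock, with the chain that pulls it in.
function auditLock(lock) {
  const parent = parentsFromRoot(lock.packages);
  return Object.entries(lock.packages).flatMap(([key, entry]) => {
    const rule = key && FLAGGED.find((r) => r.name === nameOf(key) &&
      (r.major === undefined || parseInt(entry.version, 10) === r.major));
    return rule ? [{ name: nameOf(key), version: entry.version, reason: rule.reason, chain: chainTo(parent, key) }] : [];
  });
}
const SAMPLE_LOCK = { packages: { // constructed sample, not Rabby's real lockfile; "example-sdk" is hypothetical
  '': { dependencies: { 'example-sdk': '^1.0.0', 'ethereumjs-wallet': '^1.0.2', ethers: '^5.7.2', 'bignumber.js': '^9.0.0' } },
  'node_modules/example-sdk': { version: '1.0.0', dependencies: { 'crypto-browserify': '^3.12.0' } },
  'node_modules/example-sdk/node_modules/crypto-browserify': { version: '3.12.0' },
  'node_modules/ethereumjs-wallet': { version: '1.0.2' }, 'node_modules/ethers': { version: '5.7.2' },
  'node_modules/bignumber.js': { version: '9.1.0' } } };
console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

Run it against a real lockfile with `auditLock(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; an `ethers` entry at major version 6 is left unflagged, so only the v5 concern from the list is reported.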

vvvvvv1vvvvvv commented 6 months ago

Sure, need some time to check them, will reply next week.

EroticKlaxon commented 3 months ago

Sure, need some time to check them, will reply next week.

It's next week, how we doin?