WalletConnect / walletconnect-monorepo

WalletConnect Monorepo
Apache License 2.0
1.47k stars, 716 forks

WalletConnect Vulnerability in Phishing Attacks #5400

Open TommyVersety opened 1 month ago

TommyVersety commented 1 month ago

WalletConnect Vulnerability in Phishing Attacks

Overview of the Vulnerability:

While this technology enhances user experience, it also introduces vulnerabilities, particularly in the context of phishing attacks. Malicious actors can create counterfeit dApps that closely resemble legitimate ones, tricking users into connecting their wallets. Once connected, these fake dApps can request sensitive information or initiate unauthorized transactions, risking the loss of assets.

Technical Details:

Connection Establishment: WalletConnect operates by generating a session between a dApp and a wallet. This is done through a unique bridge server that facilitates communication. If a user scans a QR code from a phishing site, the session can be initiated without proper validation of the dApp's authenticity.

Lack of Domain Verification: Currently, WalletConnect does not enforce strict checks on the domains from which the connection is initiated. A user might inadvertently connect to a malicious dApp that uses a similar name or branding as a legitimate one.

Message Signing: Upon connection, the dApp can send requests to sign messages or perform transactions. If the dApp is malicious, it can craft messages that appear benign but are harmful when executed.

Example of a Phishing Attack:

1. Phishing Site Creation: An attacker creates a fake dApp that mimics a popular DeFi platform.
2. User Interaction: A user, unaware, scans the QR code and connects their WalletConnect wallet.
3. Malicious Request: The fake dApp requests the user to sign a transaction that, when executed, drains the user's wallet.

Addressing the Vulnerability

To mitigate these risks, several strategies can be employed:

1. Domain Whitelisting: Users can maintain a list of trusted domains. The WalletConnect protocol can be enhanced to prompt users to verify that the dApp's domain matches their whitelist before proceeding with the connection.

2. Enhanced User Prompts: Implement user-friendly alerts that clearly indicate the domain of the dApp requesting the connection and require explicit user confirmation before signing any transactions.

3. Session Timeout and Auto-Disconnect: Introduce session timeouts that automatically disconnect the wallet after a defined period of inactivity, minimizing exposure to unauthorized access.

4. Integration of a Verification API: Create an API that checks the reputation of the dApp domain against a known list of phishing sites. If a domain is flagged, the connection should be denied.

Example Code for Domain Verification

Below is a simplified example of how to implement domain verification using JavaScript (attached as Domain Verification.txt):

// Assumes the WalletConnect v1 client package.
import WalletConnect from '@walletconnect/client';

const trustedDomains = ['https://trusted-dapp.com', 'https://another-trusted-dapp.com'];

async function connectWallet(dappUrl) {
    // Compare the dApp's origin (scheme + host + port) against the trusted list.
    // Comparing the raw href would reject any path or query string on a trusted site.
    let origin;
    try {
        origin = new URL(dappUrl).origin;
    } catch (e) {
        alert('Warning: The dApp URL could not be parsed. Please verify the URL.');
        return; // Prevent connection
    }
    if (!trustedDomains.includes(origin)) {
        alert('Warning: You are attempting to connect to an untrusted dApp. Please verify the URL.');
        return; // Prevent connection
    }

    // Proceed with WalletConnect connection
    const connector = new WalletConnect({
        bridge: 'https://bridge.walletconnect.org',
        qrcode: true,
    });

    // Handle session connection (registered before the session is created so the
    // event cannot be missed)
    connector.on('connect', (error, payload) => {
        if (error) {
            throw error;
        }
        const { accounts, chainId } = payload.params[0];
        console.log(`Connected with accounts: ${accounts} on chain: ${chainId}`);
    });

    if (!connector.connected) {
        // create a new session
        await connector.createSession();
        const uri = connector.uri;
        console.log(`Scan this QR code: ${uri}`);
    }
}

// Example usage
connectWallet(window.location.href); // Pass the current dApp URL
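As an added example (not from the issue above or from the WalletConnect codebase), the origin check below is what a wallet could run on a dApp URL before showing the connect prompt. It goes beyond the whitelist in the issue's snippet by rejecting non-https origins, substring lookalikes, internationalized (punycode) hostnames, and hosts on a deny list that stands in for the proposed verification API. The function name checkOrigin, the constants TRUSTED_ORIGINS and FLAGGED_HOSTS, and both sample lists are assumptions constructed for illustration.

```javascript
// Constructed sample allow list of exact origins (scheme + host + port).
const TRUSTED_ORIGINS = new Set([
  'https://trusted-dapp.com',
  'https://another-trusted-dapp.com',
]);

// Constructed sample of what a reputation/verification API might return:
// hostnames already reported as phishing.
const FLAGGED_HOSTS = new Set(['trusted-dapp.co', 'trusted-dapp-airdrop.com']);

// Returns { ok, reason } for a dApp URL; only ok === true should reach the
// connect prompt, and reason is what the wallet shows the user.
function checkOrigin(dappUrl) {
  let url;
  try {
    url = new URL(dappUrl);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'not https' };
  }
  // Deny list first: a flagged host is rejected even if it were whitelisted.
  if (FLAGGED_HOSTS.has(url.hostname)) {
    return { ok: false, reason: 'flagged' };
  }
  // The URL parser converts non-ASCII labels to punycode (xn--), which is how
  // homoglyph lookalikes of a Latin domain surface; treat them as suspicious.
  if (url.hostname.split('.').some((label) => label.startsWith('xn--'))) {
    return { ok: false, reason: 'internationalized hostname (possible homoglyph)' };
  }
  // Exact origin match, never a substring check: "trusted-dapp.com.evil.tld"
  // contains the trusted name but is a different site.
  if (!TRUSTED_ORIGINS.has(url.origin)) {
    return { ok: false, reason: 'not on allow list' };
  }
  return { ok: true, reason: 'trusted' };
}
```

Path and query components are ignored on purpose: a trusted site's deep link still matches its origin, while a different host never does.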

linear[bot] commented 1 month ago

CR-542 WalletConnect Vulnerability in Phishing Attacks