Coinspect discovered a vulnerability in over 27 software wallets

A UI Flaw in Top Crypto Wallets

--

Coinspect discovered a vulnerability in over 27 software wallets which could allow malicious websites to deceive users into sending all their funds to attackers. The root cause was a lack of input validation that allowed arbitrary text, including empty lines and Unicode characters, to be displayed as part of the signature request. This flaw made it feasible for attackers to craft and present misleading messages that appeared as genuine elements of the wallet’s user interface.

In the example screenshot below, the signature request displays a fake transaction simulation crafted to impersonate the wallet's own interface. The actual ‘Permit’ message (an unlimited token allowance) is pushed out of view beneath several whitespace lines.
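As an added example (not Coinspect's code nor any wallet's), this is the kind of display-side normalization a wallet could apply to sign-message text before rendering it in the confirmation dialog; the sample message, the blank-line limit and the function name are constructed assumptions:

```javascript
// Added example: make the two tricks described above visible before display.
// Characters that render as nothing or reorder text (zero-width, BOM, soft
// hyphen, bidi overrides/isolates, C0/C1 controls except tab/newline) must
// never reach the screen unescaped.
const INVISIBLE_RE = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F-\u009F\u00AD\u200B-\u200F\u2028\u2029\u202A-\u202E\u2060-\u2064\u2066-\u2069\uFEFF]/g;

// Assumed policy: at most one consecutive blank line survives.
const MAX_CONSECUTIVE_BLANK_LINES = 1;

function normalizeSignMessage(message) {
  const warnings = [];
  // 1. Collapse blank-line padding that pushes content below the fold, and
  //    report how much was removed so the dialog can warn the user.
  const lines = message.replace(/\r\n?/g, '\n').split('\n');
  const kept = [];
  let blankRun = 0;
  for (const line of lines) {
    if (line.trim() === '') {
      blankRun += 1;
      if (blankRun > MAX_CONSECUTIVE_BLANK_LINES) continue;
    } else {
      blankRun = 0;
    }
    kept.push(line);
  }
  if (kept.length !== lines.length) {
    warnings.push('removed ' + (lines.length - kept.length) + ' padding line(s)');
  }
  // 2. Replace invisible / bidi characters with a visible U+XXXX escape.
  let invisibleCount = 0;
  const text = kept.join('\n').replace(INVISIBLE_RE, (ch) => {
    invisibleCount += 1;
    const hex = ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0');
    return '\\u{' + hex + '}';
  });
  if (invisibleCount > 0) {
    warnings.push(invisibleCount + ' invisible/bidi character(s) escaped');
  }
  // 3. Flag remaining non-ASCII so reviewers notice lookalike characters.
  if (/[^\x20-\x7E\n\t]/.test(text)) warnings.push('message contains non-ASCII characters');
  return { text, warnings };
}

// Constructed sample: a fake "simulation", 40 blank lines, then the real
// request with a zero-width space hidden inside "Permit".
const CONSTRUCTED_MESSAGE =
  'Transaction Simulation\nYou will receive: 1.5 ETH\n' +
  '\n'.repeat(40) +
  'Per\u200Bmit: unlimited allowance';
```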

Interested in learning more about the vulnerability's technical details and which wallets were affected?

Check out our detailed blog post.

--

Coinspect Security

You Build. We Defend. Since 2014 protecting critical decentralized systems: L1 nodes, smart contract audits, wallets, web3 dApps, exchanges, bridges.