Damn Vulnerable Crypto Wallet

by do son ·

Damn Vulnerable Crypto Wallet

DVCW

Damn Vulnerable Crypto Wallet is an extremely insecure Ethereum crypto wallet written in JavaScript. It has three main modules:

  1. Desktop app: built with Electron and Vue
  2. Web API: built with NodeJS using Express, SQLite and Web3
  3. Local Ethereum blockchain: built using Truffle and Ganache-cli with deployed smart contracts written in Solidity

Damn Vulnerable Crypto Wallet

Features

  • Wallet creation
  • Wallet recovery using mnemonic
  • Send Ethereum transactions to other addresses
  • Attach a message to any transaction
  • Two-factor authentication
  • Profile management
  • Interact with smart contracts: DVCToken & DVCTokenSale

List of Vulnerabilities

Vulnerabilities can be found in the Electron application, the web API or in the Ethereum smart contracts deployed to the local blockchain. These include:

  1. Insecure storage (weak ciphers and hashing algorithms, no integrity checking mechanisms)
  2. Stored XSS to RCE
  3. Outdated Electron version
  4. Two-factor authentication bypass
  5. Debug port open vulnerable to DNS rebinding
  6. Protocol handler vulnerability (CVE-2018-1000118)
  7. Log files in packaged app
  8. SQL injection
  9. Wallet takeover
  10. Server-side JavaScript injection
  11. Path traversal
  12. CORS misconfiguration
  13. No session management
  14. Smart contracts vulnerabilities:
    • Arithmetic misuse (Overflows and Underfows)
    • Inadequate access controls
    • Reentrancy
    • Bad randomness

Install

Copyright (c) 2018 BadBounty

Tags: Damn Vulnerable Crypto Wallet