DVCW

Damn Vulnerable Crypto Wallet is an extremely insecure Ethereum crypto wallet written in JavaScript. It has three main modules:

1. Desktop app: built with Electron and Vue
2. Web API: built with NodeJS using Express, SQLite and Web3
3. Local Ethereum blockchain: built using Truffle and Ganache-cli with deployed smart contracts written in Solidity

Features

• Wallet creation
• Wallet recovery using mnemonic
• Send Ethereum transactions to other addresses
• Attach a message to any transaction
• Two-factor authentication
• Profile management
• Interact with smart contracts: DVCToken & DVCTokenSale

List of Vulnerabilities

Vulnerabilities can be found in the Electron application, the web API or in the Ethereum smart contracts deployed to the local blockchain. These include:

1. Insecure storage (weak ciphers and hashing algorithms, no integrity checking mechanisms)
2. Stored XSS to RCE
3. Outdated Electron version
4. Two-factor authentication bypass
5. Debug port open vulnerable to DNS rebinding
6. Protocol handler vulnerability (CVE-2018-1000118)
7. Log files in packaged app
8. SQL injection
9. Wallet takeover
10. Server-side JavaScript injection
11. Path traversal
12. CORS misconfiguration
13. No session management
14. Smart contracts vulnerabilities:
    • Arithmetic misuse (Overflows and Underfows)
    • Inadequate access controls
    • Reentrancy
    • Bad randomness

Install

Copyright (c) 2018 BadBounty