As the key to opening the Web3 world, Web3 wallets are responsible for securely hosting users' cryptocurrency assets. Once the wallet program itself is hacked, users' cryptocurrency assets will be at risk of theft.
Therefore, based on the responsibilities of Web3 wallets themselves, the SlowMist Security Team launched A Web Front-end Security Guide for Web and browser extension wallets and proposed the best security implementation for the management of the key lifecycle for wallets: generate, store, use, backup, and destroy. At the same time, referring to the OWASP MASVS international standard, we developed relevant security guidelines for the Web3 wallet client security audit items. The SlowMist Security Team hopes to ensure as much security as possible on the Web3 wallet client and reduce the risk of cryptocurrency asset theft through years of frontline security attack and defense experience and excellent international standards.
Web3 wallets, as the key to the Web3 world, must interact with a variety of DApps in Web3. During users' interactions, wallets face many security challenges. Hackers are very good at exploiting the design flaws of the interaction process to deceive users' assets, such as: using UI hijacking and tricking users into signing; using blind signatures to trick users into signing; using Permit signatures to steal users' assets; using TransferFrom zero transfer to deceive users for phishing; using the same tail number to execute the scam; phishing for NFT and other general phishing techniques.
In response to the users' interaction process and the common phishing techniques used by hackers, the SlowMist Security Team exclusively proposes a security audit during the users' interaction process, which includes: WYSIWYS (what you see is what you sign strategy); AML strategy; anti-phishing strategy; pre-execution strategy; and other strategies to defend against hacker attacks, reduce the risk of users being phished, and ensure the security of cryptocurrency assets.
Business Communication
Project Evaluation
Pay for Expenses
Security Audit
Issue a Report
On June 3, multiple Atomic Wallet users posted on social media that their wallet assets had been stolen. According to analysis, the total loss of Atomic Wallet users who had their assets stolen is now approximately $35 million. As the key to opening the Web3 world, Web3 wallets are responsible for securely hosting users’ cryptocurrency assets. Once the wallet program itself is hacked, users’ cryptocurrency assets will be at risk of theft.
A Wintermute wallet was recently attacked, resulting in a loss of approximately $160 million dollars. The root cause of this incident was Wintermute’s use of the Profanity tool to create a vanity wallet (beginning with 0x0000000) in an attempt to save on gas fees. This follows the recent announcement by 1inch, a DeFi exchange, that some Ethereum addresses created through Profanity contained severe vulnerabilities. We conducted a thorough investigation into this incident, and the following are our findings.
Celer Network officials stated on August 18 that between 3:45 and 6:00 Beijing time, certain cBridge users were directed to malicious smart contracts. Initially, the cBridge front-end interface was suspected of being compromised by DNS hijacking.