Noob Ecosystem Info
The fastest multi-chain trading wallet. Execute trades in milliseconds across Ethereum, BSC, Base, and Solana directly from your browser.
TrustNet Score
The TrustNet Score evaluates crypto projects based on audit results, security, KYC verification, and social media presence. This score offers a quick, transparent view of a project's credibility, helping users make informed decisions in the Web3 space.
Real-Time Threat Detection
Real-time threat detection, powered by Cyvers.io, is currently not activated for this project.
This advanced feature provides continuous monitoring and instant alerts to safeguard your assets from potential security threats. Real-time detection enhances your project's security by proactively identifying and mitigating risks.
Security Assessments
Summary and Final Words
No crucial issues found
The contract does not contain issues of high or medium criticality. This means that no known vulnerabilities were found in the source code.
Contract is upgradeable
The contract uses a proxy pattern or similar mechanism, enabling future upgrades. This can introduce risks if the upgrade mechanism is not securely managed.
Scope of Work
This audit encompasses the comprehensive evaluation of the NoobWallet browser extension codebase as provided at the start of this engagement. The assessment was conducted on the complete extension architecture, including React frontend components, background scripts, content scripts, blockchain integrations, and manifest configuration built with modern JavaScript/TypeScript frameworks and Vite bundling.
The auditing process consists of the following systematic steps:
- Architecture and Extension Structure Review: Analyze the project's extension architecture, dependencies (package.json, manifest.json), component hierarchy, and service integrations to understand the overall browser extension design, multi-chain wallet functionality, and intended DeFi features including token detection, swapping, and wallet management across Ethereum, BSC, Solana, and BASE networks.
- Static Code Analysis: Conduct comprehensive automated analysis using ESLint, manual code inspection, and pattern matching to identify potential security vulnerabilities, cryptographic flaws, unsafe operations, and browser extension-specific security anti-patterns across 100+ source files totaling thousands of lines of JavaScript/React code.
- Cryptographic Implementation Assessment: Systematically review all cryptographic operations including PIN-based encryption, private key management, mnemonic generation, and key derivation functions, with particular focus on encryption key handling, salt usage, and secure random number generation practices.
- Authentication and Session Security Assessment: Analyze PIN-based authentication mechanisms, session management, timeout handling, and privilege escalation vulnerabilities, ensuring authentication systems meet security standards for protecting user funds and sensitive wallet data.
- Browser Extension Security Patterns: Evaluate the extension against browser security best practices, including content script injection safety, message passing security, permission usage, cross-origin request handling, and content security policy compliance specific to Chrome extension security model.
- Blockchain Integration and Transaction Security: Assess multi-chain wallet implementations for security vulnerabilities, including private key exposure, transaction signing safety, RPC endpoint security, smart contract interaction patterns, and potential attack vectors that could compromise user funds across supported blockchains.
- Input Validation and Data Sanitization: Review all user input processing, external API response handling, token metadata processing, and HTML injection points to identify XSS vulnerabilities, injection attacks, and ensure robust sanitization throughout the application data flow.
- Storage Security and Data Protection Assessment: Evaluate Chrome storage usage, localStorage fallbacks, sensitive data encryption, clipboard handling, and data persistence patterns to ensure user privacy and prevent unauthorized access to wallet credentials and transaction data.
- Third-Party Integration Security Review: Analyze external API integrations, remote configuration fetching, token detection services, and DEX platform interactions to identify man-in-the-middle vulnerabilities, data validation issues, and secure communication practices.
- Comprehensive Risk Classification: Categorize all findings by severity (Critical, High, Medium, Low, Informational) based on potential impact to user funds, wallet security, and operational integrity, providing detailed exploitation scenarios, proof-of-concept demonstrations, and specific remediation guidance for each vulnerability.
This audit reflects the state of the browser extension codebase at a specific point in time (version 1.0.7) and current browser security model. Any modifications made to the extension code, manifest permissions, external dependencies, or underlying browser APIs after this review may introduce new conditions or vulnerabilities that were not within the scope of this assessment. All critical and high-severity findings must be addressed and re-tested before production deployment to browser extension stores.
Final Words
The following provides a concise summary of the audit report, accompanied by insightful comments from the auditor. This overview captures the key findings and observations, offering valuable context and clarity.
Browser Extension Security Analysis Statement
Extension Analysis
The NoobWallet extension implements a multi-chain cryptocurrency wallet supporting Ethereum, BSC, Solana, and BASE networks with automated token detection and swap functionality. Following comprehensive security improvements, the extension now demonstrates robust cryptographic practices and secure architecture. Key security enhancements include:
- Cryptographic implementation completely overhauled with proper PBKDF2 key derivation (310,000 iterations) and Web Crypto API usage
- Session-based security architecture with ephemeral keys and automatic cleanup mechanisms
- Comprehensive input validation and sanitization across external API integrations
- Elimination of hardcoded encryption keys and direct PIN usage vulnerabilities
Extension Permissions & Privileges
The extension operates with appropriately scoped browser extension permissions including storage, tabs, and activeTab access. The extension maintains reasonable privileged access to:
- Chrome storage for persistent wallet data with proper encryption practices
- Active tab content for token detection limited to DexScreener and DexTools
- Cross-origin requests to external APIs with signature verification for configurations
- Clipboard access for mnemonic phrase operations (automatic clearing recommended)
- Permissions are appropriately scoped and avoid excessive browser access
- Content script injection is limited to specific trading platforms
- No access to sensitive browser APIs like downloads or bookmarks
- Host permissions are restricted to specific domains rather than all URLs
Security Architecture Features
The extension implements several robust security design patterns:
- PIN-based authentication with secure session management and 3-hour automatic timeout
- Hierarchical deterministic (HD) wallet generation using established bip39 libraries with secure entropy
- Separation of concerns with dedicated chain implementations for each blockchain
- Use of established blockchain libraries (viem) for transaction handling and cryptographic operations
- Proper token address validation and sanitization preventing injection attacks
- Cryptographic signature verification for remote configuration updates
Current Security Status
All critical security vulnerabilities have been resolved, with the extension now implementing industry-standard cryptographic practices. Remaining issues are primarily operational improvements including race condition handling in token detection and clipboard security enhancements. The extension demonstrates significant security improvements and is suitable for production use with standard cryptocurrency security precautions.
Note - This Audit report consists of a comprehensive security re-analysis of the NoobWallet browser extension codebase. This analysis focused on security vulnerabilities, cryptographic implementations, and architectural security patterns. The audit did not include economic analysis of supported tokens, smart contract security of integrated DEXs, or blockchain protocol security. We examined the extension code, manifest permissions, and client-side security practices. The extension has undergone substantial security improvements and now implements proper cryptographic practices, though users should continue to exercise standard cryptocurrency security precautions.
Files and details
Findings and Audit result
critical Issues | 4 findings
Resolved
#1 critical Issue
Hardcoded Session Key for PIN Encryption
The application uses a hardcoded session key 'hyperbolt_session_2024' for PIN encryption, which provides no actual security. Since this key is visible in the source code, any attacker can extract it and decrypt stored PIN data. The vulnerability allows complete bypass of PIN protection by simply using the hardcoded key to decrypt data from Chrome storage. This affects all users as their PINs become accessible to anyone with source code access. The fix requires removing hardcoded keys entirely and implementing proper key derivation using PBKDF2 with random salt and at least 100,000 iterations.
Resolved
#2 critical Issue
PIN Used Directly as Encryption Key
The wallet uses 6-digit PINs directly as AES encryption keys without any salt or key derivation functions. This makes brute force attacks trivial since there are only 1,000,000 possible PIN combinations. An attacker can iterate through all possible PINs and attempt to decrypt the stored mnemonic phrase, validating success using bip39.validateMnemonic(). The attack can be completed in seconds on modern hardware. This vulnerability compromises all encrypted wallet data including private keys and mnemonic phrases, leading to complete wallet takeover. The solution requires implementing proper key derivation using PBKDF2 with random salt and minimum 100,000 iterations, or using Web Crypto API's crypto.subtle.deriveKey().
Resolved
#3 critical Issue
Sensitive Data Logged to Console
The referral code processing functionality logs sensitive user data and API responses directly to the browser console. This includes referral codes, user addresses, and API responses that may contain private information. Console logs are accessible to any script running on the page and persist in browser developer tools. Malicious websites or browser extensions could potentially access this logged information. The vulnerability affects user privacy and could expose referral relationships or other sensitive data. The fix requires removing all console logging of sensitive data and implementing proper error handling that doesn't expose private information.
Resolved
#4 critical Issue
Private Keys Stored in Memory as Class Properties
Private keys are stored as class properties (this._privateKey) in memory for extended periods, making them accessible through browser debugging tools or memory inspection. An attacker with access to the browser's developer tools can inspect the EVMChain class instances and extract private keys directly from memory. This vulnerability also exposes private keys to memory dumps and heap analysis tools. The risk is particularly high because private keys remain in memory throughout the application lifecycle rather than being cleared after use. Complete wallet compromise occurs if private keys are extracted. The mitigation involves minimizing private key lifetime in memory, clearing sensitive data immediately after use, and implementing secure memory management practices.
high Issues | 2 findings
Resolved
#1 high Issue
Unsigned Remote Configuration Updates
The application fetches configuration data from a remote server without cryptographic signature verification. This allows attackers to perform man-in-the-middle attacks and inject malicious configuration data. An attacker intercepting network traffic or compromising the configuration server could modify chain configurations, RPC endpoints, or contract addresses. This could redirect users to malicious smart contracts, steal funds through fake DEX addresses, or compromise wallet functionality. The vulnerability affects all users during configuration updates and could lead to widespread fund loss. The solution requires implementing asymmetric cryptography to sign configuration data server-side and verify signatures client-side before applying any configuration changes.
Resolved
#2 high Issue
Unvalidated External API Responses
External API responses from token services are processed without validation for malicious content or data integrity. The application trusts data from third-party APIs without sanitization, which could lead to various injection attacks or data corruption. Malicious API responses could contain crafted data designed to exploit parsing vulnerabilities, inject malicious content into the UI, or cause application crashes. This affects token information display, pricing data, and metadata processing. An attacker controlling or compromising external APIs could manipulate displayed information, potentially leading users to make incorrect trading decisions or exposing them to further attacks. The fix requires implementing comprehensive input validation, response sanitization, and schema validation for all external API responses.
medium Issues | 2 findings
Resolved
#1 medium Issue
Hardcoded API Keys in RPC URLs
RPC URLs containing API keys are hardcoded directly in the configuration files, exposing sensitive credentials in the source code. These API keys for services like QuickNode are visible to anyone with access to the codebase, including in version control systems, build artifacts, and deployed code. Exposed API keys can be misused by attackers to make unauthorized requests, potentially leading to service abuse, quota exhaustion, or additional charges for the legitimate account holder. This also creates a single point of failure where compromised keys affect all users. The vulnerability impacts the reliability and security of blockchain connectivity. The solution requires moving API keys to environment variables, implementing secure configuration management, or using key rotation mechanisms with proper access controls.
Resolved
#2 medium Issue
Integer Overflow in parseUnits Function
The parseUnits function is called without proper validation of decimal precision parameters, which could lead to integer overflow or underflow conditions. Invalid decimal values or extremely large numbers could cause unexpected behavior in transaction amount calculations. This vulnerability could result in incorrect token amounts being processed, potentially leading to failed transactions, loss of funds, or exploitation by attackers who craft specific input values to trigger overflow conditions. The issue affects swap calculations and could be exploited to manipulate transaction amounts. Users might unknowingly approve transactions with incorrect values due to calculation errors. The fix requires implementing proper bounds checking, validating decimal precision against token specifications, and using safe arithmetic operations that handle overflow conditions gracefully.
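A bounds-checked amount parser of the kind the finding calls for, written as an added example for this page (it is neither NoobWallet's nor viem's code). It works entirely in `BigInt`, rejects a decimals value outside a token's possible range, refuses amounts with more fractional digits than the token supports rather than rounding them, caps the result at `uint256`, and pairs the parser with a formatter so the UI can show the user exactly the value that will be signed. The swap-balance guard and the sample values are constructed.

```javascript
// Added example (not NoobWallet or viem code): bounds-checked parseUnits.
const MAX_UINT256 = (1n << 256n) - 1n;

class AmountError extends Error {}

// Convert a human-entered decimal string to the token's smallest unit.
function safeParseUnits(amount, decimals) {
  if (!Number.isInteger(decimals) || decimals < 0 || decimals > 255) {
    throw new AmountError(`decimals out of range: ${decimals}`);
  }
  // Plain digits with an optional fraction only: no exponents, signs,
  // whitespace or locale separators, which are where surprises come from.
  if (typeof amount !== 'string' || !/^\d+(\.\d+)?$/.test(amount)) {
    throw new AmountError(`amount must be a plain decimal string: ${amount}`);
  }
  const [whole, frac = ''] = amount.split('.');
  if (frac.length > decimals) {
    // Refuse instead of rounding so the signed amount is always the typed one.
    throw new AmountError(`amount has ${frac.length} fractional digits; token supports ${decimals}`);
  }
  const scaled = BigInt(whole + frac.padEnd(decimals, '0'));
  if (scaled > MAX_UINT256) throw new AmountError('amount exceeds uint256');
  return scaled;
}

// Inverse for display: smallest unit back to a decimal string.
function formatUnits(value, decimals) {
  const s = value.toString().padStart(decimals + 1, '0');
  const whole = s.slice(0, s.length - decimals);
  const frac = s.slice(s.length - decimals).replace(/0+$/, '');
  return frac ? `${whole}.${frac}` : whole;
}

// Swap-path guard: positive and within the on-chain balance, all in BigInt so
// no floating-point rounding creeps into the comparison.
function checkSwapAmount(amount, decimals, balance) {
  const value = safeParseUnits(amount, decimals);
  if (value === 0n) throw new AmountError('amount must be positive');
  if (value > balance) throw new AmountError('amount exceeds balance');
  return value;
}

// Constructed usage: 1.5 of an 18-decimal token, then a refused over-precise input.
console.log(safeParseUnits('1.5', 18).toString(), formatUnits(safeParseUnits('1.5', 18), 18));
try { safeParseUnits('1.5', 0); } catch (e) { console.log(e.message); }
```

Reading `decimals` from the token's own contract (`decimals()`) and passing that value here, rather than trusting a figure from an external API, closes the loop with the unvalidated-response finding above.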
low Issues | 8 findings
Resolved
#1 low Issue
Decryption Errors Logged to Console
Decryption errors logged to the console could give an attacker information about encryption failures.
Resolved
#2 low Issue
CSS Injection via Inline Styles
Inline styles are injected without proper sanitization, which could allow CSS-based attacks.
Resolved
#3 low Issue
Token Address Validation Bypass
Token addresses are normalized to lowercase without proper validation, so invalid addresses could be accepted.
Resolved
#4 low Issue
Internal System Details in Error Messages
Comprehensive error logging exposes internal system details that could aid attackers.
Resolved
#5 low Issue
Insecure localStorage Fallback in Development
The application falls back to localStorage when Chrome storage is unavailable, typically during development. localStorage is less secure than Chrome extension storage as it's accessible to any script on the same origin and persists indefinitely without proper cleanup. Sensitive wallet data stored in localStorage could be accessed by malicious scripts injected into the development environment or persist longer than intended. While primarily a development issue, it could affect users if the production build inadvertently uses localStorage. The risk includes exposure of encrypted wallet data, session information, and user preferences. The fix requires implementing secure alternatives even in development mode, such as using sessionStorage with automatic cleanup or implementing a secure fallback storage mechanism.
Acknowledged
#6 low Issue
Mnemonic Phrase Exposed in Clipboard
The application copies mnemonic phrases to the clipboard without implementing automatic clearing mechanisms. This leaves sensitive seed phrases in clipboard memory where they can be accessed by other applications, malware, or clipboard managers. The mnemonic phrase remains accessible until the user copies something else or restarts their system. Clipboard access is available to many applications and services, creating a significant attack vector for seed phrase theft. Compromised seed phrases lead to complete wallet compromise across all supported blockchains. The risk is particularly high on shared or compromised systems where clipboard monitoring malware might be present. The fix requires implementing automatic clipboard clearing after a short timeout (30-60 seconds) or warning users about clipboard security risks and providing manual clear options.
Acknowledged
#7 low Issue
Cross-Site Scripting in Token Metadata Display
The token detector dynamically injects HTML content using user-controlled token metadata without proper sanitization. Malicious tokens can include JavaScript code in their metadata (name, symbol, or description) that gets executed when the widget is displayed. This creates a stored XSS vulnerability where malicious token creators can execute arbitrary JavaScript in users' browsers. The attack vector involves creating a token with malicious metadata on supported DEXs, which then gets displayed in the extension's interface. This can lead to session hijacking, credential theft, or unauthorized transactions. The fix requires implementing proper HTML sanitization using DOMPurify or similar libraries, and using safe DOM manipulation methods like textContent instead of innerHTML.
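Three findings on this page, the unvalidated external API responses (High #2), the lowercase-before-validate address handling (Low #3) and the HTML injected from token metadata (Low #7), are all addressed at the same boundary: validate and normalise the response once, keep only the fields you understand, and never let a raw string reach `innerHTML`. The block below is an added example, not NoobWallet's code; the response schema (`chain`, `address`, `name`, `symbol`, `decimals`, `priceUsd`), the size limits and the widget markup are assumptions. Assigning the strings via `textContent` is the preferred fix; `escapeHtml` is shown for the case where an HTML string must be built.

```javascript
// Added example (not NoobWallet code): validate a token-metadata response
// before it touches wallet state or the UI.
const EVM_ADDRESS = /^0x[0-9a-fA-F]{40}$/;
const MAX_NAME = 64;
const MAX_SYMBOL = 16;
const ALLOWED_CHAINS = new Set(['ethereum', 'bsc', 'base']); // constructed set

class InvalidTokenResponse extends Error {}

function requireString(obj, key, maxLen) {
  const v = obj[key];
  if (typeof v !== 'string' || v.length === 0 || v.length > maxLen) {
    throw new InvalidTokenResponse(`${key}: expected non-empty string of at most ${maxLen} chars`);
  }
  // Control characters have no business in a token name or symbol.
  return v.replace(/[\u0000-\u001f\u007f]/g, '');
}

// Validate first, then normalise. Lower-casing before validation (the pattern
// the report flags) would pass a malformed address through unchanged.
function normalizeAddress(raw) {
  if (typeof raw !== 'string' || !EVM_ADDRESS.test(raw)) {
    throw new InvalidTokenResponse('address: not a 20-byte hex address');
  }
  return raw.toLowerCase();
}

function validateTokenResponse(body) {
  if (!body || typeof body !== 'object' || Array.isArray(body)) {
    throw new InvalidTokenResponse('body: expected object');
  }
  if (!ALLOWED_CHAINS.has(body.chain)) throw new InvalidTokenResponse('chain: unsupported');
  const { decimals } = body;
  if (!Number.isInteger(decimals) || decimals < 0 || decimals > 255) {
    throw new InvalidTokenResponse('decimals: expected integer in [0,255]');
  }
  const priceUsd = Number(body.priceUsd);
  if (!Number.isFinite(priceUsd) || priceUsd < 0) throw new InvalidTokenResponse('priceUsd: invalid');
  // Build a fresh object holding only known fields; anything else in the
  // response is dropped rather than carried into wallet state.
  return {
    chain: body.chain,
    address: normalizeAddress(body.address),
    name: requireString(body, 'name', MAX_NAME),
    symbol: requireString(body, 'symbol', MAX_SYMBOL),
    decimals,
    priceUsd,
  };
}

// Last line of defence when a string must end up inside HTML markup.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Widget markup built only from validated, escaped fields.
function renderTokenWidgetHtml(token) {
  const t = validateTokenResponse(token);
  return `<div class="token"><span class="sym">${escapeHtml(t.symbol)}</span> ` +
    `<span class="name">${escapeHtml(t.name)}</span></div>`;
}

// Constructed sample response, including an unknown field that is dropped.
const sample = {
  chain: 'ethereum',
  address: '0xABCDEFabcdef0123456789ABCDEF0123456789ab',
  name: 'Sample Token',
  symbol: 'SMPL',
  decimals: 18,
  priceUsd: '1.5',
  extra: 'ignored',
};
console.log(validateTokenResponse(sample), renderTokenWidgetHtml(sample));
```

Schema validation belongs at the fetch boundary, not in the rendering code: once `validateTokenResponse` has run, every downstream consumer (storage, swap parameters, the widget) can rely on the shape and size of the data.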
Pending
#8 low Issue
Race Conditions in Token Detection Handling
The background script handles concurrent token detection events without proper synchronization, creating race conditions that could corrupt application state. When multiple tabs detect tokens simultaneously or rapid navigation occurs, concurrent calls to handleTokenDetected() can interfere with each other. This can result in inconsistent wallet state, incorrect token information being stored, or loss of detection data. The race condition affects the reliability of token detection and could cause user confusion when wrong token information is displayed. In severe cases, state corruption could lead to transaction errors or incorrect swap parameters. The fix requires implementing proper synchronization mechanisms such as mutex locks, queuing systems, or atomic state updates to ensure only one token detection operation processes at a time.
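One of the synchronization mechanisms the finding lists, a promise queue that runs `handleTokenDetected()` calls one at a time, as an added example written for this page rather than NoobWallet's code. The wallet state, the detection event shape and the timer standing in for the handler's I/O step are constructed; the demo runs the same two concurrent events through an unserialised handler and through the queue, and shows that only the queued version keeps both detections.

```javascript
// Added example (not NoobWallet code): serialise token-detection events.

// A minimal async mutex: each task starts only after the previous one settles.
function createSerialQueue() {
  let tail = Promise.resolve();
  let pending = 0;
  return {
    run(task) {
      pending += 1;
      const result = tail.then(task);
      // Keep the chain alive even if a task rejects; the caller still sees the
      // rejection through `result`.
      tail = result.catch(() => {}).finally(() => { pending -= 1; });
      return result;
    },
    pending: () => pending, // tasks running or waiting (constructed helper)
  };
}

// Constructed wallet state and handler. The handler reads state, awaits an
// I/O step (a timer here), then writes back: the classic lost-update race.
function createDetector() {
  const state = { tokens: {}, lastDetected: null };
  const queue = createSerialQueue();

  async function handleTokenDetectedUnsafe(event) {
    const snapshot = { ...state.tokens };
    await new Promise((resolve) => setTimeout(resolve, 5));
    snapshot[event.address] = event.tabId;
    state.tokens = snapshot; // last writer wins; earlier detections vanish
    state.lastDetected = event.address;
  }

  // Same logic, but every call goes through the queue.
  function handleTokenDetected(event) {
    return queue.run(() => handleTokenDetectedUnsafe(event));
  }

  return { state, queue, handleTokenDetected, handleTokenDetectedUnsafe };
}

// Two tabs report different tokens at the same moment.
async function demoRace() {
  const events = [
    { address: '0xaaaa', tabId: 1 }, // constructed addresses
    { address: '0xbbbb', tabId: 2 },
  ];
  const unsafe = createDetector();
  await Promise.all(events.map((e) => unsafe.handleTokenDetectedUnsafe(e)));
  const safe = createDetector();
  await Promise.all(events.map((e) => safe.handleTokenDetected(e)));
  return {
    unsafeCount: Object.keys(unsafe.state.tokens).length, // 1: one detection lost
    safeCount: Object.keys(safe.state.tokens).length,     // 2: both kept
  };
}

demoRace().then((r) => console.log(r));
```

In a Manifest V3 service worker the queue must also survive the worker being suspended: anything that must not be lost between events should be persisted to `chrome.storage` at the end of each serialised task, not only held in memory.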
informational Issues | 2 findings
Resolved
#1 informational Issue
Excessive Session Timeout Duration
A 12-hour session timeout is quite long for a financial application; consider a shorter duration.
Resolved
#2 informational Issue
Excessive Console Logging with Sensitive Data
The codebase contains 298 console.log and console.error statements across 44 files, many of which potentially log sensitive information including user data, API responses, and internal system details. Console logs in production builds are accessible through browser developer tools and could expose private information to anyone with access to the user's browser. This includes wallet addresses, transaction details, API keys, error messages with internal paths, and debugging information that could aid attackers in understanding system vulnerabilities. The extensive logging creates an information disclosure risk and could help attackers profile the application for further attacks. The fix requires implementing conditional logging that is completely disabled in production builds, auditing all existing console statements for sensitive data, and establishing logging guidelines for future development.