Address and transactions privacy

We note that Family Wallet uses RPC servers managed by the developers to push transactions and obtain information about the network. Additionally, to perform some operations, the wallet needs to authenticate to the backend using information that includes the hash of the user's wallet address. Devices perform remote attestation using the iOS DeviceCheck APIs to prove to the backend that a real iOS device is making the requests.

This implies that the Family backend receives some information that could potentially be correlated to associate wallet addresses and transactions with the device and IP address that originated them. While this does not constitute a vulnerability in and of itself, it is important that users are aware of the potential privacy implications.

Zellic © 2024