Pontem Aptos Wallet assessment report, low findings
Category: Coding Mistakes

RPC responses can overwrite local state

Low Severity
Medium Impact
Low Likelihood

Description

The extension implicitly trusts all information returned by the RPC API, even letting it override local variables and state. The screenshots below show the locally stored chainId being overwritten with the devnet chainId via a malicious API response.

Figure: Devnet chainId in localstorage.

Figure: Local chainId set to the same value as the devnet chainId.

Impact

A malicious RPC can override locally stored variables such as the chainId, and the user is later prompted to sign messages with the overridden chainId. This may mislead the user, who would not expect to sign messages for a network with a chainId they did not configure.

Recommendations

Users should be prompted for additional network information that should never deviate, such as the chainId. The RPC responses can then be compared with the local variables and rejected if they do not match.

Remediation

A fix was introduced in commit 4f29b735 to only allow the devnet to change the ChainId, since the devnet ChainId may change over time.
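The following is an added example, not code from the Pontem wallet or its fix, of the check described in the recommendation and the remediation above: an RPC-reported chainId is compared with the locally configured one, the response is rejected on mismatch, and only a network flagged as devnet may update its stored value. All names, types and sample values are assumptions.

```typescript
// Added example (not Pontem's code): reconcile the chainId reported by an RPC
// node with the chainId the user configured locally, so an RPC response cannot
// silently rewrite local state. Names and sample values are assumptions.

interface NetworkConfig {
  name: string;
  chainId: number;
  // Only the devnet is allowed to update its stored chainId (it changes over time).
  chainIdMayChange: boolean;
}

// The relevant part of an Aptos ledger-info response: its `chain_id` field.
// Typed as unknown because the value comes from an untrusted source.
interface LedgerInfo {
  chain_id: unknown;
}

class ChainIdMismatchError extends Error {
  constructor(network: string, local: number, remote: number) {
    super(`RPC for ${network} reported chainId ${remote}, but ${local} is configured locally`);
    this.name = "ChainIdMismatchError";
  }
}

// Constructed sample of the user's locally stored networks (values are illustrative).
function sampleNetworks(): Record<string, NetworkConfig> {
  return {
    mainnet: { name: "mainnet", chainId: 1, chainIdMayChange: false },
    devnet: { name: "devnet", chainId: 37, chainIdMayChange: true },
  };
}

// Returns the chainId the wallet should use for `networkName`. Local state is
// updated only for a network marked chainIdMayChange; otherwise a differing
// RPC value is rejected and the stored value is left untouched.
function reconcileChainId(
  networks: Record<string, NetworkConfig>,
  networkName: string,
  ledger: LedgerInfo,
): number {
  const local = networks[networkName];
  if (local === undefined) throw new Error(`unknown network ${networkName}`);
  const remote = ledger.chain_id;
  // Validate the untrusted value before comparing it with anything.
  if (typeof remote !== "number" || !Number.isInteger(remote) || remote <= 0) {
    throw new Error(`invalid chain_id in RPC response for ${networkName}`);
  }
  if (remote === local.chainId) return local.chainId;
  if (local.chainIdMayChange) {
    local.chainId = remote; // devnet: accept the new value
    return local.chainId;
  }
  throw new ChainIdMismatchError(networkName, local.chainId, remote);
}
```

In the wallet, the rejection should surface to the user as a network error rather than feeding the signing flow, since the point is that the RPC value never reaches the signing prompt.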

Zellic © 2024