Malformed responses to the coinInfo API can soft lock the wallet
Description
On startup the extension automatically sends a request to the following endpoint of the configured RPC node: /v1/accounts/0x1/resource/0x1::coin::CoinInfo%3C0x1::aptos_coin::AptosCoin%3E
(the CoinInfo resource of AptosCoin). The response handler neither catches request errors nor validates the returned data, so a malformed response leaves the extension in a permanent soft lock.
There are multiple scenarios where this could happen:
RPC endpoint encounters an error
RPC endpoint is malicious
The request is retried automatically, so the extension stays bricked for as long as the endpoint keeps returning malformed data.
// Query function and options as passed to the data-fetching hook; the excerpt omits the enclosing call.
async () => {
  return aptos.getAccountResource(extractAddressFromType(token as string), composeType(network.structs.CoinInfo, [token as string]))
    .then((value: AptosResource<AptosCoinInfoResource>) => {
      // No .catch() and no validation of `value`: a rejected request or a body
      // without the expected fields is never reported, and the query is simply repeated.
      const type = token as string;
      const decimals = +value.data.decimals; // NaN if the field is missing or not numeric
      const name = value.data.name;
      const symbol = value.data.symbol;
      const alias = network.tokenAlias[token as string] ?? value.data.symbol;
      addTokenInfo({ name, symbol, decimals }); // unchecked values are stored as-is
      return { type, decimals, name, symbol, alias };
    })
},
{
  ...RefetchOptions.INFINITY,
  enabled: !!token
}
Impact
The bug leads to a permanent soft lock of the whole extension. A user can recover by navigating directly to chrome-extension://<extensionId>/index.html#/settings/
and switching to another network, or by reinstalling the extension.
Recommendations
We recommend validating RPC responses before using them and handling errors explicitly: catch request failures, check that the resource body carries the expected type and fields (decimals, name, symbol), and surface a failure to the user instead of retrying a malformed response indefinitely.
Remediation
A fix was introduced in commit 9b4ad36e, which adds error handling to the function so that a malformed or failed response no longer keeps the wallet extension in an endless retry loop.