Key derivation function may be insecure
```ts
import CryptoJS from 'crypto-js'

const keySize = 256 // keySize is not defined in the quoted excerpt; 256 bits is assumed here
const iterations = 100 // the flagged value
const encrypt = (msg: string, pass: string) => {
  try {
    const salt = CryptoJS.lib.WordArray.random(128 / 8)
    const key = CryptoJS.PBKDF2(pass, salt, { // CryptoJS.PBKDF2 uses HMAC-SHA1 unless a hasher is given
      keySize: keySize / 32,
      iterations: iterations,
    })
    return key // the remainder of encrypt (the encryption of msg with key) is not shown in the finding
  } catch (e) {
    throw e
  }
}
```
OWASP's Password Storage Cheat Sheet recommended 720,000 iterations for PBKDF2-HMAC-SHA1 (the variant CryptoJS.PBKDF2 uses by default) at the time of this review, 7,200 times the 100 used here. At 100 iterations the key derivation adds almost no cost to guessing pass: an attacker who obtains the salt and ciphertext pays 100 HMAC computations per candidate password instead of 720,000. A count in the OWASP range may be unfeasible for a pure-JavaScript implementation such as CryptoJS, which is far slower than native PBKDF2, so the acceptable value should be measured on the target platform rather than assumed. At a minimum the count should be raised to 1,000, the floor NIST SP 800-132 recommends, and the chosen count stored alongside the salt so that it can be raised later without breaking data encrypted under the old value.
Remediation
Pontem states that this is currently not in use and will be removed in a future code cleanup.