ZenGo wallet developers, using a test network and a specially crafted malicious token-exchange application called baDAPProve, have demonstrated a widespread exploit affecting decentralized wallets. ZenGo published the details of the experiment on its blog.
According to ZenGo, when some decentralized applications (DApps) request approval for a transaction of a certain amount, the user unwittingly grants access to all of their available funds in that token.
If the DApp was malicious from the start or later turns out to be vulnerable, the user may lose all of their coins, even after they stop using the decentralized application. Attackers would then be able to access all the funds in this token without any further authorization.
“In almost every decentralized application, when it starts, the user unknowingly provides the DApp-related smart contract with full access to all of its funds, regardless of their actual use,” the blog post explains.
The exploit, which ZenGo calls baDAPProve, was found to affect popular wallets, including Opera, imToken, and Trust Wallet.
To illustrate the vulnerability, the company created a test network and a malicious application for exchanging tokens. After the user authorizes a transaction involving a certain number of virtual FRT tokens, baDAPProve withdraws all FRT coins from the wallet.
According to representatives of ZenGo, only Trust Wallet has planned an update; the other companies declined to do so, despite being aware of the problem.
As a result, the company released a patch that is available for applications of various decentralized services. The fix is also integrated into the recently launched ZenGo Savings feature for the Compound DeFi protocol.
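A wallet-side check for the behaviour described above, as an added example that is not ZenGo's patch or code from the original article: it decodes an approval request and compares the allowance being granted with the amount the user actually intends to spend. It assumes the token follows the ERC-20 standard (which the article does not name), where approvals use `approve(address,uint256)`; the spender address, the 18-decimal amount and the helper names are constructed for illustration.

```javascript
// Added example: review an ERC-20 approve() request before the wallet signs it.
// Assumption: standard ERC-20 ABI; approve(address,uint256) has selector 0x095ea7b3.
const APPROVE_SELECTOR = "095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" allowance value

// Decode approve() calldata into { spender, allowance }; null if it is another call.
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex)) throw new Error("calldata is not hex");
  if (!hex.startsWith(APPROVE_SELECTOR)) return null;
  // selector (4 bytes) + two 32-byte ABI words = 8 + 64 + 64 hex characters
  if (hex.length !== 8 + 64 + 64) throw new Error("malformed approve() calldata");
  const spenderWord = hex.slice(8, 72);
  if (!/^0{24}/.test(spenderWord)) throw new Error("spender word has non-zero padding");
  return {
    spender: "0x" + spenderWord.slice(24),
    allowance: BigInt("0x" + hex.slice(72)),
  };
}

// Compare the requested allowance with what the user means to spend (base units).
function reviewApproval(calldata, intendedAmount) {
  const call = decodeApprove(calldata);
  if (call === null) return { verdict: "not-approve" };
  let verdict = "ok";
  if (call.allowance === MAX_UINT256) verdict = "unlimited";
  else if (call.allowance > intendedAmount) verdict = "excessive";
  return { verdict, spender: call.spender, allowance: call.allowance };
}

// --- Constructed sample input (not captured from a real DApp) ---
const SPENDER = "00000000000000000000000000000000000000aa"; // placeholder contract address
const word = (n) => n.toString(16).padStart(64, "0");
const buildApprove = (amount) =>
  "0x" + APPROVE_SELECTOR + SPENDER.padStart(64, "0") + word(amount);

const tenTokens = 10n * 10n ** 18n; // 10 tokens, assuming 18 decimals
for (const requested of [tenTokens, MAX_UINT256]) {
  const r = reviewApproval(buildApprove(requested), tenTokens);
  console.log(`${r.verdict}: spender=${r.spender} allowance=${r.allowance}`);
}
```

A wallet can surface the `unlimited` and `excessive` verdicts in the confirmation dialog so the user sees the real allowance rather than only the swap amount.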
The developers promise to release a blog post with detailed information about the problem.
Recall that on March 12, against the backdrop of a market collapse, the largest Ethereum lending services, MakerDAO and Compound, experienced many liquidations of debt positions.