Wallet Security
Wallets
Cryptocurrency wallets are the primary target for attackers. Understanding wallet architecture and common attack vectors is crucial.
Wallet Types & Attack Surfaces
Hot Wallets
- Browser extensions (MetaMask)
- Mobile apps
- Web wallets
- Exchange wallets
Cold Wallets
- Hardware wallets (Ledger, Trezor)
- Paper wallets
- Air-gapped computers
- Multi-sig setups
Common Attack Vectors
```text
# Seed phrase theft
# - Phishing sites mimicking wallets
# - Malicious browser extensions
# - Clipboard hijacking malware
# - Social engineering

# Malicious transactions
# - Blind signing (users don't read what they sign)
# - Approval for max uint256 (infinite spend)
# - Contract interactions that drain funds

# Check token approvals
# Use revoke.cash or Etherscan token approvals

# Fake token attacks
# - Airdropped tokens with malicious transfer()
# - Token names impersonating real tokens

# Address poisoning
# - Send small amounts from similar address
# - User copies wrong address from history
```
Analyzing Wallet Extensions
```bash
# Locate the browser extension
# Chrome stores installed extensions, already unpacked, under
# <extension id>/<version>/ in:
# Windows: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions
# Linux: ~/.config/google-chrome/Default/Extensions

# Unpack a packed .crx file
# (a .crx is a ZIP archive behind a CRX header; unzip warns about the
# extra header bytes but extracts the files)
unzip extension.crx -d extension_unpacked

# Look for:
# - Private key storage method
# - Encryption implementation
# - API endpoints
# - Permission scope

# Test for XSS in wallet UI
# Check if dapp can read wallet state
# Verify transaction signing flow
```
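The "Permission scope" and "Check if dapp can read wallet state" items above can be triaged from the extension's `manifest.json` before reading any code. The following is an added example, not part of the original page: the sample manifest is constructed, and the `SENSITIVE` permission set is an assumption chosen for illustration.

```python
import json

# Constructed sample manifest, not taken from any real extension.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Wallet",
    "permissions": ["storage", "clipboardRead", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
    "externally_connectable": {"matches": ["https://*.example.com/*"]},
    "web_accessible_resources": [
        {"resources": ["inpage.js"], "matches": ["<all_urls>"]}],
})

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions worth a manual look in a wallet. This set is an assumption
# made for the example, not an official risk rating.
SENSITIVE = {"clipboardRead", "clipboardWrite", "webRequest", "cookies",
             "nativeMessaging", "debugger", "history", "tabs", "scripting"}

def broad(patterns):
    """Return the match patterns that cover every site."""
    return sorted(p for p in patterns if p in BROAD_HOSTS)

def audit_manifest(text):
    """Return (field, value) findings for a manifest.json string."""
    m = json.loads(text)
    perms = m.get("permissions", [])
    # MV2 mixes host patterns into "permissions"; MV3 has "host_permissions".
    hosts = m.get("host_permissions", []) + perms
    out = [("permission", p) for p in sorted(set(perms) & SENSITIVE)]
    out += [("host access", h) for h in broad(hosts)]
    for cs in m.get("content_scripts", []):
        out += [("content script", h) for h in broad(cs.get("matches", []))]
    # Every origin listed here may open a message channel to the extension.
    ext = m.get("externally_connectable", {}).get("matches", [])
    out += [("externally_connectable", o) for o in ext]
    for war in m.get("web_accessible_resources", []):
        if isinstance(war, str):        # MV2: readable by any page
            out.append(("web_accessible", war))
        elif broad(war.get("matches", [])):
            out += [("web_accessible", r) for r in war.get("resources", [])]
    return out

if __name__ == "__main__":
    for field, value in audit_manifest(SAMPLE_MANIFEST):
        print(f"{field}: {value}")
```

To audit a real extension, pass the contents of `extension_unpacked/manifest.json` to `audit_manifest()`; each finding marks a field to review by hand, not a confirmed flaw.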