[New Snap] Stellar #985

Open
3 of 7 tasks
khanti42 opened this issue Jan 6, 2025 · 1 comment · May be fixed by #948


khanti42 commented Jan 6, 2025

Checklist

All items in the list below need to be satisfied.

  • Is the Snap repository publicly accessible and linked in this ticket: https://github.com/paulfears/StellarSnap
  • Is the Snap distributed on npm and linked in this ticket: https://www.npmjs.com/package/stellar-snap?activeTab=readme
  • Has an audit been performed and the audit report attached or linked in this issue?
  • Is a complete list of discovered vulnerabilities from the audit documented in this issue?
  • For vulnerabilities that have been deemed necessary to be addressed, are the links to the fixes attached to this issue?
  • For vulnerabilities that have been deemed not necessary to be addressed, is a reason for each of them documented in this issue?
  • The corresponding pull request in this repo has been merged.

Audit Details

Audit : https://github.com/paulfears/StellarSnap/tree/main/audits/Cure53%20V1.0.6
Audit Highlights: https://github.com/paulfears/StellarSnap/tree/main/audits/Cure53%20V1.0.6/auditHighlights

Identified Vulnerabilities

1. Critical

  • KYR-01-001: Private key leakage via setCurrentAccount RPC method.
    • Affected file: /src/Wallet.ts.
    • Impact: Potential exposure of private keys to malicious dApps.
    • Status: Fixed during the audit.

2. Medium

  • KYR-01-002: Markdown and control characters allowed in dialogs.
    • Impact: Potential UI manipulation for user spoofing.
    • Status: Fixed.
  • KYR-01-003: Account renaming without user confirmation.
    • Impact: Potential for confusion or trickery by malicious dApps.
    • Status: Fixed.
  • KYR-01-004: Omission of dApp origin in Snap UI dialogs.
    • Impact: Users can be misled into performing unintended actions.
    • Status: Fixed.

3. Low

  • KYR-01-005: Lack of parameter validation for RPC requests.
    • Impact: Potential for misbehavior from malicious input.
    • Status: Fixed.
  • KYR-01-006: clearState altering wallet without confirmation.
    • Impact: Risk of wallet state resets without user consent.
    • Status: Fixed.

Miscellaneous Findings

  • Observed security weaknesses, though not immediately exploitable.
  • Recommendations included strict parameter validation and improved user interaction design.

khanti42 linked a pull request Jan 6, 2025 that will close this issue
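
One way to address the dialog-related findings listed above (KYR-01-002 to KYR-01-005), as an added example that is not code from StellarSnap or the Cure53 report. The helper names `sanitizeForDialog` and `buildRenameDialog`, the stripped character set and the returned dialog shape are assumptions made for illustration.

```javascript
// Added illustration; not code from StellarSnap or the Cure53 audit.
// sanitizeForDialog and buildRenameDialog are hypothetical helpers.

// Characters a markdown-rendering dialog could interpret (assumed set).
const MARKDOWN_CHARS = /[\\`*_~\[\]()<>#|!]/g;
// C0/C1 controls plus zero-width, line-separator and bidi-override characters.
const CONTROL_CHARS =
  /[\u0000-\u001f\u007f-\u009f\u200b-\u200f\u2028-\u202e\u2060-\u2069\ufeff]/g;

// KYR-01-002: neutralise markdown and control characters in untrusted text.
function sanitizeForDialog(value, maxLen = 64) {
  if (typeof value !== 'string') throw new TypeError('expected a string');
  const cleaned = value
    .normalize('NFKC') // fold compatibility look-alikes (e.g. fullwidth asterisk)
    .replace(CONTROL_CHARS, ' ')
    .replace(MARKDOWN_CHARS, '')
    .replace(/\s+/g, ' ')
    .trim();
  if (cleaned.length === 0) throw new RangeError('nothing printable left');
  return cleaned.length > maxLen ? `${cleaned.slice(0, maxLen)}...` : cleaned;
}

// Builds the text of a confirmation dialog for a rename request.
// `origin` must come from the wallet runtime, never from the request params.
function buildRenameDialog(origin, params) {
  // KYR-01-005: reject malformed params before touching them.
  if (params === null || typeof params !== 'object' || Array.isArray(params)) {
    throw new TypeError('params must be an object');
  }
  const host = new URL(origin).host; // throws on a malformed origin
  const name = sanitizeForDialog(params.name);
  // KYR-01-003 / KYR-01-004: the user sees who is asking and what changes.
  return {
    heading: 'Rename account',
    lines: [`Request from: ${host}`, `New name: ${name}`],
  };
}

// Constructed sample input: a name carrying markdown, a newline and a bidi override.
const sample = buildRenameDialog('https://dapp.example', {
  name: 'Savings**\n\u202eevil_`',
});
console.log(sample.lines.join('\n'));
```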

khanti42 commented Jan 6, 2025

We asked if the audit could be put on the official website of Cure53 here: https://cure53.de/#publications. Not sure if this is a requirement to proceed further.
