DVCW | Damn Vulnerable Crypto Wallet | extremely insecure Ethereum cryptowallet written in JavaScript | Infosecwithme

DVCW | Damn Vulnerable Crypto Wallet is an extremely insecure Ethereum cryptowallet written in JavaScript.

Damn Vulnerable Crypto Wallet is an extremely insecure Ethereum cryptowallet written in JavaScript. It has three main modules:

1. Desktop app: built with Electron and Vue
2. Web API: built with NodeJS using Express, SQLite and Web3
3. Local Ethereum blockchain: built using Truffle and Ganache-cli with deployed smart contracts written in Solidity

Setup

1. Install Docker and Docker Compose
2. Clone this repository
3. In the root folder, run make install to deploy all backend services
4. Wait for the "Started DVCW API on localhost:3000" message to appear on the console.
5. Download the desktop app latest release and launch it.

Features

• Wallet creation
• Wallet recovery using mnemonic
• Send Ethereum transactions to other addresses
• Attach a message to any transaction
• Two-factor authentication
• Profile management
• Interact with smart contracts: DVCToken & DVCTokenSale

List of Vulnerabilities

Vulnerabilities can be found in the Electron application, the web API or in the Ethereum smart contracts deployed to the local blockchain. These include:

1. Insecure storage (weak ciphers and hashing algorithms, no integrity checking mechanisms)
2. Stored XSS to RCE
3. Outdated Electron version
4. Two-factor authentication bypass
5. Debug port open vulnerable to DNS rebinding
6. Protocol handler vulnerability (CVE-2018-1000118)
7. Log files in packaged app
8. SQL injection
9. Wallet takeover
10. Server-side JavaScript injection
11. Path traversal
12. CORS misconfiguration
13. No session management
14. Smart contracts vulnerabilities:
    • Arithmetic misuse (Overflows and Underfows)
    • Inadequate access controls
    • Reentrancy
    • Bad randomness

Download Link

https://gitlab.com/badbounty/dvcw