DVCW | Damn Vulnerable Crypto Wallet | extremely insecure Ethereum cryptowallet written in JavaScript | Infosecwithme
Damn Vulnerable Crypto Wallet is an extremely insecure Ethereum cryptowallet written in JavaScript.
It has three main modules:
- Desktop app: built with Electron and Vue
- Web API: built with NodeJS using Express, SQLite and Web3
- Local Ethereum blockchain: built using Truffle and Ganache-cli with deployed smart contracts written in Solidity
Setup
- Install Docker and Docker Compose
- Clone this repository
- In the root folder, run make install to deploy all backend services
- Wait for the "Started DVCW API on localhost:3000" message to appear on the console
- Download the desktop app latest release and launch it.
Features
- Wallet creation
- Wallet recovery using mnemonic
- Send Ethereum transactions to other addresses
- Attach a message to any transaction
- Two-factor authentication
- Profile management
- Interact with smart contracts: DVCToken & DVCTokenSale
List of Vulnerabilities
Vulnerabilities can be found in the Electron application, the web API or in the Ethereum smart contracts deployed to the local blockchain.
These include:
- Insecure storage (weak ciphers and hashing algorithms, no integrity checking mechanisms)
- Stored XSS to RCE
- Outdated Electron version
- Two-factor authentication bypass
- Open debug port vulnerable to DNS rebinding
- Protocol handler vulnerability (CVE-2018-1000118)
- Log files in packaged app
- SQL injection
- Wallet takeover
- Server-side JavaScript injection
- Path traversal
- CORS misconfiguration
- No session management
- Smart contract vulnerabilities:
  - Arithmetic misuse (overflows and underflows)
  - Inadequate access controls
  - Reentrancy
  - Bad randomness
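The "no integrity checking mechanisms" item above is worth seeing concretely, because it is the failure mode that lets an attacker who can write to the wallet's storage alter a stored secret without knowing the password. The block below is an added example, not DVCW's own keystore code: it seals a constructed 32-byte key once with AES-256-CBC and no MAC (the weak pattern), once with AES-256-GCM (authenticated), then flips one byte of each blob. CBC decrypts the tampered blob without complaint and returns an altered key; GCM refuses it. The key, the password, the salt handling and the `dvcw-keystore-v1` header are all assumptions made for the demo.

```javascript
// Added example, not part of DVCW. Shows why a wallet keystore needs
// authenticated encryption rather than a bare block cipher.
const crypto = require('node:crypto');

// Constructed sample private key (32 bytes of 0x11). Not a real wallet key.
const SAMPLE_PRIVATE_KEY = Buffer.from('11'.repeat(32), 'hex');

// Key-encryption key from the user's password. scrypt is a reasonable choice;
// a single MD5/SHA-1 pass over the password (a "weak hashing algorithm") is not.
function deriveKek(password, salt) {
  return crypto.scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Weak pattern: AES-256-CBC, nothing authenticates iv || ciphertext.
function sealCbc(plaintext, kek) {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-256-cbc', kek, iv);
  return Buffer.concat([iv, cipher.update(plaintext), cipher.final()]);
}

function openCbc(blob, kek) {
  const decipher = crypto.createDecipheriv('aes-256-cbc', kek, blob.subarray(0, 16));
  return Buffer.concat([decipher.update(blob.subarray(16)), decipher.final()]);
}

// Hardened pattern: AES-256-GCM, tag stored next to the ciphertext and a header
// bound in as associated data so it cannot be swapped either.
function sealGcm(plaintext, kek, aad) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', kek, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

function openGcm(blob, kek, aad) {
  const iv = blob.subarray(0, 12);
  const tag = blob.subarray(12, 28);
  const ct = blob.subarray(28);
  const decipher = crypto.createDecipheriv('aes-256-gcm', kek, iv);
  decipher.setAAD(aad);
  decipher.setAuthTag(tag);
  // final() throws if the tag does not match iv/aad/ciphertext.
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// What an attacker with write access to the keystore file can do: XOR one byte.
function flipByte(blob, index, mask) {
  const out = Buffer.from(blob);
  out[index] ^= mask;
  return out;
}

// Runs both schemes against the same tampering and reports what each did.
function tamperDemo(password = 'correct horse battery staple') {
  const salt = crypto.randomBytes(16);               // would be stored beside the blob
  const kek = deriveKek(password, salt);
  const aad = Buffer.from('dvcw-keystore-v1');       // hypothetical record header

  // CBC malleability: P[0] = D(C[0]) XOR IV, so flipping IV byte 0 flips
  // plaintext byte 0. Padding lives in the last block and is untouched,
  // so decryption succeeds and hands back a different key.
  const cbcBlob = sealCbc(SAMPLE_PRIVATE_KEY, kek);
  const cbcForged = openCbc(flipByte(cbcBlob, 0, 0x01), kek);

  // Same flip on the GCM nonce: the tag no longer verifies, decryption throws.
  const gcmBlob = sealGcm(SAMPLE_PRIVATE_KEY, kek, aad);
  let gcmRejected = false;
  try {
    openGcm(flipByte(gcmBlob, 0, 0x01), kek, aad);
  } catch (e) {
    gcmRejected = true;
  }

  return {
    cbcSilentlyAccepted: !cbcForged.equals(SAMPLE_PRIVATE_KEY),
    cbcFirstByte: cbcForged[0],   // 0x11 ^ 0x01 = 0x10
    gcmRejected,
  };
}
```

The practical consequence for a wallet: with the CBC scheme, a tampered keystore yields a key the app will happily use to derive an address and sign with, so funds sent to it are lost and the user sees no error. With GCM the app gets an exception and can refuse to load the wallet.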
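For the "arithmetic misuse" entry under the smart contract vulnerabilities, the bug is easiest to see by modelling uint256 arithmetic directly. The block below is an added example in JavaScript and is not the source of DVCToken or DVCTokenSale: it reproduces unchecked Solidity (pre-0.8) semantics with BigInt modulo 2^256, shows a token transfer whose balance check is vacuous because unsigned subtraction wraps instead of going negative, and contrasts it with checked (SafeMath-style) arithmetic that reverts. Addresses and balances are constructed for the demo.

```javascript
// Added example, not DVCW's contract code. Models uint256 in pre-0.8 Solidity
// with BigInt to show the classic balance underflow in a token transfer.
const MOD = 1n << 256n;
const UINT256_MAX = MOD - 1n;

// Wrapping arithmetic: how an unchecked uint256 behaves on chain.
const wrapAdd = (a, b) => (a + b) % MOD;
const wrapSub = (a, b) => (((a - b) % MOD) + MOD) % MOD;

// Checked arithmetic: SafeMath / Solidity >= 0.8 semantics, revert on wrap.
function checkedAdd(a, b) {
  const r = a + b;
  if (r > UINT256_MAX) throw new Error('revert: addition overflow');
  return r;
}

function checkedSub(a, b) {
  if (b > a) throw new Error('revert: subtraction underflow');
  return a - b;
}

// Vulnerable transfer. The require is the one often seen in old token code:
//   require(balances[msg.sender] - _value >= 0);
// For an unsigned type the subtraction can never be negative, so the check
// always passes and a zero balance wraps to 2^256 - 1.
function unsafeTransfer(balances, from, to, amount) {
  const remaining = wrapSub(balances[from] ?? 0n, amount);
  if (!(remaining >= 0n)) throw new Error('revert: insufficient balance'); // never fires
  balances[from] = remaining;
  balances[to] = wrapAdd(balances[to] ?? 0n, amount);
  return balances;
}

// Fixed transfer: checked subtraction reverts before any state changes.
function safeTransfer(balances, from, to, amount) {
  balances[from] = checkedSub(balances[from] ?? 0n, amount);
  balances[to] = checkedAdd(balances[to] ?? 0n, amount);
  return balances;
}

// Attacker with no tokens sends 1 token to any address.
function underflowDemo() {
  const attacker = '0xattacker'; // hypothetical address
  const victim = '0xvictim';     // hypothetical address
  const vulnerable = unsafeTransfer({ [attacker]: 0n, [victim]: 0n }, attacker, victim, 1n);

  let safeReverted = false;
  try {
    safeTransfer({ [attacker]: 0n, [victim]: 0n }, attacker, victim, 1n);
  } catch (e) {
    safeReverted = true;
  }

  return {
    attackerBalance: vulnerable[attacker],                  // 2^256 - 1
    mintedFromNothing: vulnerable[attacker] === UINT256_MAX,
    safeReverted,
  };
}
```

When auditing a token or token-sale contract, look for every subtraction on a balance or allowance and confirm that the bound check compares the operands (`amount <= balance`) rather than the result of the subtraction, or that the compiler version already enforces checked arithmetic.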
Download Link
https://gitlab.com/badbounty/dvcw
Reviewed by BlackHat on 12:00 PM