In brief

  • Crypto wallet maker ZenGo has highlighted a purportedly widespread dapp exploit.
  • The company publicly shared a solution it created to overcome the issue.
  • ZenGo makes a keyless crypto wallet with a Compound-based savings feature.

Ever connected an Ethereum dapp to your crypto wallet? You might not have run into any issues with unauthorized access to your tokens, but according to ZenGo, some decentralized apps and wallets leave that door wide open.

In a post published today, ZenGo—makers of a keyless crypto wallet—detailed what the company claims is a common oversight in such dapps. According to ZenGo, when some dapps ask for approval for a transaction in a certain amount, what you’re actually authorizing is access to all of your holdings of that token. And if attackers gain access via a security flaw or if the dapp hails from a nefarious source, those holdings could be accessed again without need for further approval.

“In almost every dapp, when the user connects to it, they unknowingly provide the smart contract associated with the dapp full access to all of their funds, regardless of their actual usage,” reads the post. “Therefore, even if the user only actually sent a transaction equivalent to $1, an attacker abusing a smart contract vulnerability can withdraw all of the user’s holdings of that specific asset. The situation is aggravated by the fact that many wallets do not communicate that fact to their users.”

ZenGo calls the oversight “baDAPProve,” and claims that it encountered such issues while researching wallets including Opera, imToken, and Trust Wallet—none of which made it clear to users that they were allowing access to all holdings of a particular token. The company built an interactive demo on a testnet to show the problem in action. According to ZenGo, when it told the companies about the issue, all three were aware but “only Trust Wallet is planning to upgrade their wallet as a result of our inquiry.”

Ultimately, the company implemented a solution for its newly launched, Compound-based ZenGo Savings feature, and has issued a fix that’s available for other apps to use—even those that don’t utilize Compound. The solution approves exactly the amount you plan to send, and you only need to approve it once; the approval and the transfer are then sent together. A technical blog will follow soon with further details for developers.
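To make the difference concrete, here is an added example (not ZenGo's code or its fix) that models ERC-20 approve/allowance/transferFrom in memory and compares what an "unlimited" approval leaves exposed after a $1-sized spend with an exact-amount approval; addresses, balances, and the rule that a max-uint allowance is never decremented are constructed assumptions.

```python
# Added example (not ZenGo's code): a minimal in-memory model of ERC-20
# approve/allowance/transferFrom, used to show what an "unlimited" approval
# exposes versus an exact-amount approval. Addresses and balances are constructed.
MAX_UINT256 = 2**256 - 1  # the value dapps commonly pass to approve() for "unlimited"


class Token:
    """Toy ERC-20 ledger; balances and allowances keyed by address strings."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        """Spender moves `amount` of owner's tokens, consuming allowance."""
        allowed = self.allowance(owner, spender)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise ValueError("insufficient allowance or balance")
        # Assumption: as in many real tokens, a MAX_UINT256 allowance is never decremented.
        if allowed != MAX_UINT256:
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def exposure(token, owner, spender):
    """Tokens the spender contract could still pull from owner right now."""
    return min(token.balances.get(owner, 0), token.allowance(owner, spender))


def audit_allowances(token, owner):
    """Wallet-side check: spenders holding an allowance larger than the owner's balance."""
    return [spender for (o, spender), amt in token.allowances.items()
            if o == owner and amt > token.balances.get(owner, 0)]


def spend_one_unit(unlimited):
    """Approve, then let the dapp contract pull 1 unit; return what it could still pull."""
    user, dapp, treasury = "0xUSER", "0xDAPP", "0xTREASURY"  # constructed addresses
    token = Token({user: 1_000})
    token.approve(user, dapp, MAX_UINT256 if unlimited else 1)  # exact amount = the fix
    token.transfer_from(dapp, user, treasury, 1)
    return exposure(token, user, dapp)
```

With the unlimited approval the dapp contract retains access to the remaining 999 units; with the exact-amount approval the leftover exposure is zero, which is the property `audit_allowances` lets a wallet surface to its users.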

“Some security compromises that might have been acceptable in the era when users were scarce and highly technical are not acceptable when #DeFi goes mainstream, acquiring many non-technical users, and handling crypto tokens in the billions (USD),” the company tweeted.