Trust wallet, imToken, Opera vulnerability demonstrated by ZenGo – “Bad Approve” vulnerability
ZenGo has released a demo that shows a vulnerability present in most Ethereum wallets.
This includes Trust Wallet, imToken, the Opera wallet, and others.
Web-based DApps can ask the user for permission to spend a small amount of a token, e.g. 0.0001 ETH, and then, behind the scenes, take far more of that token than was shown.
Imagine going to your bank and sending someone $1. Later, you discover that by doing so you have allowed this person to empty your account.
That’s the issue that we have encountered in many popular #dapps & #crypto wallets.
Learn about #baDAPProve https://t.co/jIzhq8Bx6w pic.twitter.com/WMHaHLT1F8
— ZenGo (@ZenGo) March 23, 2020
This issue remained a private discussion in the technical circles of Ethereum developers for years. So ZenGo decided to highlight how it affects users by building an open-source rogue DApp that runs on Ethereum’s testnet, so that no harm is done.
In the course of testing, ZenGo discovered that some wallets do not communicate the fact that clicking the button effectively allows the DApp to fully control the user’s tokens, forever.
Security compromises that might have been acceptable in an era when users were scarce and highly technical are not acceptable when DeFi goes mainstream, acquires many non-technical users, and handles crypto tokens worth billions of USD.
ZenGo calls this “Bad Approve” and has shared demo code on GitHub.
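As an added illustration of the wallet-side check the article says is missing (this is not ZenGo’s demo code), the following decodes the calldata of an ERC-20 `approve(address,uint256)` transaction and compares the allowance actually being granted with the amount the DApp displayed to the user. The selector and ABI layout are the standard ERC-20 ones; the spender address, amounts and the “displayed” value are constructed for the example.

```python
# Added example: detect "Bad Approve" before signing by decoding the approve() calldata
# and checking the granted allowance against what the DApp showed the user.
# Spender, amounts and the displayed value below are constructed sample data.

APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
UINT256_MAX = 2**256 - 1        # the "unlimited" allowance many DApps request


def decode_approve(calldata_hex: str) -> tuple[str, int]:
    """Return (spender, amount) from approve(address,uint256) calldata."""
    data = calldata_hex.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        raise ValueError("not a well-formed approve(address,uint256) call")
    spender = "0x" + data[8 + 24:8 + 64]   # address is right-aligned in its 32-byte word
    amount = int(data[8 + 64:], 16)
    return spender, amount


def allowance_warning(amount: int, displayed: int, decimals: int = 18) -> str:
    """Classify the requested allowance against the amount the DApp displayed."""
    if amount == UINT256_MAX:
        return "UNLIMITED: spender may move every token you hold, now and in future"
    if amount > displayed:
        return (f"EXCEEDS DISPLAYED: allowance is {amount / 10**decimals:g} tokens, "
                f"DApp showed {displayed / 10**decimals:g}")
    return "OK: allowance equals the displayed amount"


def encode_approve(spender: str, amount: int) -> str:
    """Build approve() calldata; used here only to construct sample transactions."""
    addr = spender.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + APPROVE_SELECTOR + addr + format(amount, "064x")


SPENDER = "0x1111111111111111111111111111111111111111"  # constructed rogue-DApp contract
DISPLAYED = 10**14   # DApp showed 0.0001 of an 18-decimal token, as in the article

if __name__ == "__main__":
    for requested in (DISPLAYED, 10**21, UINT256_MAX):
        spender, granted = decode_approve(encode_approve(SPENDER, requested))
        print(spender, "->", allowance_warning(granted, DISPLAYED))
```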
You click “approve”/”unlock” on your #Defi #Dapp.
If the Dapp is compromised, it can steal ALL of your token funds. Regardless of how secure your private key is, without requiring further interaction. Kudos @amanusk_ and team. https://t.co/mUHpBiZoCt
— Oded Leiba (@odedleiba) March 23, 2020