ZenGo has released a demo that shows vulnerability present in most of the Ethereum wallets.
This includes Trust wallet, imToken, Opera wallets etc.
Web based DAPPs can ask user for permission to charge some of the user’s funds, ie 0.0001 ETH, and behind the scenes can take more tokens.
This issue remained a private discussion in the technical circles of Ethereum developers for years. So, ZenGo has decided to highlight how it affects users by building an open-source rogue DAPP which runs on Ethereum’s testnet so that no harm is done.
In the process of testing, ZenGo discovered that some wallets are not communicating fact that clicking on the button effectively allows the DAPP to fully control the user’s token forever.
Some security compromises that might have been acceptable in the era when users were scarce and highly technical are not acceptable when DeFi goes mainstream, acquiring many non-technical users, and handling crypto tokens in the Billions (USD).
ZenGo calls this “Bad Approve” and they have shared demo code at github.