The world of cryptocurrency is growing at an unprecedented pace. Bitcoin ETFs, approved in January ’24, opened the way for institutions and retail investors to access cryptocurrencies. It is safe to say that crypto adoption is increasing rapidly. As of 2024, an estimated 562 million people, representing 6.8% of the global population, own cryptocurrency, a significant increase from 420 million in 2023 (Source: BitPanda).
While this marks a significant milestone for web3, it also opens the floodgates for malicious actors to exploit vulnerabilities. From mobile wallets to desktop, web, and browser extension-based wallets, ensuring security has never been more critical. Hackers targeting cryptocurrency wallets have caused massive financial losses, emphasizing the urgent need for proactive security measures.
Whether you’re a blockchain company building native wallets or a developer contributing to wallet infrastructure, adopting stringent security practices is important to secure funds and trust.
Mobile-Based Web3 Wallets
Mobile wallets are a convenient way for users to manage their digital assets on the go, but they come with unique security challenges. We assess their safety against a checklist that includes the following:
- Identify and resolve intent and deeplink issues, secure webview configurations, and enforce platform guidelines.
- Ensure encryption, file-level protection, and safeguard keys and sensitive data during storage and transmission.
- Validate SSL/TLS configurations, enforce HTTPS, and implement certificate pinning to prevent cleartext communication or weak SSL.
- Test session management, rate limiting, 2FA robustness, and enforce strong password policies to enhance authentication security.
- Use secure cryptographic algorithms and protect sensitive operations against method hooking and tampering.
- Prevent insecure direct object references (IDOR), secure hidden endpoints, and validate role-based access control (RBAC).
- Address risks of buffer overflows, tampering, and reverse engineering using code obfuscation, anti-debugging measures, and repackaging checks.
- Ensure production builds are free from unintended functionality, such as backdoors or debug code.
- Protect sensitive data against screenshots, including preventing or warning about sensitive screenshots on Android/iOS and ensuring no background screenshot leaks.
- Detect and block usage on jailbroken or rooted devices to prevent exploitation.
- Disable custom keyboards during sensitive data entry to protect user input.
- Use secure accessibility attributes for iOS keychain data to prevent unauthorized access.
Desktop-Based Web3 Wallets (Electron-Based)
Electron-based desktop Web3 wallets are software applications built using Electron, a framework for building cross-platform desktop applications. Misconfigured Electron settings or outdated dependencies can lead to serious flaws, so in addition to the general checks the checklist contains:
- Verify the Electron and bundled Chromium versions are up-to-date to mitigate known vulnerabilities.
- Check that the application does not load remote content unnecessarily.
- Ensure nodeIntegration and enableRemoteModule are disabled in the Electron configuration.
- Validate that contextIsolation, sandbox, and webSecurity are enabled.
- Test for vulnerabilities in navigation logic, such as allowing navigation to arbitrary external web pages, and validate the security of will-navigate and new-window events.
- Inspect preload scripts for exploitable code or unsafe use of Node.js APIs.
- Verify that dangerous functions, such as openExternal, do not process unvalidated user input.
- Ensure custom protocols used by the application are secured against abuse.
- Test for remote code execution (RCE) vulnerabilities through XSS or misconfigured Electron settings.
- Check for insecure file access, such as unauthorized reading of local files through webview or other methods.
- Validate that IPC (Inter-Process Communication) messages are sanitized and securely handled.
- Verify that sensitive data (e.g., mnemonic phrases or keys) is not stored in memory, files, or the clipboard without encryption or protection.
- Assess regex and domain validation in navigation logic to prevent phishing and XSS attacks.
- Use tools like Electronegativity or Node.js scanners to identify misconfigurations and security issues in the Electron app.
- Validate the deployment process to ensure no debug or unnecessary code is included in the production build and third-party libraries are free of known vulnerabilities.
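The navigation and openExternal checks above, as an added example that is not BlockApex's code: a substring regex on the hostname (the weak pattern often found in audits) beside a hardened check that parses the URL and compares the full origin. ALLOWED_ORIGINS and the BrowserWindow wiring are assumptions.

```javascript
// Added example: navigation and external-link guards for an Electron wallet.
// ALLOWED_ORIGINS and the wiring in attachNavigationGuards are assumptions.
const ALLOWED_ORIGINS = new Set(['https://wallet.example.com', 'https://api.example.com']);

// Weak check: a regex on the raw string is satisfied by look-alike hosts and by the
// trusted hostname appearing anywhere in the path or query.
function weakNavigationCheck(targetUrl) {
  return /wallet\.example\.com/.test(targetUrl);
}

// Hardened check: parse the URL, require https, and compare the exact origin.
function isAllowedNavigation(targetUrl) {
  let parsed;
  try {
    parsed = new URL(targetUrl);
  } catch (e) {
    return false; // unparseable input is never allowed
  }
  if (parsed.protocol !== 'https:') return false; // rejects file:, javascript:, http:
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// shell.openExternal hands the URL to the operating system; only plain web links
// should reach it, never file: or custom-scheme URLs taken from the renderer.
function isSafeExternalUrl(targetUrl) {
  let parsed;
  try {
    parsed = new URL(targetUrl);
  } catch (e) {
    return false;
  }
  return parsed.protocol === 'https:' || parsed.protocol === 'http:';
}

// Wiring into Electron (assumed shape; runs only inside an Electron main process).
function attachNavigationGuards(win, shell) {
  win.webContents.on('will-navigate', (event, url) => {
    if (!isAllowedNavigation(url)) event.preventDefault();
  });
  win.webContents.setWindowOpenHandler(({ url }) => {
    if (isSafeExternalUrl(url)) shell.openExternal(url);
    return { action: 'deny' }; // the renderer never gets to open its own windows
  });
}
```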
Extension-Based Web3 Wallets
Extension wallets are browser-based add-ons that integrate with decentralized applications (dApps), enabling seamless interaction but also exposing users to the page they run on. They go through the following checks:
- Verify that the extension’s permissions and host permissions are limited to the minimum necessary.
- Check if the extension correctly validates the origin of messages before processing.
- Assess whether malicious websites can exploit XSS, clickjacking, or other injection vulnerabilities within the extension.
- Verify that sensitive information is not stored unprotected in memory, files, or the codebase.
- Analyze the manifest.json file for appropriate configurations, permissions, and web-accessible resources.
- Test for secure communication between content scripts, background scripts, and native messaging, ensuring proper input validation and sanitization.
- Ensure no insecure PostMessage or DOM-based communication vulnerabilities exist.
- Test for secure storage and retrieval of sensitive data, such as mnemonic phrases or private keys.
- Confirm the extension cannot be exploited to compromise the browser or host system.
- Validate that the extension resists tampering, such as code modifications or unauthorized installations.
- Test APIs for proper input validation, rate limiting, and secure data handling.
- Assess the extension for vulnerabilities in its core components, such as content scripts, background scripts, and native binaries.
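The origin-validation and postMessage checks above, as an added example that is not BlockApex's code: the content script verifies the source window and exact origin of page messages, and the background script trusts only the browser-supplied sender fields, never an origin claimed inside the message body. EXTENSION_ID, the dApp allowlist, the method allowlist and the message shapes are assumptions.

```javascript
// Added example: origin validation on both message paths of a wallet extension.
// EXTENSION_ID, ALLOWED_DAPP_ORIGINS, ALLOWED_METHODS and message shapes are assumptions.
const EXTENSION_ID = 'EXTENSION-ID-PLACEHOLDER';
const ALLOWED_DAPP_ORIGINS = new Set(['https://app.example.com']);
const ALLOWED_METHODS = new Set(['eth_accounts', 'eth_chainId']);

// Content script: window.postMessage is reachable by every script on the page, so
// check the source window and the exact origin before forwarding a request.
function isTrustedPageMessage(event, currentWindow) {
  if (event.source !== currentWindow) return false; // ignore iframes and popups
  if (!ALLOWED_DAPP_ORIGINS.has(event.origin)) return false; // exact match, no regex
  return event.data !== null && typeof event.data === 'object' && event.data.type === 'wallet_request';
}

// Background script: the browser fills in sender.id (the sending extension's id) and
// sender.url; the page cannot forge these, unlike fields inside the message body.
function pageOriginOf(sender) {
  try { return new URL(sender.url).origin; } catch (e) { return null; }
}

function handleRuntimeMessage(msg, sender) {
  if (sender.id !== EXTENSION_ID) return { ok: false, reason: 'foreign-sender' };
  const origin = pageOriginOf(sender);
  if (origin === null || !ALLOWED_DAPP_ORIGINS.has(origin)) return { ok: false, reason: 'origin' };
  // msg.origin, if present, is attacker-controlled and deliberately ignored.
  if (!ALLOWED_METHODS.has(msg.method)) return { ok: false, reason: 'method' };
  return { ok: true, origin, method: msg.method };
}

// Wiring (assumed shape of the chrome.* API; runs only inside a real extension).
function registerListeners(chromeApi, win) {
  win.addEventListener('message', (event) => {
    if (isTrustedPageMessage(event, win)) chromeApi.runtime.sendMessage({ method: event.data.method });
  });
  chromeApi.runtime.onMessage.addListener((msg, sender, sendResponse) => {
    sendResponse(handleRuntimeMessage(msg, sender));
  });
}
```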
Web-Based Web3 Wallets
Web wallets provide online platforms for accessing and managing crypto assets, and their vulnerabilities typically stem from web-based threats, so the checklist includes:
- Validate the application architecture and ensure security is incorporated into functional requirements, prototypes, and design.
- Perform network security checks, including scanning for open ports, running services, and sniffing for data exposure or weaknesses.
- Test for cloud misconfigurations in critical services such as IAM, S3, EC2, RDS, and Lambda.
- Test for injection vulnerabilities, including code, SQL, XSS, LDAP, OS command, and HTML injections.
- Validate session management, rate limiting, strong password hashing, and 2FA implementations for secure authentication.
- Identify and mitigate sensitive data exposure risks, such as hardcoded API keys, unprotected secrets, and misconfigured S3 buckets.
- Test for XML external entities (XXE) vulnerabilities that could lead to SSRF, file retrieval, or image upload exploitation.
- Assess access control to prevent privilege escalation, IDOR, and multi-step process vulnerabilities.
- Detect security misconfigurations, including verbose errors, default credentials, unnecessary services, and unpatched flaws.
- Test for insecure deserialization vulnerabilities and improper handling of serialized data.
- Identify and mitigate risks from components with known vulnerabilities in the application stack.
- Ensure proper logging, secure data storage, and incident response mechanisms are in place.
- Test APIs for broken object-level and function-level authorization, excessive data exposure, and improper asset management.
- Check for vulnerabilities like XSS, clickjacking, open redirects, and HTML injection.
- Verify security headers, CORS configurations, CSRF protections, and cookie attributes where applicable.
- Validate the application against all OWASP Top 10 vulnerabilities and ensure comprehensive coverage.
- Mitigate risks of phishing attacks and malicious JavaScript injection specific to web wallets.
Testing Approach
We adopt a grey-box testing methodology that blends both black-box and limited white-box testing approaches. The following activities are undertaken as part of the testing process:
Setup & Execution
- Set up the provided wallets (Mobile, Extension, Desktop) in secure local testing environments across all platforms.
- Ensure all configurations and dependencies provided by the client are correctly aligned with the target environments.
Black Box Testing
- Conduct penetration testing for core functionalities, APIs, and communication mechanisms using industry-standard tools.
- Evaluate the wallet’s resilience against common vulnerabilities, including injection attacks, data leaks, and privilege escalations.
About BlockApex
BlockApex is a thesis-driven, high-conviction blockchain consulting company dedicated to shaping the future of finance, governance, and digital infrastructure.
At BlockApex, we specialize in comprehensive crypto wallet audits to protect your assets and enhance user trust. Whether it’s mobile, desktop, extension-based, or web wallets, our expert team identifies vulnerabilities and fortifies your wallet against potential threats. Our expertise extends to blockchain security, smart contract audits, infrastructure development, and strategic consulting.
Join the many projects that trust BlockApex to secure their platforms and pave the way for a safer blockchain ecosystem.