WalleTruth: Visual-Oriented Software Testing for Web3 Wallet Browser Extensions
Xiaohui Hu, Ningyu He, Haoyu Wang

Serving as the first point of contact between users and the cryptocurrency world, cryptocurrency wallets allow users to manage, receive, and transfer digital assets on blockchains and to interact with emerging decentralized finance (DeFi) applications. Unfortunately, cryptocurrency wallets have long been prime targets for attackers, and wallet breaches are reported regularly. Although some recent studies have characterized wallet-related vulnerabilities and scams, they have mostly done so at a coarse granularity, overlooking risks inherent in the detailed design of cryptocurrency wallets, especially in user interaction and advanced features. To fill this gap, in this paper we present a fine-grained security analysis of browser-based cryptocurrency wallets. To pinpoint security issues in wallet components, we design WalleTruth, a visual-oriented testing framework built specifically for browser-based wallet extensions. We identify 12 attack vectors that attackers can abuse to exploit cryptocurrency wallets and expose 21 concrete attack strategies. Applying WalleTruth to 39 widely adopted browser-based wallet extensions, we find that every one of them can be abused to steal crypto assets from unsuspecting users. We reported the identified attack vectors to the affected developers in a timely manner, and 26 issues have already been patched. Our findings call for urgent action from the community to mitigate threats to cryptocurrency wallets.