Wallet Security Audit

The SlowMist security team specializes in traditional network attack and defense. The achievements of its members have been highly recognized by the world's leading institutions. Our wallet security audit is more than a typical audit: it is built on a unique private key architecture together with years of extensive practical security knowledge. SlowMist's related security services have covered top wallet platforms in dozens of industries, both centralized and decentralized.

Security Audit

Our audits cover penetration testing topics in greater depth and detail than other penetration testing services. Through a combination of black box and gray box security audits, we discover vulnerabilities and propose solutions to our clients, along with suggestions for improving security and best practices to prevent future security risks. The security audit provides a more comprehensive practical basis for building the enterprise security system, and a professional Security Audit Report is issued according to the needs of the development team.


As the key to opening the Web3 world, Web3 wallets are responsible for securely hosting users' cryptocurrency assets. Once the wallet program itself is hacked, users' cryptocurrency assets will be at risk of theft.

Therefore, based on the responsibilities of Web3 wallets themselves, the SlowMist Security Team published a Web Front-end Security Guide for web and browser extension wallets and proposed best-practice implementations for managing the wallet key lifecycle: generation, storage, use, backup, and destruction. At the same time, with reference to the OWASP MASVS international standard, we developed security guidelines for the Web3 wallet client security audit items. Drawing on years of frontline attack and defense experience and established international standards, the SlowMist Security Team aims to make the Web3 wallet client as secure as possible and reduce the risk of cryptocurrency asset theft.

Web3 wallets, as the key to the Web3 world, must interact with a variety of DApps. During these interactions, wallets face many security challenges. Hackers are very good at exploiting design flaws in the interaction process to defraud users of their assets, for example: hijacking the UI to trick users into signing; using blind signatures to trick users into signing; using Permit signatures to steal users' assets; using zero-value TransferFrom transfers to phish users; using look-alike addresses with the same trailing characters to execute the scam; NFT phishing and other common phishing techniques.

In response to the user interaction process and the common phishing techniques used by hackers, the SlowMist Security Team exclusively proposes a security audit of the user interaction process, which includes: a WYSIWYS (What You See Is What You Sign) strategy; an AML strategy; an anti-phishing strategy; a pre-execution strategy; and other strategies to defend against hacker attacks, reduce the risk of users being phished, and ensure the security of cryptocurrency assets.
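As an added illustration of the interaction-process checks above (example code, not SlowMist's own tooling), the following wallet-side pre-signing check flags the listed patterns before the user is asked to sign; the ERC-20 function selectors are real, while the contact book, addresses and requests are constructed sample data.

```javascript
// Added example (not SlowMist's code): wallet-side pre-signing checks for the interaction-phase
// phishing patterns listed above. Selectors are real ERC-20 ones; all other data is constructed.
const SELECTOR_TRANSFER_FROM = "0x23b872dd"; // transferFrom(address,address,uint256)
const SELECTOR_TRANSFER = "0xa9059cbb";      // transfer(address,uint256)
const MAX_UINT256 = "115792089237316195423570985008687907853269984665640564039457584007913129639935";
const word = (data, i) => data.slice(10 + 64 * i, 74 + 64 * i); // i-th 32-byte ABI word after the selector
const addrOf = (w) => "0x" + w.slice(24);                       // low 20 bytes of a word as an address
const pad = (hex) => hex.replace(/^0x/, "").padStart(64, "0");  // ABI-encode a hex value into one word

// Address poisoning: first and last 4 hex digits match a saved contact, but the middle does not.
function lookAlikeOf(addr, contacts) {
  const a = addr.toLowerCase();
  return Object.keys(contacts).find(
    (c) => c !== a && c.slice(0, 6) === a.slice(0, 6) && c.slice(-4) === a.slice(-4));
}

// Returns human-readable warnings the wallet should show before requesting a signature.
function inspectRequest(req, contacts) {
  const warnings = [];
  if (req.method === "eth_sign") warnings.push("BLIND_SIGN: raw hash, the wallet cannot show what is being signed");
  if (req.method === "eth_signTypedData_v4") {
    const typed = JSON.parse(req.params[1]); // params: [signer address, JSON typed data]
    if (typed.primaryType === "Permit")
      warnings.push(`PERMIT: signature grants ${typed.message.spender} an allowance of ${typed.message.value}`);
  }
  if (req.method === "eth_sendTransaction") {
    const tx = req.params[0];
    const data = (tx.data || "0x").toLowerCase();
    let recipient = tx.to; // plain value transfer: the recipient is the transaction target
    if (data.startsWith(SELECTOR_TRANSFER_FROM)) {
      recipient = addrOf(word(data, 1)); // transferFrom(from, to, value): "to" is word 1
      if (BigInt("0x" + word(data, 2)) === 0n) warnings.push("ZERO_TRANSFER: zero-value transferFrom, address poisoning pattern");
    } else if (data.startsWith(SELECTOR_TRANSFER)) {
      recipient = addrOf(word(data, 0)); // transfer(to, value): "to" is word 0
    }
    const twin = recipient && lookAlikeOf(recipient, contacts);
    if (twin) warnings.push(`LOOKALIKE: ${recipient} resembles contact ${contacts[twin]} (${twin}) but is a different address`);
  }
  return warnings;
}

// Constructed sample data: one saved contact and a poisoned twin sharing its prefix and suffix.
const CONTACTS = { "0x1234aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa5678": "Alice" };
const POISONED = "0x1234bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb5678";
const SAMPLE_TRANSFER_FROM = { method: "eth_sendTransaction", params: [{
  to: "0x" + "d".repeat(40), // constructed token contract address
  data: SELECTOR_TRANSFER_FROM + pad("0x" + "c".repeat(40)) + pad(POISONED) + pad("0x0") }] };
const SAMPLE_PERMIT = { method: "eth_signTypedData_v4", params: ["0x" + "c".repeat(40),
  JSON.stringify({ primaryType: "Permit", message: { spender: "0x" + "e".repeat(40), value: MAX_UINT256 } })] };
```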

Processing Flow

| Audit Class | Audit Subclass | Black/Grey Box | White Box |
|---|---|---|---|
| Transfer security | Signature security audit | | |
| Transfer security | Deposit/Transfer security audit | | |
| Transfer security | Transaction broadcast security audit | | |
| Secret key security | Secret key generation security audit | | |
| Secret key security | Secret key storage security audit | | |
| Secret key security | Secret key usage security audit | | |
| Secret key security | Secret key backup security audit | | |
| Secret key security | Secret key destruction security audit | | |
| Secret key security | Insecure entropy source audit | | |
| Secret key security | Cryptography security audit | | |
| Web front-end security | Cross-Site Scripting security audit | | |
| Web front-end security | HTTP response header security audit | | |
| Components security | Third-party components security audit | | |
| Communication security | Communication encryption security audit | | |
| Communication security | Cross-domain transmission security audit | | |
| Architecture and business security | Wallet lock security audit | | |
| Architecture and business security | Business logic security audit | | |
| Architecture and business security | Architecture design security audit | | |
| Architecture and business security | Denial of Service security audit | | |
| User interaction security | WYSIWYS | | |
| User interaction security | AML | | |
| User interaction security | Anti-phishing | | |
| User interaction security | Pre-execution | | |
| User interaction security | Contact whitelisting | | |
| User interaction security | Password complexity requirements | | |

Note: For browser extension wallets, a white box audit is recommended to ensure the most comprehensive audit coverage possible.

| Audit Class | Audit Subclass | Black/Grey Box | White Box |
|---|---|---|---|
| Runtime environment security | App runtime environment detection | | |
| Source code security | Code decompilation detection | | |
| Permission security | App permissions detection | | |
| Storage security | File storage security audit | | |
| Storage security | App cache security audit | | |
| Storage security | SQLite storage security audit | | |
| Communication security | Communication encryption security audit | | |
| Server interface security | Interface security audit | | |
| Business security | Business logic security audit | | |
| Browser security | WebKit security audit | | |
| Browser security | WebView DOM security audit | | |
| Application interaction security | Deeplinks security audit | | |
| Authentication security | Client-Based Authentication Security audit | | |
| Transfer security | Signature security audit | | |
| Transfer security | Deposit/Transfer security audit | | |
| Transfer security | Transaction broadcast security audit | | |
| Secret key security | Secret key generation security audit | | |
| Secret key security | Secret key storage security audit | | |
| Secret key security | Secret key usage security audit | | |
| Secret key security | Secret key backup security audit | | |
| Secret key security | Secret key destruction security audit | | |
| Secret key security | Insecure entropy source audit | | |
| Secret key security | Cryptography security audit | | |
| Components security | Third-party components security audit | | |
| Runtime security | Screenshot/screen recording detection | | |
| Runtime security | Paste copy detection | | |
| Runtime security | Keyboard keystroke cache detection | | |
| Runtime security | Background obfuscation detection | | |
| Runtime security | Suspend evoke security audit | | |
| User interaction security | WYSIWYS | | |
| User interaction security | AML | | |
| User interaction security | Anti-phishing | | |
| User interaction security | Pre-execution | | |
| User interaction security | Contact whitelisting | | |
| User interaction security | Password complexity requirements | | |

Note: For mobile and desktop wallets, a white box audit is recommended when the audit budget allows. If the budget is insufficient, black box and gray box testing should be the main audit methods, with white box testing as the auxiliary method, so as to ensure the most comprehensive audit coverage possible.

| Audit Class | Audit Subclass | Grey Box | White Box |
|---|---|---|---|
| Hardware security | Security standards compliance audit | | |
| Hardware security | Circuit design security audit | | |
| Hardware security | Hardware integrity security audit | | |
| Firmware security | Firmware storage security audit | | |
| Firmware security | Firmware upgrade security audit | | |
| Firmware security | Firmware integrity security audit | | |
| Firmware security | Firmware decompilation security audit | | |
| Firmware security | Firmware configuration security audit | | |
| Storage security | Data storage security audit | | |
| Exception handling security | Error handling security audit | | |
| Exception handling security | Exception logs security audit | | |
| Permission security | App permissions detection security audit | | |
| Communication security | Communication encryption security audit | | |
| Device interface security | Device interface security audit | | |
| Business security | Business logic security audit | | |
| Authentication security | Device-Based authentication security audit | | |
| Transfer security | Signature security audit | | |
| Transfer security | Deposit/Transfer security audit | | |
| Transfer security | Transaction broadcast security audit | | |
| Secret key security | Secret key generation security audit | | |
| Secret key security | Secret key storage security audit | | |
| Secret key security | Secret key usage security audit | | |
| Secret key security | Secret key backup security audit | | |
| Secret key security | Secret key destruction security audit | | |
| Secret key security | Insecure entropy source audit | | |
| Secret key security | Cryptography security audit | | |
| Components security | Third-party components security audit | | |
| User interaction security | WYSIWYS | | |
| User interaction security | Password complexity requirements | | |

Note: For hardware wallets, a white box audit is recommended to ensure the most comprehensive audit coverage possible.
