As the key to opening the Web3 world, Web3 wallets are responsible for securely hosting users' cryptocurrency assets. Once the wallet program itself is hacked, users' cryptocurrency assets will be at risk of theft.
Therefore, based on the responsibilities of Web3 wallets themselves, the SlowMist Security Team launched A Web Front-end Security Guide for Web and browser extension wallets and proposed best-practice security implementations for managing the key lifecycle in wallets: generate, store, use, back up, and destroy. At the same time, referring to the OWASP MASVS international standard, we developed relevant security guidelines for the Web3 wallet client security audit items. Through years of frontline security attack and defense experience and excellent international standards, the SlowMist Security Team hopes to ensure as much security as possible on the Web3 wallet client and reduce the risk of cryptocurrency asset theft.
Web3 wallets, as the key to the Web3 world, must interact with a variety of DApps in Web3. During users' interactions, wallets face many security challenges. Hackers are very good at exploiting design flaws in the interaction process to steal users' assets, for example: using UI hijacking to trick users into signing; using blind signatures to trick users into signing; using Permit signatures to steal users' assets; using zero-value TransferFrom transfers to phish users; using addresses with the same trailing digits to execute the scam; NFT phishing; and other common phishing techniques.
In response to the users' interaction process and the common phishing techniques used by hackers, the SlowMist Security Team exclusively proposes a security audit of the users' interaction process, which includes: the WYSIWYS (what you see is what you sign) strategy; the AML strategy; the anti-phishing strategy; the pre-execution strategy; and other strategies to defend against hacker attacks, reduce the risk of users being phished, and ensure the security of cryptocurrency assets.
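As an added illustration (not code from the SlowMist page), the following wallet-side checks cover two of the tricks listed above: a recipient that merely looks like a trusted address because it shares its leading and trailing hex digits, and a counterparty that was seeded into the transaction history through a zero-value transfer. All addresses, transfers and function names are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    amount: int  # token base units; 0 marks the zero-value TransferFrom trick

def norm(addr: str) -> str:
    return addr.lower()

def looks_alike(a: str, b: str, head: int = 4, tail: int = 4) -> bool:
    """True when two distinct addresses share the same leading and trailing hex
    digits, i.e. the only parts a user sees in a truncated wallet UI."""
    a, b = norm(a), norm(b)
    if a == b:
        return False
    return a[2:2 + head] == b[2:2 + head] and a[-tail:] == b[-tail:]

def poisoning_senders(history: list, my_addr: str) -> set:
    """Addresses that only ever sent us zero-value transfers (the seeding step)."""
    me = norm(my_addr)
    zero, nonzero = set(), set()
    for t in history:
        if norm(t.recipient) != me:
            continue
        (zero if t.amount == 0 else nonzero).add(norm(t.sender))
    return zero - nonzero

def check_recipient(recipient: str, trusted: list, history: list, my_addr: str) -> list:
    """Warnings a wallet should surface before letting the user sign a transfer."""
    warnings = []
    r = norm(recipient)
    for t in trusted:
        if looks_alike(r, t):
            warnings.append(f"{recipient} resembles trusted address {t} but is not it")
    if r in poisoning_senders(history, my_addr):
        warnings.append(f"{recipient} was first seen as the sender of a zero-value transfer")
    return warnings

# Constructed sample data (not real addresses or transactions).
ME      = "0x" + "1111" + "0" * 32 + "2222"
TRUSTED = "0x" + "ab12" + "0" * 32 + "cd34"
POISON  = "0x" + "ab12" + "f" * 32 + "cd34"   # same head and tail as TRUSTED
HISTORY = [
    Transfer(TRUSTED, ME, 1_000_000),   # genuine deposit from the trusted address
    Transfer(POISON, ME, 0),            # zero-value transfer from the look-alike
]

if __name__ == "__main__":
    for w in check_recipient(POISON, [TRUSTED], HISTORY, ME):
        print("WARNING:", w)
```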
Audit process: Business Communication, Project Evaluation, Pay for Expenses, Security Audit, Issue a Report.
Web3 hardware wallets are physical devices used to store cryptocurrencies and digital assets, typically offering greater security than web/app wallets because they provide a way to store private keys offline. This means that when interacting with DApps using a hardware wallet, the private key is never exposed to the internet, thus protecting it from hacker attacks.
Recently, some victims contacted the SlowMist security team for assistance after experiencing asset loss while using the online programming platform Replit to create wallets for the Atomicals protocol. These victims had deposited ATOM, an ARC20 token minted by the Atomicals protocol, into their wallets in multiple transactions. However, they discovered a total of 90,000 ATOM tokens had been stolen. According to the victims, the leakage of their private keys or mnemonic phrases occurred during the process of copying and pasting on a webpage.
On June 3, multiple Atomic Wallet users posted on social media that their wallet assets had been stolen. According to analysis, the total loss of Atomic Wallet users who had their assets stolen is now approximately $35 million.