Audit name: [dApp] Vital Wallet / Snap Audit / Aug2024

Date: Sep 2, 2024

Table of Contents

Introduction

Audit Summary

System Overview

Findings

Appendix 1. Severity Definitions

Appendix 2. Scope

Disclaimer

Introduction

We express our gratitude to the Vital Wallet team for the collaborative engagement that enabled the execution of this dApp Security Assessment.

Document

  • Name: dApp Code Review and Security Analysis Report for Vital Wallet

  • Audited By: Stephen Ajayi

  • Approved By: Stephen Ajayi

  • Changelog: 02/09/2024 - Final Report

  • Platform: Ethereum

  • Language: TypeScript, JavaScript

  • Tags: Metamask Snap, dApp

Audit Summary

20 Total Findings
17 Resolved
3 Accepted
0 Mitigated

The system users should acknowledge all the risks summed up in the risks section of the report.

Documentation quality

  • Each package has its own README, providing clear and detailed information on setup and usage.

  • Code comments are present to explain complex logic and important functions.

  • The project is well-organized into packages, making it easy to navigate and understand.

Code quality

  • Code is divided into packages and modules, promoting reusability and maintainability.

  • Presence of test files indicates a focus on verifying functionality.

  • Configuration files for ESLint and Prettier ensure consistent code style and formatting.

  • Separate environment files for development and production enhance security and flexibility.

System Overview

NEO is a blockchain platform that supports the development of digital assets and smart contracts. It is often referred to as a "smart economy" platform because it integrates digital assets, digital identities, and smart contracts into a unified ecosystem.

Key Features:

  • NEO supports smart contracts written in multiple programming languages, making it accessible to a wide range of developers.

  • NEO integrates digital identity, providing verifiable digital certificates for identity verification.

  • NEO uses the Delegated Byzantine Fault Tolerance (dBFT) consensus mechanism, which is designed to be fast and efficient.

  • NEO aims to provide interoperability across different blockchains, allowing seamless interaction and data exchange.

  • The platform utilizes two native tokens, NEO and GAS, which serve different purposes within the ecosystem.

Project Structure Overview

Root Files

  • .editorconfig: Configuration for code editors to ensure consistent coding styles across different IDEs and editors.

  • .gitignore: Specifies intentionally untracked files to ignore in Git.

  • .prettierrc.js: Configuration file for Prettier, a code formatting tool.

  • .yarnrc.yml: Yarn configuration file for managing dependencies.

  • LICENSE: Contains the terms and conditions for using the project.

  • README.md: Provides a high-level overview of the project, including setup instructions and usage details.

  • lerna.json: Configuration for Lerna, a tool for managing JavaScript projects with multiple packages.

  • nx.json: Configuration file for Nx, a set of extensible dev tools for monorepos.

  • package.json: Lists the project's dependencies and scripts.

  • tsconfig.json: TypeScript configuration file specifying compiler options.

  • yarn.lock: Lock file for ensuring consistent installations across environments.

VSCode Configuration

  • .vscode/settings.json: Workspace settings for Visual Studio Code, specifying editor preferences for this project.

Snap Package (packages/snap)

  • README.md: Documentation specific to the snap package.

  • jest.config.js: Configuration for Jest, a JavaScript testing framework.

  • package.json: Dependencies and scripts specific to the snap package.

  • snap.config.ts: Configuration file for snap.

  • snap.manifest.json: Metadata about the snap, such as permissions and initial data.

Source Code (packages/snap/src)

  • getAccount.ts: Retrieves account information.

  • getNetworks.ts: Fetches network data.

  • index.ts: Entry point of the snap package.

  • invoke.ts: Contains functionality to invoke blockchain operations.

  • invokeMulti.ts: Handles multi-invocation of blockchain transactions.

  • signMessage.ts: Logic for signing messages.

  • signMessageWithoutSalt.ts: Signs messages without a salt value.

  • signTransaction.ts: Handles transaction signing.

  • state.ts: Manages state within the snap package.

  • types.ts: Defines TypeScript types for the snap package.

Admin and UI

  • admin/switchNetwork.ts: Allows switching between different networks.

  • ui/customUI.ts: Contains custom UI components.

Utilities (packages/snap/src/utils)

  • asserts.ts: Helper functions for assertions.

  • constants.ts: Defines constants used throughout the snap package.

  • convertors.ts: Functions to convert between different data formats.

  • env.ts: Manages environment variables.

  • errors.ts: Error handling utilities.

  • keyPair.ts: Functions related to key pair management.

  • logger.ts: Logging utility functions.

  • serializer.ts: Handles data serialization.

  • signingProvider.ts: Manages signing providers.

  • url.ts: URL manipulation utilities.

  • wallet.ts: Wallet management utilities.

Tests (packages/snap/test)

  • constants.test.ts: Unit tests for constants.

  • invoke.test.ts: Unit tests for invocation functionality.

Wallet Adapter Package (packages/walletadapter)

  • README.md: Documentation for the wallet adapter.

  • package.json: Lists dependencies for the wallet adapter.

  • tsconfig.json: TypeScript configuration for this package.

Source Code (packages/walletadapter/src)

  • custom.d.ts: Custom TypeScript declarations.

  • index.ts: Entry point for the wallet adapter package.

  • snapOrigin.ts: Handles origin verification for snaps.

  • types.ts: Defines TypeScript types for wallet adapter.

Wallet Site Package (packages/walletsite)

  • .env.development / .env.production: Environment variables for different environments.

  • .eslintrc.js: ESLint configuration for code linting.

  • .gitignore / .prettierrc.js: Similar purpose as root, specific to this package.

  • README.md: Documentation for the wallet site package.

  • i18n.json: Internationalization configuration file.

  • next.config.js: Configuration for Next.js framework.

  • package.json: Dependencies for the wallet site.

  • postcss.config.js: Configuration for PostCSS, a tool for transforming CSS.

  • tailwind.config.ts: Configuration for Tailwind CSS framework.

  • tsconfig.json: TypeScript configuration file.

Locales and Assets

  • locales/en/common.json: English translations for localization.

  • src/assets: Contains images and icons used in the project.

Application Code (packages/walletsite/src)

  • react-app-env.d.ts: React environment TypeScript declarations.

  • app/: Contains main application components, pages, and styling.

    • components/: Reusable UI components.

    • history/: Components related to transaction history.

    • wallet/: Wallet-specific components and pages.

  • config/: Configuration files for environment and snap.

  • dapi/: DAPI (Decentralized API) integration.

  • hooks/: Custom React hooks for various functionalities.

  • store/: State management using stores.

  • types/: TypeScript type definitions.

  • utils/: Utility functions for various operations.

Findings

Code        | Title                                                     | Status   | Severity
------------+-----------------------------------------------------------+----------+------------
F-2024-5217 | Insecure Private Key Handling in SigningNetworkProvider   | Fixed    | High
F-2024-5216 | Insecure Private Key Handling                             | Fixed    | High
F-2024-5005 | Non-literal Regular Expression (ReDoS)                    | Fixed    | Medium
F-2024-5213 | Improper Environment Configuration                        | Fixed    | Low
F-2024-5006 | Insufficient Input Validation                             | Fixed    | Low
F-2024-5004 | Vulnerable Dependencies                                   | Fixed    | Low
F-2024-5365 | Improve TypeScript Configuration Settings                 | Accepted | Observation
F-2024-5233 | Imprecise Dependency Versioning                           | Fixed    | Observation
F-2024-5228 | Missing Author Information in Package Metadata            | Fixed    | Observation
F-2024-5226 | Unhandled Promise Rejection                               | Fixed    | Observation

Showing findings 1-10 of 20.

Appendix 1. Severity Definitions

  • Critical: These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm.

  • High: These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of a potential security breach.

  • Medium: These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention.

  • Low: These issues present no risk to the system and typically relate to code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation.

Appendix 2. Scope

The scope of the project includes the following files from the provided repository:

Assets in Scope

Snap - Snap

Disclaimer