DeFi has an open security issue. A team of product designers for ZenGo, a noncustodial wallet company, found an exploit that can drain users’ funds from nearly all dapp wallets. While the security flaw has been known for two years, Ouriel Ohayon, CEO of ZenGo, is sounding the alarm, arguing the flaw poses a risk to users that has not been fully addressed.
The security issue, named BaDApprove, is not a code bug but a problem with how wallets interact with users and set transaction permissions by default.
Researching a number of high-profile wallets – including Metamask, Opera and imToken – Ohayon found that when users approve a specific transaction, they are also often approving all future transactions by default. This opens the doors for malicious decentralized applications to interact with user funds without their knowledge or consent, possibly pilfering entire ether (ETH) holdings.
The bug is well documented, though Ohayon’s complaint rekindles a seminal conflict in crypto: Should crypto companies do what they can to protect users, or should crypto holders take full responsibility for their digital asset wealth?
The ZenGo team set up a dapp demonstration to alert users of this potential exploit. The video shows a user who sends a few FRTs (a testnet currency) to the “rogue swapping app” and permits it to withdraw said tokens and automate transactions. Then, the BaDApprove dapp drains the user’s entire balance.
“It’s like saying, ‘by doing this bank transfer you accept the recipient will receive full access to your bank account,’” Ohayon said over Telegram. The situation is aggravated by the fact that many wallets do not communicate to their users these permissions stand, even if users stop using the dapp.
Contacted by CoinDesk, Sunny Aggarwal, a research scientist at Tendermint and Cosmos, ran the simulation and also saw the consequences.
“Ethereum dapps, if they want to interact with your ERC20 tokens, first need to ask approval to be allowed to move up to some number of them,” Aggarwal said in a direct message. “What happened here is that the dapp asked to approve an extremely high amount of tokens, [without showing] how much is being approved.”
Aggarwal used the popular Metamask wallet, which he said only showed the transaction amount after he clicked "Show More Details." “And even then you'll see it displayed as 1.1579…………e+59,” or in scientific notation, “which is way too easy for someone to misread and accidentally think it's approving like ~1.15 tokens.”
“This is a failure on the part of the wallets,” he said. “Wallets should be showing this information front and center to users, and having alerts if it thinks something sketchy is going on.”
What Ohayon and ZenGo have highlighted has been a known issue in the DeFi (decentralized finance) community for years. The larger question is why it hasn’t been fixed. To some in the dapp world, the answer is it isn’t so much a flaw or a bug as a non-good feature.
In September 2018, Jordan Randolph, a representative of Ethex, a decentralized exchange, outlined the problem in a Medium post. One-time approvals to move “a nearly infinite amount of tokens … can be convenient,” he wrote. “However, having a nearly infinite number of tokens approved means all of [your] token[s are] available to be transferred by the smart contract.”
The wallet preset comes down to a choice between convenience and security, he said. Randolph did not respond to a request for comment.
See also: OPINION: Thanks to Better UX, This Year Dapps Will Go Mainstream
“Dapps that only offer one option – the approval of a huge number of tokens – harbor a fatal security flaw.”
Over the past few weeks, ZenGo has raised the issue with a number of prominent wallets, often receiving pushback.
“This issue is a known risk and requires user interaction. We have already clearly notified the user when they are entering a third-party dapp. But we still thank you for your report,” an imToken representative told Tal Be'ery, ZenGo cofounder, over Twitter.
Reached by CoinDesk, Ben He, imToken CEO, said, “It's not a security exploit, it's a not-good convention to the whole Ethereum ecosystem that most of dapps/DeFi apps request unlimited allowance from users.”
To address the issue, the imToken dapp browser has two popup modals, he said. One is when a first-time user visits the dapp URL, and the second pops up asking for user consent before transacting.
“It's critical a user signs transactions cautiously and we see this is a proper and friendly reminder to the community,” he said, adding the company is “polishing our UI (user interface) to mitigate the concerns.”
Metamask presented a similar response when queried about unlimited permissions. “This is actually a secure feature that users regularly use responsibly. It is not some kind of bug or problem,” an individual from MetaMask's support line said.
“[T]here is not an inherent issue with the ERC-20 standard, but [it] is fundamental to allowing smart contracts to interoperate with tokens,” he said.
The firm has been proactive in adding safeguards, like popup messages that ask for confirmation to send funds and let users adjust the approved sum under advanced settings.
Additionally, according to the representative, Metamask has “plans to give the users even more control,” such as features making it easier to revoke this allowance.
Ohayon also cited Brave and Coinbase as displaying a “meaningful warning,” though this does not remove the risk that malicious actors can exploit dapp users.
“Some security compromises that might have been acceptable in the era when users were scarce and highly technical are not acceptable when DeFi goes mainstream, acquiring many non-technical users, and handling crypto tokens in the billions (USD),” Alex Manuskin, ZenGo researcher, wrote in a blog post.
He believes if crypto is ever to go mainstream, proper safeguards will have to be put in place to make sure new users are not exploited.
A similar issue was raised two weeks ago following the crypto flash, when the question of trading “circuit breakers” came up. For many, these precautions vie against the crypto ethos of decentralization and personal autonomy.
UPDATE: In response to ZenGo's research, imToken representative Philipp Seifert got in touch to say the firm will add push notifications for transactions and a way to edit allowances.
"While this doesn't stop users from setting unlimited allowances, we are sure that it helps to make educated decisions," according to an imToken Medium post.
CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk offers all employees above a certain salary threshold, including journalists, stock options in the Bullish group as part of their compensation.