Understanding the Security Risks of Improper Use of WalletConnect on Web3 Wallets
According to reports, the Slow Fog security team has discovered that improper use of WalletConnect on Web3 wallets may pose a security risk of being phished. This issue exists in s
According to reports, the Slow Fog security team has discovered that improper use of WalletConnect on Web3 wallets may pose a security risk of being phished. This issue exists in scenarios where the DApp Browser+WalletConnect built-in to the mobile wallet app is used.
Slow Fog: Alert to the Risks of WalletConnect Phishing in Web3 Wallets
Introduction
Cryptocurrency usage comes with its own set of security risks. One of the main risks is the possibility of being phished. The Slow Fog security team recently discovered that improper use of WalletConnect on Web3 wallets can pose a risk of being phished. This issue is seen in scenarios where the DApp Browser+WalletConnect built-in to the mobile wallet app is used. In this article, we will explore the issue in detail and understand how to avoid it.
What is WalletConnect?
WalletConnect is a protocol that enables communication between a desktop DApp and a mobile wallet app. The protocol follows a server-client model, where the DApp acts as a server and the mobile wallet app acts as a client. The communication is established by scanning a QR code displayed by the DApp, which establishes a secure connection between the DApp and the wallet.
Understanding the Security Risks
The Slow Fog security team discovered a vulnerability in the WalletConnect protocol that can be exploited by phishers. The vulnerability lies in the DApp Browser+WalletConnect built-in to the mobile wallet app. When a user interacts with a DApp, the DApp Browser+WalletConnect asks the user to sign a transaction. In scenarios where a phisher has manipulated the DApp, the user may unknowingly sign a malicious transaction, leading to loss of funds.
This issue can be avoided by using the standalone WalletConnect app or by manually verifying the transaction details before signing it. However, when using the DApp Browser+WalletConnect on mobile wallets, users need to be extra cautious and verify the transaction details before signing it.
How to Avoid Phishing Attacks?
Prevention is the best way to deal with phishing attacks. Here are some ways to avoid phishing attacks when using WalletConnect:
Use a Standalone WalletConnect App
Using the standalone WalletConnect app is the most secure way to use WalletConnect. The app is available for both Android and iOS devices and can be downloaded from the respective app stores.
Manually Verify the Transaction Details
When using the DApp Browser+WalletConnect built-in to the mobile wallet app, users must manually verify the transaction details before signing it. Ensure that the transaction details match your intended action before proceeding.
Be Cautious of Phishing Emails and Messages
Phishing attacks are initiated through emails and messages. Be extra cautious when receiving emails and messages that ask you to sign a transaction or share your private key. Always verify the source of the email or message before proceeding.
Keep your Private Keys Secure
Private keys are the gateway to your funds. Always keep your private keys secure and avoid sharing them with anyone.
Conclusion
The WalletConnect protocol has revolutionized the way we interact with DApps. However, the recent discovery by the Slow Fog security team highlights the importance of being cautious when using the protocol. Using a standalone WalletConnect app or manually verifying transaction details can help prevent phishing attacks.
Unique FAQs
Q1. What is phishing?
Phishing is a type of cyber attack where a hacker creates a fake website or email to trick users into sharing their private information.
Q2. How can I secure my private keys?
Private keys can be secured by storing them in a hardware wallet or a cold storage wallet. It’s also important to keep your private key backup in a secure location.
Q3. Why is the standalone WalletConnect app more secure?
The standalone WalletConnect app is more secure as it eliminates the risk of using the built-in DApp Browser+WalletConnect that might contain vulnerabilities. Additionally, the app prompts users to verify the transaction details before signing it.
This article and pictures are from the Internet and do not represent Fpips's position. If you infringe, please contact us to delete:https://www.fpips.com/15808/
It is strongly recommended that you study, review, analyze and verify the content independently, use the relevant data and content carefully, and bear all risks arising therefrom.
Recommended articles
-
Central Bank of UAE Launches Its First Financial Infrastructure Transformation Plan to Promote Digital Transactions
On February 13, the Central Bank of the United Arab Emirates (CBUAE) planned to
-
Significant Bitcoin Transfer to Coinbase Raises Questions
It is reported that 1878 BTCs were transferred from unknown wallets to Coinbase at 08:15 today, with a value of about US $44.12 million.
About USD 44.1…
-
ImmutableX-affiliated foundation tries to raise funds by selling IMX tokens
It is reported that the ImmutableX affiliated foundation of Ethereum Layer 2 expansion solution is trying to sell a certain number of IMX tokens to private inv…
-
Dylibso Raises $6.6 Million in Seed Round Financing: Introducing Modsurfer
According to reports, Dylibso, a \”Web Assembly\” company, announced that it had completed a seed round financing of $6.6 million, with Felicis leading the investment, and boldstart
-
Table of Contents:
On April 10th, Xiao Feng, Chairman and General Manager of Wanxiang Blockchain and Chairman of HashKeyGroup, gave a keynote speech detailing several key trends in the Crypto industr
-
Kucoin: The official Twitter account has been hacked, please do not click on suspicious links
On April 24th, Kucoin, a cryptocurrency exchange, announced in a Telegram announcement this morning that its official Twitter account has been hacked and measures are being taken t
-
Reddit Resolves Major Outage, Restores Platform Performance
On March 15th, Reddit, a social media platform, was re launched after identifying and fixing a “significant outage” that prevented desktop and mobile users from browsing for nearly 5 and a half hours. The Reddit Status page shows that the outage occurred at 03:18 Beijing time on March 15, and the issue was resolved at 08:41. The social media platform Reddit has been down for more than 5 hours since the early morning, and has now been repaired Analysis based on this information:Reddit, one of the most popular social media platforms across the globe, recently experienced a significant outage that lasted for nearly 5 and a half hours. Millions of desktop and mobile users worldwide were left stranded and unable to browse the platform, causing widespread frustration and disappointment. However, the site managed to recover from the issue and was relaunched later that day. According to the Reddit Status page, the outage took place on March 15th, at around 03:18…
-
#Table of Contents
According to reports, Ark Invest released a monthly report on Bitcoin called \”THE BITCOIN MONTHLY\”, which showed that the settlement amount of Bitcoin in March reached $650 billion
-
ThirdFi Integrates OKC Chain for Enhanced Interoperability and Performance
On March 22, the Web3 middleware ThirdFi announced that it had integrated OKC (OKX chain), an EVM compatible L1 based on Cosmos, focusing on true interoperability (IBC) and maximiz
-
What does asic miner mean
What does asic miner mean? What does asic miner mean? As shown below Basic concept: What is the principle of ASIC mining machine ASIC equipment? ASIC is a computer technology used for computing and storing data, mainly used to handle a large number of mathematical operations. Such as machine learning, autonomous driving, and so on. Due to the need to use a computer for operation, it is necessary to download and install a dedicated software or system software tool during runtime to achieve this process. For example, if you want to use a micro CPU or other graphics card to dig for Bitcoin, you need to buy a hard drive from your phone. Therefore, most people will place their laptops in their hands for mining. If there is no such special function, memory can be used for programming to obtain more information and better control What does’ asme ‘meanEditor’s note: This article is from Orange Book (ID: chengpishu) and is…
-
The deposit size of all commercial banks in the United States decreased by $125.7 billion again
According to the latest H.8 report released by the Federal Reserve on Friday (March 31), the deposit size of all commercial banks in the United States decreased by $125.7 billion a
-
ApeCoin’s AIP-206 Proposal Rejected: What it Means for the Community
It is reported that according to the information on the snapshot voting page, the AIP-206 proposal of the ApeCoin community to launch two new NFT series failed to pass with an oppo
-
Beosin EagleEye reports attack on LockedDeal contract resulting in $500,000 loss
According to reports, according to the security risk monitoring of Beosin EagleEye, a blockchain security audit company owned by Beosin, the LockedDeal contract of ETH, BSC, and Poolz Finance on the Polygon chain was attacked, resulting in a loss of approximately $500000. An attacker called the vulnerable function CreateMassPools in the LockedDeal contract, and the_ A vulnerability in StartAmount triggers an integer overflow. In addition to obtaining a large number of poolz tokens, the attacker also obtained other tokens. Please raise the alert for related projects. Previously, Beosin EagleEye monitored a 90% drop in Poolz Finance related token $POOLZ Poolz Finance’s Locked Deal contract was attacked and lost approximately $500000 Analysis based on this information:In recent news, Beosin EagleEye, a blockchain security audit company owned by Beosin, released a report stating that the LockedDeal contract of ETH, BSC, and Poolz Finance on the Polygon chain was attacked, resulting in a loss of approximately $500,000. The report revealed that an attacker…
-
Skyland Ventures’ Web3 fund completed approximately $38 million fundraising, with SBI Group participating
On April 14th, Japanese venture capital firm Skyland Ventures announced that its Web3 fund, called \”Skyland Ventures No.4 Fund,\” had completed a total fundraising of 5 billion yen
-
Web3 esports platform Community Gaming announces layoffs of 17 employees
According to reports, the Web3 esports platform Community Gaming announced the layoffs of 17 employees, accounting for more than 17% of the company\’s total workforce. Chris Gonsalv
-
FIL Bullish Run: A Cautionary Tale
According to reports, the market shows that FIL has broken through $7 and is currently trading at $7.01, with a daily increase of 11.27%. The market is volatile, so please do a good job of risk control. FIL breaks through $7 Analysis based on this information:The latest update on the FIL cryptocurrency shows that it has broken through the $7 mark and is currently trading at $7.01, representing a daily increase of 11.27%. This news may undoubtedly excite investors who have placed their bets on this digital asset. However, a closer look at the market trends highlights the inherent volatility of cryptocurrencies and the need for caution in investing. The FIL bullish run reflects the sudden bullish market trend that investors have been waiting for, with positive sentiment driving prices up by over double digit percentages in just a day. For the uninitiated, FIL is the native token of the decentralized cloud storage network Filecoin. It has a finite supply…