Trail of Bits

Tezori (T2)

Type: Security review

Client: Cryptonomic

Date: 2020-12

Domain: Blockchain

Effort: 4 wks

Section: Tezos

Trail of Bits's security review of Cryptonomic (Dec 2020) identified 17 issues: 7 high, 3 medium, 2 low, and 5 informational.

Findings · 17

| # | Finding | Severity |
|---|---------|----------|
| 1 | Remote code execution via openExternal | High |
| 2 | Unencrypted secrets in memory | High |
| 3 | Insecure private key in-memory encryption | High |
| 4 | Access to raw private key and signing without additional authentication | High |
| 5 | Signing valid operation hashes via UI dialog | Medium |
| 6 | Wallet file permissions | Low |
| 7 | Ignored exceptions | Informational |
| 8 | Users can be tricked to blindly sign transactions | High |
| 9 | Client-side request forgery through dApp authentication | Medium |
| 10 | User interface bugs | Informational |
| 11 | Wallet's password not cleared from a dialog box | Low |
| 12 | Operations can be injected by a Tezos node before signing | High |
| 13 | Entrypoint not validated, possible injection of data to sign | High |
| 14 | URL components not encoded | Informational |
| 15 | Arguments to contract's parameters not encoded | Informational |
| 16 | JSONPath argument is not escaped | Informational |
| 17 | Discrepancies between master branch and latest release | Medium |

Findings extracted from the published report PDF. See the full report below for details and remediation.