Trail of Bits

Uniswap Browser Extension

Type: Security review

Client: Uniswap

Date: 2024-02

Domain: Blockchain

Effort: 6 wks

Section: Uniswap

Trail of Bits's security review of Uniswap (Feb 2024) identified 37 issues: 6 medium, 18 low, 11 informational, and 2 undetermined.

Findings · 37

  1. Sidebar approval screen may be suddenly switched (Medium)
  2. No password policy enforcement when changing the wallet’s password (Low)
  3. Race condition with tab IDs in the background component (Medium)
  4. The clipboard is not cleared when copying the recovery phrase (Low)
  5. Browser extension crashes when data to be signed does not follow the EIP-712 standard (Low)
  6. Minimum Chrome version not enforced (Informational)
  7. Data from Uniswap server is weakly validated in Scantastic protocol (Low)
  8. Wallet information accessible in locked state (Low)
  9. Scantastic server API does not strictly validate users’ data (Informational)
  10. Extension’s content script is injected into files (Low)
  11. Messages with non-printable characters are displayed incorrectly in personal_sign request (Low)
  12. Ethereum API signing methods do not validate all arguments (Low)
  13. Not all data is displayed to users for manual validation (Medium)
  14. URL origin is explicitly constructed (Informational)
  15. Uniswap dapp name can be spoofed (Low)
  16. Injected content script and InjectedProvider class are not hardened (Informational)
  17. Runtime message listeners created by dappRequestListener function are never removed (Low)
  18. isValidMessage function checks only message type (Undetermined)
  19. Missing message authentication in content script (Medium)
  20. Data displayed for user confirmation may differ from actually signed data (Medium)
  21. Possibility to create multiple OTPs for a specific UUID (Low)
  22. Missing sender.id and sender.tab checks (Informational)
  23. Mnemonic and local password disclosed in console (Low)
  24. Incorrect message in mobile application when wallet fails to pair (Informational)
  25. Mobile application crash when pubKey in a QR code is invalid JSON (Informational)
  26. signMessage method is broken for non-string messages (Low)
  27. Price of stablecoins is hard coded (Undetermined)
  28. Encrypted mnemonics and private keys do not bind ciphertexts to contexts (Medium)
  29. Local storage is not authenticated (Low)
  30. Local storage may be evicted (Informational)
  31. Password stored in cleartext in session storage (Low)
  32. Use of RSA (Informational)
  33. Insufficient guidance, lack of validation, and unexpected behavior in Scantastic protocol (Low)
  34. Local authentication bypass (Low)
  35. Chrome storage is not properly cleared after removing a recovery phrase (Low)
  36. Unisolated components in the setupReduxed configuration (Informational)
  37. Lack of global error listener (Informational)

Findings extracted from the published report PDF. See the full report below for details and remediation.