Researchers have found a severe vulnerability in the Everscale blockchain wallet “Ever Surf.” Exploiting this bug could allow an adversary to steal crypto assets from the target wallet. Users should ensure use of the updated wallet version to avoid losing their assets due to potential exploits.
Serious Ever Surf Wallet Vulnerability Discovered
Check Point Research found a vulnerability in the web version of Ever Surf – an Everscale blockchain wallet.
As described in their report, the Ever Surf wallet web version is meant to facilitate users accessing their wallets from any device. Users can access the wallet site via their browsers without signing in.
While it sounds convenient, it also poses a security risk as accessing the wallet entirely depends on the respective device. Explaining this “non-custodial” implementation, the researchers stated,
…the keys required to sign transactions are only stored on the user’s device. Operations with the blockchain are performed entirely on the client’s side. Therefore, like other non-custodial wallets, it doesn’t have a registration using login names and passwords.
Hence, accessing the wallet requires entering the 6-digit PIN code that the users generated while creating the wallet. This PIN, together with the seed phrase, remains stored locally in the browser, thus enabling the user to easily access the wallet web version.
That’s where the bug existed –an adversary could easily access the wallet either by physical access to the device or remotely, such as via a malicious browser extension.
Describing how CPR checked the exploit, the researchers stated,
CPR roughly re-implemented the key derivation and keystore decryption in NodeJS and performed a brute-force attack on the PIN code.
This resulted in a performance of 95 passwords per second on 4-core Intel Core i7 CPU. Although this is not a very high speed, it is sufficient for the attack on a 6-digit PIN code.
Besides, the salt of the encrypted data from different users remained the same. Thus, an adversary could decrypt and brute-force multiple PIN codes quickly (for instance, 10^6 possible variants within ~175 minutes).
Technical details about the attack are available in their report.
Patch Deployed
Following this study, CPR reported the matter to Ever Surf, after which the vendors decided to deprecate the web version. Instead, they introduced the wallet desktop version.
Explaining this necessity in a post, Ever Surf stated that the new desktop should address the vulnerability by hashing the unique device identifier for key derivation.
Besides, the vendors have urged all users to update to the desktop version at the earliest to remain safe.
Let us know your thoughts in the comments.