Abstract:Cryptocurrency wallets, acting as fundamental infrastructure to the blockchain ecosystem, have seen significant user growth, particularly among browser-based wallets (i.e., browser extensions). However, this expansion accompanies security challenges, making these wallets prime targets for malicious activities. Despite a substantial user base, there is not only a significant gap in comprehensive security analysis but also a pressing need for specialized tools that can aid developers in reducing vulnerabilities during the development process. To fill the void, we present a comprehensive security analysis of browser-based wallets in this paper, along with the development of an automated tool designed for this purpose. We first compile a taxonomy of security vulnerabilities resident in cryptocurrency wallets by harvesting historical security reports. Based on this, we design WALLETRADAR, an automated detection framework that can accurately identify security issues based on static and dynamic analysis. Evaluation of 96 popular browser-based wallets shows WALLETRADAR's effectiveness, by successfully automating the detection process in 90% of these wallets with high precision. This evaluation has led to the discovery of 116 security vulnerabilities corresponding to 70 wallets. By the time of this paper, we have received confirmations of 10 vulnerabilities from 8 wallet developers, with over $2,000 bug bounties. Further, we observed that 12 wallet developers have silently fixed 16 vulnerabilities after our disclosure. WALLETRADAR can effectively automate the identification of security risks in cryptocurrency wallets, thereby enhancing software development quality and safety in the blockchain ecosystem.

What problem does this paper attempt to address?

### What problems does this paper attempt to solve? This paper aims to solve the security vulnerability problems existing in cryptocurrency wallets in the form of browser extensions (i.e., non - custodial cryptocurrency wallets based on browsers). Specifically, the paper focuses on the following aspects: 1. **Lack of Systematic Security Analysis**: - Although the number of users of cryptocurrency wallets in the form of browser extensions is huge, the current security analysis of these wallets is still insufficient, and there is a lack of systematic security assessment tools. 2. **Absence of Automatic Detection Tools**: - Existing vulnerability detection tools mainly focus on mobile applications, and there are very few automated detection tools specifically for cryptocurrency wallets in the form of browser extensions. 3. **Identification of Emerging Vulnerabilities**: - With the rapid development of blockchain technology and cryptocurrency wallets, new security vulnerabilities keep emerging. These vulnerabilities may be different from those in traditional Web applications and require special attention and research. 4. **Lack of Security Awareness**: - Many wallet developers overlook crucial security mechanisms, such as password policies and credential storage, resulting in a large number of users being at risk of information leakage and financial loss. To solve these problems, the paper proposes the following tasks: - **Create a Vulnerability Classification System**: Through a comprehensive analysis of existing security reports and technical literature, a classification system containing 6 types of vulnerabilities is constructed, covering traditional Web vulnerabilities (such as click - jacking, cross - site scripting attacks, unreasonable password policies) and emerging cryptocurrency wallet vulnerabilities (such as redundant storage, demon vulnerabilities, defective encryption). - **Develop an Automated Detection Framework**: Design and implement an automated detection framework named WalletRadar, which combines static analysis and dynamic analysis techniques and can accurately identify various security vulnerabilities in cryptocurrency wallets in the form of browser extensions. - **Systematic Characterization Analysis**: By evaluating 96 popular cryptocurrency wallets in the form of browser extensions, the common security problems in these wallets are revealed, and the scope of influence and severity are analyzed. Through these tasks, the paper hopes to fill the current gap in the security analysis of cryptocurrency wallets in the form of browser extensions, provide an effective tool and method, help developers improve the security and quality of wallets, and thus enhance the security of the entire blockchain ecosystem.

WALLETRADAR: Towards Automating the Detection of Vulnerabilities in Browser-based Cryptocurrency Wallets

WalletRadar: towards automating the detection of vulnerabilities in browser-based cryptocurrency wallets

Smart Contract Vulnerability Detection Technique: A Survey

SoK: Design, Vulnerabilities, and Security Measures of Cryptocurrency Wallets

CoinWatch: A Clone-Based Approach For Detecting Vulnerabilities in Cryptocurrencies

Navigating the digital currency landscape: A comprehensive examination from blockchain foundations to website security

A Security Analysis of Cryptocurrency Wallets against Password Brute-Force Attacks

SOK: On the Analysis of Web Browser Security

Research on Security Vulnerability Detection of Smart Contract

Making Smart Contract Development More Secure and Easier.

Stealing Trust: Unraveling Blind Message Attacks in Web3 Authentication

Break the Wall from Bottom: Automated Discovery of Protocol-Level Evasion Vulnerabilities in Web Application Firewalls

Vulnerability Scanners for Ethereum Smart Contracts: A Large-Scale Study

Detection of Vulnerabilities of Blockchain Smart Contracts

A Vulnerability Detection Method for Blockchain Smart Contract: Review

Characterizing Cryptocurrency-themed Malicious Browser Extensions

D-WAV: A Web Application Vulnerabilities Detection Tool Using Characteristics of Web Forms

Artemis: An Improved Smart Contract Verification Tool for Vulnerability Detection

An Empirical Assessment of Security Risks of Global Android Banking Apps

A Review of Approaches for Detecting Vulnerabilities in Smart Contracts within Web 3.0 Applications

Exploring Security Practices of Smart Contract Developers