A security flaw has been identified in the ioPay wallet where the application fails to enforce mandatory authentication (security code or fingerprint) during the final stages of a transaction. Specifically, when interacting with the Rootstock Testnet to mint a "Milestone Badge," the transaction can be broadcast to the blockchain without any biometric or passcode verification from the user.
Critical – This is a major security vulnerability. Any person with physical access to an unlocked device can execute on-chain transactions and move or mint assets without knowing the wallet's security credentials.
Unauthorized Access: Private keys are effectively exposed to anyone holding the device, bypassing the "Military-Grade Encryption" and "Secure self-custody" claims of the app.
Financial Loss: In a mainnet environment, this flaw could lead to the total draining of assets if a malicious actor gains temporary access to the phone.
Regulatory Non-compliance: The lack of Strong Customer Authentication (SCA) fails to meet global standards like the UK’s FCA or EU’s MiCA requirements for secure transaction signing.
Steps to Reproduce:
- Open the ioPay app.
- Access a minting dApp (e.g., badges.blockscout.com on Rootstock Testnet).
- Initiate the Mint process for a badge or NFT.
- Proceed through the wallet's transaction confirmation screens.
- Observe that the transaction completes and is broadcast to the network without the app requesting a fingerprint scan or security code.
Expected Behavior: Before any transaction is signed and broadcast, the app must require a biometric check (fingerprint) or the entry of a manual security code to verify the user's intent and identity.
Actual Behavior: The transaction is confirmed and processed immediately upon clicking "Confirm," entirely bypassing the security layer that is supposed to protect the private keys.
Recommended Fixes:
- Enforce Global Auth Hook: Ensure that the signTransaction and sendTransaction methods in the core SDK are globally hooked to the system's biometric/security prompt.
- Validation Check: Add a logic gate that prevents the transaction broadcast if a "Success" token from the local authentication module has not been received.
- Security Settings Audit: Review the app's default settings to ensure that "Transaction Confirmation" security is enabled by default and cannot be accidentally disabled by dApp interactions.
- Harden Biometric Integration: Implement "Liveness detection" or multi-factor approvals for sensitive operations like minting and transfers.
Wallet Address: io1tkw393kejmxwnd454twc6020sxcyvh5dxqmren
Device & Environment:
- Operating system: Android 13
- Device model: Redmi Note 10 Pro
In Review
New Issue
1 day ago

cryptotestnet
Get notified by email when there are changes.