Serious bug found in DeFi dapp wallets

A team of product designers at ZenGo, a non-custodial wallet company, has discovered a flaw that can drain user funds from almost all dapp wallets. This security bug has been known for two years. Ouriel Ohayon, CEO of ZenGo, is now sounding the alarm, claiming that it poses a risk to users who do not face it directly.

How the bug works

The security problem, called BaDApprove, is not a code bug but a problem in the way users select transaction permissions in the default settings. Ohayon found that when users approve a specific transaction, they are also approving all future transactions by default.

This opens the door to malicious decentralized applications that interact with users' funds without their knowledge.

Why it hasn't been resolved before

What Ohayon and ZenGo have highlighted has been a known problem in the DeFi community for years. The question is, then, why it hasn't been resolved before. For some in the industry, the answer is that it's not so much a flaw or bug as bad functionality.

In September 2018, Jordan Randolph, a representative of Ethex, a decentralized exchange, categorized the problem as being of medium severity. One-off authorizations to move "an almost infinite amount of tokens ... can be convenient," he wrote.

"However, having an almost infinite number of approved tokens means that all [your] tokens could be transferred with a smart contract." The wallet default then boils down to a choice between convenience and security, he said.

Ben He, CEO of imToken, said: "It's not a security bug, it's a bad convention for the entire Ethereum ecosystem that most Dapps / DeFi apps require unlimited user approvals."

MetaMask gave a similar response regarding unlimited authorizations: "This is actually a secure feature that users regularly use responsibly. It's not a kind of bug or problem."

Both imToken and MetaMask have been proactive in adding safeguards, such as pop-up messages asking for confirmation before funds are sent and an advanced setting that lets users change the approved amount. Ohayon also cited Brave and Coinbase for their warnings, which complement those shown by the dapps.
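The check a wallet can run before signing, as an added example that is not code from ZenGo, MetaMask or imToken: it decodes an approval request, flags an unlimited allowance, and builds a replacement capped at the amount the transaction needs. It assumes a standard ERC-20 `approve(address,uint256)` call; the function names, the 2**255 "almost infinite" threshold and the sample spender are constructed for illustration.

```python
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # selector of approve(address,uint256)
MAX_UINT256 = 2**256 - 1
UNLIMITED_FLOOR = 2**255  # assumption: anything this large counts as "almost infinite"

def _raw(hex_str):
    """Hex string (with or without 0x) to bytes."""
    return bytes.fromhex(hex_str[2:] if hex_str.startswith("0x") else hex_str)

def decode_approve(calldata_hex):
    """Return (spender, amount) for approve() calldata, or None for any other call."""
    data = _raw(calldata_hex)
    if data[:4] != APPROVE_SELECTOR:
        return None
    if len(data) != 4 + 32 + 32:
        raise ValueError("malformed approve() calldata")
    spender_word, amount_word = data[4:36], data[36:68]
    if any(spender_word[:12]):  # an address is left-padded with 12 zero bytes
        raise ValueError("spender word is not a valid address")
    return "0x" + spender_word[12:].hex(), int.from_bytes(amount_word, "big")

def encode_approve(spender, amount):
    """Build approve() calldata, e.g. to replace an unlimited request with a capped one."""
    addr = _raw(spender)
    if len(addr) != 20 or not 0 <= amount <= MAX_UINT256:
        raise ValueError("bad spender or amount")
    body = addr.rjust(32, b"\0") + amount.to_bytes(32, "big")
    return "0x" + (APPROVE_SELECTOR + body).hex()

def review_approval(calldata_hex, needed):
    """Classify an approval against the amount this transaction actually needs."""
    decoded = decode_approve(calldata_hex)
    if decoded is None:
        return {"verdict": "not-an-approval"}
    spender, amount = decoded
    if amount == 0:
        verdict = "revoke"
    elif amount >= UNLIMITED_FLOOR:
        verdict = "unlimited"
    else:
        verdict = "excess" if amount > needed else "exact"
    result = {"verdict": verdict, "spender": spender, "amount": amount}
    if verdict in ("unlimited", "excess"):
        result["suggested"] = encode_approve(spender, needed)  # capped replacement
    return result

# Constructed sample: a dapp requests the maximum allowance for a 250-token swap.
SPENDER = "0x" + "11" * 20
REQUEST = encode_approve(SPENDER, MAX_UINT256)
if __name__ == "__main__":
    print(review_approval(REQUEST, 250 * 10**18))
```

A wallet would show the `unlimited` verdict in its confirmation prompt and offer the `suggested` calldata as the default instead of the dapp's original request.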

Dapps need to be adapted to a mainstream DeFi

"Certain security compromises that may have been acceptable in an era where users were few and highly technically trained are no longer acceptable as DeFi goes mainstream, acquiring many technically poorly trained users and managing billions of dollars in crypto tokens (USD)," Alex Manuskin, ZenGo researcher, wrote in a post.

He believes that if cryptocurrency, which can already be traded on platforms like Bitcoin Pro, is ever to become mainstream, adequate safeguards must be put in place to prevent new users from being exploited. A similar problem was raised two weeks ago after the crypto flash crash, when the issue of trading circuit breakers emerged.

For many, these precautions run counter to the crypto ethos of decentralization and personal autonomy.

Andrew Santillo

Andrea Santillo: freelance expert writer in the field of digital finance and now also in the field of cryptocurrencies. Thanks to my linguistic knowledge I carry out research and studies on various sites, and my articles are founded and deepened on these themes. Enjoy the reading.
