DeFi , Blockchain , Security , Web3

Syscoin & Pali Wallet

Cyrex was engaged by Pollum to perform a penetration test to assess the risk of targeted attacks.

Syscoin

Pali Wallet gives DApp users and developers easy access to Syscoin’s robust network and functionality. It will also accept Syscoin Platform Tokens, including NFTs and UTXO assets. Directly from the web browser, users can manage, receive and send crypto, as well as fungible and non-fungible tokens, across various chains.

This may sound very similar to MetaMask, the cryptocurrency wallet used to interact with the Ethereum blockchain. While it is true that every blockchain has a MetaMask integration, Pali is unique in that it supports not only Ethereum-based networks (such as Binance Smart Chain, Matic, Fantom and others) but also Bitcoin-forked networks such as Syscoin, Bitcoin Cash and Litecoin. Pali Wallet adds a layer of security that MetaMask does not provide. The wallet also supports Trezor, the best-known hardware wallet on the market, because it is BIP 32 HD-wallet compatible. When using a hardware wallet, the user also has the protection of never disclosing their information to third parties.

Challenge

Cyrex was engaged by Pollum to perform a penetration test to assess the risk of targeted attacks.

Solution for Syscoin & Pali Wallet

Under our white box testing service, Cyrex was granted full access to the application’s source code and user privileges. Our team simulated a malicious attacker and conducted activities to identify potential weaknesses and evaluate the impact of a potential security breach. The main objectives of the test were to determine if the application could be penetrated by a remote attacker and assess the consequences of such an attack.

The Pali Wallet extension offers the convenience of saving your wallet locally, which makes unauthorised access more difficult. While this provides a more secure experience, with an encrypted password safeguarding access in case the device is lost, our penetration tests conducted during the development phase revealed some vulnerabilities. Our testing included analysing the methods exposed by the controllers, tampering with different parameters, identifying potential security flaws and injection points, and exploiting them as a proof of concept.

The most concerning vulnerabilities discovered were: wallet keys exposed to any website, plaintext storage of wallet keys on the system, plaintext storage of the wallet password in browser memory, and disclosure of the list of connected websites, which poses a privacy threat.

Result

Through our testing, we identified a range of issues and vulnerabilities. Our regression testing ensured that the vulnerabilities revealed during the penetration test were fixed during patching and that no new vulnerabilities were introduced. Cyrex assessed that the overall security maturity is excellent and will satisfy any end user’s risk appetite. All suggested patches were correctly applied and, more importantly, our team’s security experts extensively evaluated and approved the browser extension.
