Metamask Snap Audit Report for Galactica

Management Summary

Galactica contacted Sayfer Security in order to perform a code audit on Galactica’s MetaMask Snap in October 2023.

Before assessing the above services, we held a kickoff meeting with the Galactica technical team and received an overview of the system and the goals for this research.

Over the research period of 2 weeks, we discovered 3 vulnerabilities in the system and added 1 informational note.

In conclusion, several fixes should be implemented following the report, but the system’s security posture is competent.

After a review by the Sayfer team, we certify that all the security issues mentioned in this report have been addressed by the Galactica team.

Risk Methodology

At Sayfer, we are committed to delivering the highest quality penetration testing to our clients. That’s why we have implemented a comprehensive risk assessment model to evaluate the severity of our findings and provide our clients with the best possible recommendations for mitigation.

Our risk assessment model is based on two key factors: IMPACT and LIKELIHOOD. Impact refers to the potential harm that could result from an issue, such as financial loss, reputational damage, or a non-operational system. Likelihood refers to the probability that an issue will occur, taking into account factors such as the complexity of the attack and the number of potential attackers.

By combining these two factors, we can create a comprehensive understanding of the risk posed by a particular issue and provide our clients with a clear and actionable assessment of the severity of the issue. This approach allows us to prioritize our recommendations and ensure that our clients receive the best possible advice on how to protect their business.

Risk is defined as follows:

Vulnerabilities by Risk

High – Direct threat to key business processes.
Medium – Indirect threat to key business processes or partial threat to business processes.
Low – No direct threat exists. The vulnerability may be exploited using other vulnerabilities.
Informational – This finding does not indicate vulnerability, but states a comment that notifies about design flaws and improper implementation that might cause a problem in the long run.

Severity
# of issues
High
0
Medium
1
Low
2
Informational
1

Approach

Introduction

Galactica contacted Sayfer to perform penetration testing on their MetaMask Snap application.

This report documents the research carried out by Sayfer targeting the selected resources defined under the research scope. Particularly, this report displays the security posture review for Galactica’s MetaMask Snap application and its surrounding infrastructure and process implementations.

Our penetration testing project life cycle:

01

Scope Overview

02

Technical Overview

03

Scope Validation

04

Threat Model

05

Security Evaluation

06

Security Assessment

Scope Overview

During our first meeting and after understanding the company’s needs, we defined the application’s scope that resides at the following URLs as the scope of the project:

Galactica’s Snap

Our tests were performed in October 2023.

Don’t let it be too late!

Start your audit with Sayfer

Scope Validation

We began by ensuring that the scope defined to us by the client was technically logical.

Deciding what scope is right for a given system is part of the initial discussion. Getting the scope right is key to deriving maximum business value from the research.

Threat Model

During our kickoff meetings with the client we defined the most important assets the application possesses.

We defined that the largest current threat to the system is stolen user funds.

Don’t let it be too late!

Start your audit with Sayfer

Security Evaluation Methodology

Sayfer uses OWASP WSTG as our technical standard when reviewing web applications. After gaining a thorough understanding of the system we decided which OWASP tests are required to evaluate the system.

Security Assessment

After understanding and defining the scope, performing threat modeling, and evaluating the correct tests required in order to fully check the application for security flaws, we performed our security assessment.

Issue Table Description

Issue title

ID SAY-??: An ID for easy communication on each vulnerability
Status Open/Fixed/Acknowledged
Risk Represents the risk factor of the issue. For further description refer to the Vulnerabilities by Risk section.
Business Impact The main risk of the vulnerability at a business level.
Location The URL or the file in which this issue was detected. Issues with no location have no particular location and refer to the product as a whole.

Description

Here we provide a brief description of the issue and how it formed, the steps we made to find or exploit it, along with proof of concept (if present), and how this issue can affect the product or its users.

Mitigation

Suggested resolving options for this issue and links to advised sites for further remediation.

Security Evaluation

The following tests were conducted while auditing the system

Information Gathering

Information Gathering Test Name
WSTG-INFO-01 Conduct Search Engine Discovery Reconnaissance for Information Leakage
WSTG-INFO-02 Fingerprint Web Server
WSTG-INFO-03 Review Webserver Metafiles for Information Leakage
WSTG-INFO-04 Enumerate Applications on Webserver
WSTG-INFO-05 Review Webpage Content for Information Leakage
WSTG-INFO-06 Identify application entry points
WSTG-INFO-07 Map execution paths through application
WSTG-INFO-08 Fingerprint Web Application Framework
WSTG-INFO-09 Fingerprint Web Application
WSTG-INFO-10 Map Application Architecture

Configuration and Deploy Management Testing

Configuration and Deploy Management Testing Test Name
WSTG-CONF-01 Test Network Infrastructure Configuration
WSTG-CONF-02 Test Application Platform Configuration
WSTG-CONF-03 Test File Extensions Handling for Sensitive Information
WSTG-CONF-04 Review Old Backup and Unreferenced Files for Sensitive Information
WSTG-CONF-05 Enumerate Infrastructure and Application Admin Interfaces
WSTG-CONF-06 Test HTTP Methods
WSTG-CONF-07 Test HTTP Strict Transport Security
WSTG-CONF-08 Test RIA cross domain policy
WSTG-CONF-09 Test File Permission
WSTG-CONF-10 Test for Subdomain Takeover
WSTG-CONF-11 Test Cloud Storage

Identity Management Testing

Identity Management Testing Test Name
WSTG-IDNT-01 Test Role Definitions
WSTG-IDNT-02 Test User Registration Process
WSTG-IDNT-03 Test Account Provisioning Process
WSTG-IDNT-04 Testing for Account Enumeration and Guessable User Account
WSTG-IDNT-05 Testing for Weak or unenforced username policy

Authentication Testing

Authentication Testing Test Name
WSTG-ATHN-01 Testing for Credentials Transported over an Encrypted Channel
WSTG-ATHN-02 Testing for Default Credentials
WSTG-ATHN-03 Testing for Weak Lock Out Mechanism
WSTG-ATHN-04 Testing for Bypassing Authentication Schema
WSTG-ATHN-05 Testing for Vulnerable Remember Password
WSTG-ATHN-06 Testing for Browser Cache Weaknesses
WSTG-ATHN-07 Testing for Weak Password Policy
WSTG-ATHN-08 Testing for Weak Security Question Answer
WSTG-ATHN-09 Testing for Weak Password Change or Reset Functionalities
WSTG-ATHN-10 Testing for Weaker Authentication in Alternative Channel

Authorization Testing

Authorization Testing Test Name
WSTG-ATHZ-01 Testing Directory Traversal File Include
WSTG-ATHZ-02 Testing for Bypassing Authorization Schema
WSTG-ATHZ-03 Testing for Privilege Escalation
WSTG-ATHZ-04 Testing for Insecure Direct Object References

Session Management Testing

Session Management Testing Test Name
WSTG-SESS-01 Testing for Session Management Schema
WSTG-SESS-02 Testing for Cookies Attributes
WSTG-SESS-03 Testing for Session Fixation
WSTG-SESS-04 Testing for Exposed Session Variables
WSTG-SESS-05 Testing for Cross Site Request Forgery
WSTG-SESS-06 Testing for Logout Functionality
WSTG-SESS-07 Testing Session Timeout
WSTG-SESS-08 Testing for Session Puzzling
WSTG-SESS-09 Testing for Session Hijacking

Data Validation Testing

Data Validation Testing Test Name
WSTG-INPV-01 Testing for Reflected Cross Site Scripting
WSTG-INPV-02 Testing for Stored Cross Site Scripting
WSTG-INPV-03 Testing for HTTP Verb Tampering
WSTG-INPV-04 Testing for HTTP Parameter Pollution
WSTG-INPV-05 Testing for SQL Injection
WSTG-INPV-06 Testing for LDAP Injection
WSTG-INPV-07 Testing for XML Injection
WSTG-INPV-08 Testing for SSI Injection
WSTG-INPV-09 Testing for XPath Injection
WSTG-INPV-10 Testing for IMAP SMTP Injection
WSTG-INPV-11 Testing for Code Injection
WSTG-INPV-12 Testing for Command Injection
WSTG-INPV-13 Testing for Format String Injection
WSTG-INPV-14 Testing for Incubated Vulnerability
WSTG-INPV-15 Testing for HTTP Splitting Smuggling
WSTG-INPV-16 Testing for HTTP Incoming Requests
WSTG-INPV-17 Testing for Host Header Injection
WSTG-INPV-18 Testing for Server-side Template Injection
WSTG-INPV-19 Testing for Server-Side Request Forgery

Error Handling

Error Handling Test Name
WSTG-ERRH-01 Testing for Improper Error Handling
WSTG-ERRH-02 Testing for Stack Traces

Cryptography

Cryptography Test Name
WSTG-CRYP-01 Testing for Weak Transport Layer Security
WSTG-CRYP-02 Testing for Padding Oracle
WSTG-CRYP-03 Testing for Sensitive Information Sent via Unencrypted Channels
WSTG-CRYP-04 Testing for Weak Encryption

Business logic Testing

Business logic Testing Test Name
WSTG-BUSL-01 Test Business Logic Data Validation
WSTG-BUSL-02 Test Ability to Forge Requests
WSTG-BUSL-03 Test Integrity Checks
WSTG-BUSL-04 Test for Process Timing
WSTG-BUSL-05 Test Number of Times a Function Can be Used Limits
WSTG-BUSL-06 Testing for the Circumvention of Work Flows
WSTG-BUSL-07 Test Defenses Against Application Mis-use
WSTG-BUSL-08 Test Upload of Unexpected File Types
WSTG-BUSL-09 Test Upload of Malicious Files

Client Side Testing

Client Side Testing Test Name
WSTG-CLNT-01 Testing for DOM-Based Cross Site Scripting
WSTG-CLNT-02 Testing for JavaScript Execution
WSTG-CLNT-03 Testing for HTML Injection
WSTG-CLNT-04 Testing for Client Side URL Redirect
WSTG-CLNT-05 Testing for CSS Injection
WSTG-CLNT-06 Testing for Client Side Resource Manipulation
WSTG-CLNT-07 Test Cross Origin Resource Sharing
WSTG-CLNT-08 Testing for Cross Site Flashing
WSTG-CLNT-09 Testing for Clickjacking
WSTG-CLNT-10 Testing WebSockets
WSTG-CLNT-11 Test Web Messaging
WSTG-CLNT-12 Testing Browser Storage
WSTG-CLNT-13 Testing for Cross Site Script Inclusion

API Testing

API Testing Test Name
WSTG-APIT-01 Testing GraphQL

Order audit from Sayfer

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

    Security Assessment Findings

    Non-functional Demo Samples

    ID SAY-01
    Status Fixed
    Risk Medium
    Business Impact Incorrect operation of Snap features implemented in the demo example may mean that individual functionalities are not working properly, which may impact Snap operation in production mode and require fixes.
    Location

    Description

    A few of the examples available in the demo version of the dApp do not work properly. They return errors related to incorrect function calls, gas calculations, as well as messages that are not obvious to non-technical users.

    • simple zkKYC test (repeatable):

    • Import zkCert:

    Mitigation

    We suggest that you verify the reason for the errors in the console as well as in the demo example screen. It’s important to verify whether similar errors crop up in production and disrupt normal functionality.

     

    Unused Functions

    ID SAY-02
    Status Fixed
    Risk Low
    Business Impact Unused functions can reduce code readability and may be perceived as unprofessional by readers if present in production code.
    Location – packages/snap/src/utils.ts:8-10; shortenAddrStr(string)

    Description

    The utility function specified in the location field does not appear to be used anywhere.

    Mitigation

    Consider removing it from production code if you don’t intend to use it.

     

    Commented Code and Leftover TODOs

    ID SAY-03
    Status Fixed
    Risk Low
    Business Impact TODOs in production code may be perceived as unprofessional by readers.
    Location -packages/snap/src/proofGenerator.ts:82
    -packages/snap/src/merkleProofSelection.ts:100

    Description

    We found a few commented lines of code, including old TODOs, in the specified locations.

    Mitigation

    If you do not intended to use these lines, remove them from the code, at least in production environment.

     

    Missing URL Validation

    ID SAY-04
    Status Fixed
    Risk Informational
    Business Impact Changing the URL to an incorrect value may break snap functionality without an informative error message.
    Location snap/src/index.ts:458; processRpcRequest()

    Description

    RpcMethods.UpdateMerkleProofURL() accepts the URL value as a string and does not perform any validation of its correctness. Theoretically, any string of characters will be qualified as a URL and saved in state. When invoked, JavaScript will of course return an unhandled error, because the format of this string will not be compatible with the function sending the request, e.g. fetch().

    Mitigation

    We suggest implementing basic validation for urlUpdateParams.url. For example, by verifying that it starts with https:// and ends with /.

    You can find more information about it on our Blog

    Sayfer’s blog focuses on web3, security, and vulnerability research. We believe that in the cybersecurity industry it’s crucial to stay up to date on the latest trends and advancements. Currently, our team of experienced researchers enjoys researching cutting-edge blockchain and web3 technologies.
    Contact us

    Keep In Touch

    Location
    Tel Aviv, Israel
    Messengers:
    Please feel free to contact us, we will be happy to respond!

      This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
      Skip to content