ZenGo, the self-described “first keyless crypto wallet,” claims to have found a big security issue within the decentralized finance (DeFi) space. It claims to be able to fix it.
The issue, it claims, is one where a user gains full access to your account should you send them money, with the bad actor being able to drain your funds completely. Allegedly, ZenGo has run into this issue quite often in many of the more popular cryptocurrency wallets. They’re calling it baDAPProve. And they’re using their new platform, ZenGo Savings, to solve it.
Essentially, when a user grants a dApp access to their cryptocurrency wallet, sometimes that means they’re granting access to all holdings within that wallet – not just the ones they’re using to interact with it.
“In almost every DApp, when the user connects to it, they unknowingly provide the smart contract associated with the DApp, full access to all of their funds, regardless of their actual usage. Therefore, even if the user only actually sent a transaction equivalent to $1, an attacker abusing a smart contract vulnerability can withdraw all of the user’s holdings of that specific asset,” the post reads. Also, most dApps fail to communicate this.
ZenGo will solve this by creating a brand new user experience within their application. When a user sends money, the app’s approved sum is only the amount the user intends to send. Essentially, this limited amount is confirmed twice, rather than the user confirming access to the entire wallet, which is what allows a bad actor to take advantage of that connection.
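The check described above can be sketched as a wallet-side review of the approval a dApp asks the user to sign. This is an added example, not ZenGo's code: it assumes the approval is a standard ERC-20 `approve(address,uint256)` call, and the helper names and sample values are constructed for illustration.

```javascript
// Added example (not ZenGo's implementation): review an ERC-20 approve() request
// before signing and cap the allowance to what the user actually intends to spend.
const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n; // the usual "unlimited" allowance value

// Build approve() calldata: selector + 32-byte spender word + 32-byte amount word.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + amount.toString(16).padStart(64, "0");
}

// Parse calldata; returns null for anything that is not a well-formed approve().
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{136}$/.test(hex)) return null;          // 4 + 32 + 32 bytes
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spenderWord = hex.slice(8, 72);
  if (!spenderWord.startsWith("0".repeat(24))) return null; // address is right-aligned
  return { spender: "0x" + spenderWord.slice(24), amount: BigInt("0x" + hex.slice(72)) };
}

// Compare the requested allowance with the amount the user typed in the UI.
function reviewApproval(calldata, intendedAmount) {
  const call = decodeApprove(calldata);
  if (!call) return { verdict: "not-approve" };
  if (call.amount === MAX_UINT256) return { verdict: "unlimited", ...call };
  if (call.amount > intendedAmount) return { verdict: "exceeds-intent", ...call };
  return { verdict: "limited", ...call };
}

// Re-encode an over-broad request so the allowance equals the intended amount.
function capApproval(calldata, intendedAmount) {
  const review = reviewApproval(calldata, intendedAmount);
  if (review.verdict === "not-approve" || review.verdict === "limited") return calldata;
  return encodeApprove(review.spender, intendedAmount);
}

// Constructed sample: a made-up spender address asking for an unlimited allowance
// while the user only wants to send 1,000,000 base units of the token.
const sampleSpender = "0x" + "11".repeat(20);
const sampleRequest = encodeApprove(sampleSpender, MAX_UINT256);
console.log(reviewApproval(sampleRequest, 1000000n).verdict);             // unlimited
console.log(decodeApprove(capApproval(sampleRequest, 1000000n)).amount);  // 1000000n
```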
It appears that ZenGo will implement this feature not only within their application but within other DeFi applications as well. They’ve already spoken to platforms like Opera about implementation.