Introduction
We express our gratitude to the Orange Crypto team for the collaborative engagement that enabled the execution of this Security Assessment.
| Item | Details |
|---|---|
| Platform | Crypto Wallet |
| Language | TypeScript |
| Timeline | 16/02/2024 - 22/03/2024 |
| Methodology | https://hackenio.cc/dApp_methodology |
| Review Scope | |
|---|---|
| Repository | https://github.com/orangecryptohq/orangewallet/tree/release/v1.0.4 |
| Commit | n/a |
Audit Summary
System users should acknowledge all the risks summarized in the Risks section of this report.
Document Information
This report may contain confidential information about IT systems and the intellectual property of the Customer, as well as information about potential vulnerabilities and methods of their exploitation.
The report can be disclosed publicly after prior consent by another Party. Any subsequent publication of this report shall be without mandatory consent.
| Document | |
|---|---|
| Name | Decentralized Application (dApp) Code Review and Security Analysis Report for Orange Crypto |
| Audited By | Stephen Ajayi |
| Approved By | Stephen Ajayi |
| Website | https://hacken.io |
| Changelog | 25/02/2024 - Preliminary Report |
System Overview
Orange Wallet is a browser extension software wallet that simplifies managing Bitcoin, BRC20 tokens, Stacks, and Ordinals NFTs. It features integration with Orange Assistant and AI for instant access to crypto industry insights. Orange Wallet stands out for its user-friendly, decentralized, non-custodial, and anonymous nature, offering direct Bitcoin blockchain access without third-party involvement. Your private key remains exclusively yours, ensuring your Bitcoin is securely stored on the blockchain without collecting any personal data. Supporting a variety of protocols like BRC20, Ordinals, Stacks, and Bitcoin itself, Orange Wallet is your all-in-one solution for diverse crypto assets management.
Asset:
Executive Summary
Documentation quality
The total Documentation Quality score is 10 out of 10.
- Comprehensive functional requirements were outlined.
- Detailed technical specifications were provided.
- Complete documentation for setting up, building the wallet, and integrating it with a browser was made available.
Code quality
The total Code Quality score is 10 out of 10.
- The code has been structured with clarity and coherence.
- The coding style maintained throughout is uniform.
- The development environment has been properly configured.
Security score
Upon auditing, the code was found to contain 0 critical, 4 high, 5 medium, and 5 low severity issues, leading to a security score of 10 out of 10.
All identified issues are detailed in the “Findings” section of this report.
Summary
The comprehensive audit of the Customer's dApp yields an overall score of 10. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.
Findings
| Code | Title | Status | Severity |
|---|---|---|---|
| F-2024-1036 | Plaintext User Password Exposure in Memory | fixed | High |
| F-2024-1035 | Plaintext Secret Keyphrase Exposure in Memory | fixed | High |
| F-2024-0871 | Insecure Random Number Generation | fixed | High |
| F-2024-0862 | Use of Password Hash Directly as Key | fixed | High |
| F-2024-0951 | Potential Mismanagement of Sensitive Information | fixed | Medium |
| F-2024-0876 | Insecure Default Configuration (CORS) | fixed | Medium |
| F-2024-0874 | Overly Broad Host Permissions | fixed | Medium |
| F-2024-0847 | Insecure Deserialization | fixed | Medium |
| F-2024-0822 | Open Redirect Vulnerability in Wallet Redirection Logic | fixed | Medium |
| F-2024-1033 | Sensitive Data Exposure through Clipboard | accepted | Low |
Appendix 1. Severity Definitions
| Severity | Description |
|---|---|
| Critical | These issues present a major security vulnerability that poses a severe risk to the system. They require immediate attention and must be resolved to prevent a potential security breach or other significant harm. |
| High | These issues present a significant risk to the system, but may not require immediate attention. They should be addressed in a timely manner to reduce the risk of a potential security breach. |
| Medium | These issues present a moderate risk to the system and cannot have a great impact on its function. They should be addressed in a reasonable time frame, but may not require immediate attention. |
| Low | These issues present no risk to the system and typically relate to code quality problems or general recommendations. They do not require immediate attention and should be viewed as a minor recommendation. |
Appendix 2. Scope
The scope of the project includes the following endpoints from the provided repository:
| Scope Details | |
|---|---|
| Repository | https://github.com/orangecryptohq/orangewallet/tree/release/v1.0.4 |
| Commit | n/a |
| Whitepaper | https://docs.orangecrypto.com |
| Requirements | https://docs.orangecrypto.com |
| Technical Requirements | https://docs.orangecrypto.com |