Security Audit Report for Hiro’s Stacks Wallet for Web

Given the sensitive nature of cryptocurrency wallets, we considered a thorough code audit a prerequisite to publishing the Stacks Wallet on the Chrome and Firefox stores.

Hiro's Stacks Wallet for Web is your portal to managing assets and using decentralized apps

In this post, we share the results of the audit, detailing some of the key findings and the changes made to remedy them.

Initial Audit Findings

The results of the review indicated a handful of security improvements to be made. Most notably, one abuse vector was found whereby the extension could be embedded into any website. This behavior should be prohibited to prevent sophisticated clickjacking attacks.

The Hiro team swiftly patched this by enabling the frame-ancestors Content Security Policy (CSP) directive, which restricts the origins allowed to embed the extension's pages in a frame. A new version was published, and the findings were disclosed in a forum post requesting that users upgrade.

As this vulnerability was found during the development of the Stacks Wallet, and the wallet had only been released as a developer preview, we don’t believe it was ever exploited.

Other items from the initial report we’d like to highlight are:

Key derivation

Our initial implementation used PBKDF2, a CPU-bound key derivation function that is natively available in the browser as part of the WebCrypto API spec.

Key derivation is an important mechanism for securing encrypted keys against brute-force attacks. Rather than using the password directly as the encryption key, the password is used to derive one. This process is, by design, computationally expensive (slow), so each guess an attacker makes costs them the same work.

While PBKDF2 is recommended by OWASP, a newer key derivation function, Argon2, has properties (notably memory-hardness, which makes parallel guessing on GPUs and ASICs far more expensive) that make it even more resistant to brute-force attacks. We implemented this library in our key derivation logic, resolving the suggestion. Learn more about Argon2 →

Pinning dependencies

NPM package versions are by default described with a caret, such as ^3.11.8. This tells NPM to pull the latest patch version, according to semver, when installing dependencies. It's possible a bug may be released in one of these versions. For this reason, Least Authority recommended that npm packages be pinned to specific versions, without the caret. This is done by using the --exact flag when installing the package. To enforce this, a CI task was added to validate the project's package.json for exact versions. Check out the Github Action →
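As an added example (not Hiro's actual GitHub Action), here is a Node.js check in the spirit of that CI task: it reports every dependency in a package.json declared with a range such as ^ or ~ instead of an exact version. The sample manifest is constructed for illustration.

```javascript
// Added example: a CI-style check that every dependency in package.json is
// pinned to an exact version. Not Hiro's actual GitHub Action; the sample
// manifest below is constructed for illustration.

// An exact version is MAJOR.MINOR.PATCH with an optional pre-release and
// build suffix. Anything else (^, ~, *, >=, tags such as "latest", git or
// file URLs) is treated as unpinned, which is the conservative choice.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function isExactVersion(spec) {
  return EXACT_VERSION.test(spec);
}

// Return every dependency whose version spec is not exact, across the
// dependency fields that end up in a build.
function findUnpinned(pkg) {
  const fields = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const unpinned = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isExactVersion(spec)) unpinned.push({ field, name, spec });
    }
  }
  return unpinned;
}

// Parse package.json text and report its unpinned dependencies.
function checkPackageJson(text) {
  return findUnpinned(JSON.parse(text));
}

// Constructed sample: "^3.11.8" is the caret form described in the post.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'sample-extension',
  dependencies: { 'some-lib': '^3.11.8', 'other-lib': '1.2.3', 'tilde-lib': '~1.0.0' },
  devDependencies: { 'build-tool': '2.0.0-beta.1', 'wildcard-lib': '*' },
});

const problems = checkPackageJson(SAMPLE_PACKAGE_JSON);
for (const p of problems) {
  console.error(`unpinned ${p.field}.${p.name}: "${p.spec}"`);
}
// In CI, a non-empty list is what fails the job (set a non-zero exit code).
console.log(`${problems.length} unpinned dependencies found`);
```

In a real pipeline, read the project's own file with fs.readFileSync('package.json', 'utf8') and fail the job whenever checkPackageJson returns a non-empty list.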

Here are other issues we've solved related to the initial report:

Final report

On April 29th 2021, after addressing the major concerns described in the initial findings and receiving a concluding sign-off from the Least Authority team, a final report was delivered. We then felt confident in making the Stacks Wallet live to the public on the Firefox and Chrome stores, opening the door for our big release.

Download and read the full report here


In Q1 2021, Hiro partnered with Least Authority, a leading security consultancy with experience in the crypto space, to audit Hiro's Stacks Wallet for Web, a browser extension for managing your STX holdings securely and connecting with Stacks apps using your digital assets and identity.