Crash: A malicious NFT can make app crash. #2685

@seabornlee

Bug Description
A malicious NFT can make AlphaWallet (Android) crash due to missing parameter validation. If an attacker sends an NFT token to an AlphaWallet address, AlphaWallet will automatically load the NFT info in the wallet.

Steps to reproduce:

1. Deploy an NFT contract.

2. Send an NFT token to any AlphaWallet user with a malicious tokenUri.

3. The user opens the wallet app and clicks the NFT item.

4. The app will crash.

Or you can use this test mnemonic phrase (Ropsten):

federal smile danger mixed palace equal intact wood goat digital patrol relax

Impact
1. Makes the app crash.

2. Leaves users with a lot of dirty data in their wallets.

You can view this video: https://www.ghostmaze.top/aw/nft_crash.mp4

tx:0xf1f1bf469d43279d4df81b9e66135054b327fae089122b2bde12b5060b7eb3eb (ropsten)

Vulnerability Analysis
alpha-wallet-android-master\app\src\main\java\com\alphawallet\app\widget\NFTImageView.java
The loadImage function can load the NFT token metainfo from any website.

private void loadImage(String url, String backgroundColor, int corners) throws IllegalArgumentException
   {
       if (!Utils.stillAvailable(getContext())) return;

       setWebViewHeight((int)getLayoutParams().width);

       this.imageUrl = url;
       fallbackLayout.setVisibility(View.GONE);
       image.setVisibility(View.VISIBLE);
       webLayout.setVisibility(View.GONE);

       if (!TextUtils.isEmpty(backgroundColor))
       {
           int color = Color.parseColor("#" + backgroundColor);
           ColorStateList sl = ColorStateList.valueOf(color);
           holdingView.setBackgroundTintList(sl);
       }
       else
       {
           holdingView.setBackgroundColor(ContextCompat.getColor(getContext(), R.color.transparent));
       }

       loadRequest = Glide.with(getContext())
               .load(url)
               .transform(new CenterCrop(), new RoundedCorners(corners))
               .transition(withCrossFade())
               .override(Target.SIZE_ORIGINAL)
               .timeout(30 * 1000)
               .listener(requestListener)
               .into(new DrawableImageViewTarget(image)).getRequest();
   }

When parsing the NFT BackgroundColor field from the metainfo, due to missing parameter validation, any malicious data can enter the function:

int color = Color.parseColor("#" + backgroundColor);

In the parseColor function, it uses parseLong() to parse the backgroundColor parameter; if backgroundColor is not correct, it will crash. It looks like this:

at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
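
One way to validate the backgroundColor field before it reaches a colour parser, as an added example that is not part of the original report or AlphaWallet's code. The class name SafeNftColor, the helper parseBackgroundColor and the sample inputs are constructed for illustration, and plain Java stands in for android.graphics.Color so it runs off-device:

```java
import java.util.regex.Pattern;

public class SafeNftColor {
    // Accept only RRGGBB or AARRGGBB hex digits. An allow-list is needed because
    // Long.parseLong also accepts a leading sign such as "-f8800" or "+ff880".
    private static final Pattern HEX_COLOR =
            Pattern.compile("[0-9a-fA-F]{6}|[0-9a-fA-F]{8}");

    static final int TRANSPARENT = 0x00000000;

    /**
     * Converts an untrusted metadata colour string to an ARGB int.
     * Returns fallback instead of throwing when the value is malformed.
     */
    static int parseBackgroundColor(String raw, int fallback) {
        if (raw == null) return fallback;
        String s = raw.trim();
        // Assumption: tolerate one leading '#', since some metadata includes it.
        if (s.startsWith("#")) s = s.substring(1);
        if (!HEX_COLOR.matcher(s).matches()) return fallback;

        long value = Long.parseLong(s, 16);      // cannot throw: input is 6 or 8 hex digits
        if (s.length() == 6) value |= 0xFF000000L; // no alpha supplied: make it opaque
        return (int) value;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two valid values, then malformed ones that
        // would raise NumberFormatException if passed straight to a hex parser.
        String[] samples = {
            "ff8800", "#80ff8800", "", "red", "zzzzzz",
            "ff88", "ff8800ff00", "-f8800", "<script>", null
        };
        for (String sample : samples) {
            int argb = parseBackgroundColor(sample, TRANSPARENT);
            String verdict = (argb == TRANSPARENT) ? "rejected, fallback used" : "accepted";
            System.out.printf("%-12s -> 0x%08X  %s%n", String.valueOf(sample), argb, verdict);
        }
    }
}
```

In loadImage, a helper of this kind would replace the direct parseColor call, so malformed token metadata falls through to the existing transparent-background branch rather than terminating the view.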
