Bug Description
A malicious NFT can make AlphaWallet (Android) crash due to missing parameter validation. If an attacker sends an NFT token to an AlphaWallet address, AlphaWallet will automatically load the NFT info in the wallet.
Steps to reproduce:
1. Deploy an NFT contract.
2. Send an NFT token to any AlphaWallet user with a malicious tokenUri.
3. The user opens the wallet app and clicks the NFT item.
4. The app will crash.
Or you can use this test mnemonic phrase (Ropsten):
federal smile danger mixed palace equal intact wood goat digital patrol relax
Impact
1. Make the app crash.
2. Leave users with a lot of dirty data in their wallets.
You can view this video: https://www.ghostmaze.top/aw/nft_crash.mp4
tx: 0xf1f1bf469d43279d4df81b9e66135054b327fae089122b2bde12b5060b7eb3eb (Ropsten)
Vulnerability Analysis
alpha-wallet-android-master\app\src\main\java\com\alphawallet\app\widget\NFTImageView.java
The loadImage function can load the NFT token metainfo from any website.
    private void loadImage(String url, String backgroundColor, int corners) throws IllegalArgumentException
    {
        if (!Utils.stillAvailable(getContext())) return;
        setWebViewHeight((int)getLayoutParams().width);
        this.imageUrl = url;
        fallbackLayout.setVisibility(View.GONE);
        image.setVisibility(View.VISIBLE);
        webLayout.setVisibility(View.GONE);
        if (!TextUtils.isEmpty(backgroundColor))
        {
            int color = Color.parseColor("#" + backgroundColor);
            ColorStateList sl = ColorStateList.valueOf(color);
            holdingView.setBackgroundTintList(sl);
        }
        else
        {
            holdingView.setBackgroundColor(ContextCompat.getColor(getContext(), R.color.transparent));
        }
        loadRequest = Glide.with(getContext())
                .load(url)
                .transform(new CenterCrop(), new RoundedCorners(corners))
                .transition(withCrossFade())
                .override(Target.SIZE_ORIGINAL)
                .timeout(30 * 1000)
                .listener(requestListener)
                .into(new DrawableImageViewTarget(image)).getRequest();
    }
When parsing the NFT backgroundColor field from the metainfo, due to missing parameter validation, any malicious data can enter the function.
    int color = Color.parseColor("#" + backgroundColor);
In the parseColor function, parseLong() is used to parse the backgroundColor parameter; if backgroundColor is not correct, it will crash. It looks like this:
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
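
One way to guard the parse described in this report, as an added example that is not AlphaWallet's code or the reporter's: check the metadata value against a strict hex pattern and take the fallback branch when it does not match. The class and method names are hypothetical, the sample values are constructed, and plain Java stands in for the Android Color API so it runs without the SDK.

```java
import java.util.OptionalInt;
import java.util.regex.Pattern;

// Added example, not AlphaWallet code. Names are hypothetical.
public class BackgroundColorCheck {
    // Exactly RRGGBB or AARRGGBB: the only values "#" + backgroundColor can mean.
    private static final Pattern HEX_COLOR =
            Pattern.compile("[0-9a-fA-F]{6}(?:[0-9a-fA-F]{2})?");

    // Returns the ARGB value, or empty if the untrusted metadata string is not
    // a colour. The caller then takes the existing transparent-background branch.
    static OptionalInt parseBackgroundColor(String backgroundColor) {
        if (backgroundColor == null || !HEX_COLOR.matcher(backgroundColor).matches()) {
            return OptionalInt.empty();
        }
        long argb = Long.parseLong(backgroundColor, 16); // cannot throw: digits checked above
        if (backgroundColor.length() == 6) {
            argb |= 0xFF000000L; // no alpha supplied, treat as opaque
        }
        return OptionalInt.of((int) argb);
    }

    // What an unguarded hex parse does with the same string.
    static String unguarded(String value) {
        try {
            Long.parseLong(value, 16);
            return "parsed";
        } catch (NumberFormatException e) {
            return "NumberFormatException";
        }
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for token metadata.
        String[] samples = {"ff8800", "80FF8800", "", "zzzzzz", "ff88", "#00ff00", "+ff8800"};
        for (String s : samples) {
            OptionalInt c = parseBackgroundColor(s);
            System.out.printf("%-10s unguarded=%-21s guarded=%s%n", "\"" + s + "\"", unguarded(s),
                    c.isPresent() ? String.format("0x%08X", c.getAsInt()) : "rejected, use fallback");
        }
    }
}
```

NumberFormatException is a subclass of IllegalArgumentException, so a single catch of IllegalArgumentException around the colour parse would also cover wrong-length values that parse as hex but are not colours.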