extension icon indicating copy to clipboard operation
extension copied to clipboard

Published 20 hours ago verified publisher icon leather-wallet

Prevent app from switching network automatically, require explicit user permission

Open kyranjamie opened this issue 3 years ago • 6 comments

Following on from #1280

How it works now Connected apps can open transactions that transparently switch between a network other than the one your wallet is currently set to, provided its in your list.

Why this is a problem

  • It's unexpected: We provide no guidance/feedback that this switching happens (a user can only tell if they select the network switcher, or notice their balance is different)
  • An attack vector exists: Consider you're in mainnet mode. A malicious "testnet" app guides you to switch to testnet. "Great, I'm operating in a safe environment" you think. The app reassures you "You're in testnet mode". Now send me "testnet" STX, and the transaction window opens—the app switches it to a mainnet transaction and you don't notice the network mainnet label ⚠️

Solution We implement the following behaviours:

  1. The wallet can only operate in one network mode at any given time
  2. The user must give their approval for an app to change network (regardless of whether you have it saved)

The flows are then:

image

See EIP-2015 best practices which notes similar function.

cc/ @jasperjansz @fbwoolf @andresgalante @aulneau

kyranjamie avatar Jun 10 '21 14:06 kyranjamie

I'm on board, big improvement. Should we also remove the ability to switch network in the tx signing screen? It will just lead to the contract not being found.

jasperjansz avatar Jun 10 '21 14:06 jasperjansz

big +1 for me. I think the only thing we should really allow is to switch user, but also warn them about that.

Similar to this is an app can be signed into one account, but the user could be on a different account. Do we want to show a warning for this too?

a thing I'd like to avoid is having multiple pop ups in our window

aulneau avatar Jun 10 '21 14:06 aulneau

I definitely agree this is critical to address and like the direction. 👍

fbwoolf avatar Jun 10 '21 14:06 fbwoolf

Connected apps can open transactions that transparently switch between a network other than the one your wallet is currently set to, provided its in your list.

Is this still true these or have we resolved this issue by now?

markmhendrickson avatar Sep 27 '21 06:09 markmhendrickson

True. This remains an issue, we've never built a change network confirmation screen.

kyranjamie avatar Sep 27 '21 09:09 kyranjamie

Coinbase Wallet has added this same functionality/flow

we have also added support for EIP-3085, which allows dapps to suggest a specific network to the user. When a dapp wants to suggest a network that differs from the user’s current network, Coinbase Wallet will ask the user to confirm the switch.

kyranjamie avatar Dec 18 '21 08:12 kyranjamie

Reference UI from MetaMask:

Screenshot 2023-06-15 at 15 07 05

markmhendrickson avatar Jun 15 '23 16:06 markmhendrickson