ScaleBit: Discovered a 0-day vulnerability that can transfer all assets on Uniswap Wallet

Reprinted from panewslab
01/10/2025
PANews reported on January 10 that the ScaleBit security team under BitsLab published a report stating that in October 2024 it discovered a vulnerability in the Uniswap iOS wallet, named "Unauthorized Access to Mnemonic Phrase." The vulnerability allows an attacker with physical access to the device to bypass the wallet's authentication mechanism and directly access the mnemonic phrase stored on the device.
The root cause of this vulnerability lies in flaws in the design of the mnemonic phrase's storage and access mechanism. The mnemonic phrase is not effectively encrypted at the application layer, and the trigger conditions for the recovery page are unreasonable. As a result, an attacker with physical access to the device can easily bypass the wallet's authentication mechanism and directly obtain the mnemonic phrase stored in the wallet.
Currently, this vulnerability still exists in the latest version of Uniswap Wallet (Version 1.42), posing potential risks to all users who use the wallet. Therefore, users need to pay special attention to the physical security of the device during use and avoid leaking the unlock password or lending the device to others.