Non-Custodial Signer Solution - Crossmint

1. Summary

2. Introduction

Crossmint engaged Halborn to perform a security assessment of the Signer-Frames, Crossmint-SDK, Crossbit-main, and TEE-ts repositories. The assessment scope included these repositories, although only specific paths within some were included. Halborn was granted access to the source code to conduct security testing using automated tools and manual techniques to identify, detect, and validate potential vulnerabilities within the application.

3. Assessment Summary

The Halborn team was provided a timeline for the engagement and assigned a dedicated full-time security engineer to evaluate the security of the scoped assets. This engineer is a penetration testing expert with advanced expertise in web, mobile, reconnaissance, discovery, and infrastructure penetration testing.

The security assessment uncovered multiple vulnerabilities across the repositories, varying in severity. It is strongly recommended to remediate these issues promptly to mitigate unnecessary risks.

Seven (7) high-impact issues were identified during the assessment:

• Host MitM and Insecure Default targetOrigin. The application accepts messages from any origin, allowing a man-in-the-middle attacker to inject or steal cross-origin data and compromise user sessions.

• Environment Parameter Tampering via URL Override. An attacker can override configuration parameters through query strings, causing the backend to operate in an unintended environment and exposing sensitive functionality.

• Lack of Content Security Policy and Frame-Ancestor Protection. The absence of a Content Security Policy (CSP) and clickjacking protections permits hostile iframes and arbitrary script execution, potentially leading to malware injection and data theft.

• Potential Arbitrary JavaScript Injection. Unescaped user input is reflected into HTML, enabling execution of attacker-supplied JavaScript and full compromise of the victim’s browser session.

• Potential Authentication Bypass with ACCESS_SECRET Unset. When the shared secret is missing, the server skips verification, allowing an unauthenticated caller to impersonate any user.

• Log Injection and Use of X-Forwarded-For. User-controlled strings are logged without sanitization, enabling attackers to forge IP addresses, insert fake entries, and mislead incident responders.

• Excessive Exposure of Key Shares. Key fragments are exposed in the browser memory allowing a potential attacker that has compromised the computer to extract them.

Nine (9) medium-impact issues were identified during the assessment:

• Insecure Storage of Cryptographic Keys in localStorage. Persisting keys client-side exposes them to theft via cross-site scripting (XSS) or physical device access, undermining encryption guarantees.

• Hard-coded and Weak Secret. The use of a static, low-entropy secret enables attackers to brute-force credentials offline within minutes.

• Potential XSS and Reverse-Tabnabbing. Unsanitized URL parameters and unguarded target="_blank" links allow script injection and phishing attacks through malicious tabs.

• IDOR in Public Key Derivation. Predictable identifiers permit one tenant to request another tenant’s key material, resulting in horizontal privilege escalation.

• Lack of Rate Limiting. Unlimited authentication attempts and API requests facilitate credential-stuffing attacks and resource exhaustion.

• Attestation Response Replay Attack. Previously captured attestation tokens can be replayed to gain illegitimate trust and bypass integrity checks.

• Potential Timing Attack on Shared-Secret Comparison. Measurable processing time differences reveal partial key bytes, enabling gradual recovery of the secret.

• Lack of Message Origin Validation. The application processes postMessage events without verifying the sender’s domain, allowing cross-site request forgery of privileged actions.

• Master Keys Not Explicitly Removed from Memory. Keys remain in RAM after use, so memory dumps or crash reports could expose them to attackers.

Five (5) low-impact issues were identified during the assessment:

• Excessive Data Shared in Attestation. The attestation payload includes unnecessary user attributes, increasing privacy risks if intercepted.

• Missing event.source Validation Allows Same-Origin Message Spoofing. Attackers executing code within the same domain can forge trusted messages and manipulate application state.

• Weak Randomness. Non-cryptographic random generators produce predictable tokens, reducing the effort required for brute-force attacks.

• Excessive Error Information Exposed to Caller. Detailed stack traces and configuration values leak internal implementation details that could aid attackers.

• Sensitive Data Logged to Console. Debug logging outputs secrets to browser consoles and monitoring tools, risking inadvertent disclosure.

Five (5) informational findings were identified during the assessment:

• Denial of Service (DoS) via Uncontrolled Memory Allocation. Very large input sizes can cause high memory consumption, potentially crashing the service under stress conditions.

• Documentation Issues. Incomplete or outdated security documentation may lead to insecure operational practices.

• Potential Production DoS Bug. Concurrency flaws could allow a high-rate attacker to exhaust worker threads and degrade availability.

• Over-Privileged ACCESS_SECRET. The shared secret grants broader access than necessary, increasing the blast radius if leaked.

• Deterministic Generation of Master Keys (Risk Accepted). Reproducible key generation facilitates development but may weaken uniqueness across deployments; this risk has been formally accepted by stakeholders.

4. Test Approach and Methodology

Halborn employed both whitebox and blackbox methodologies according to the scope, combining manual and automated security testing to balance efficiency, timeliness, practicality, and accuracy. Manual testing is essential to uncover flaws in logic, processes, and implementation, while automated techniques enhance coverage and quickly identify infrastructure vulnerabilities. The assessment methodology included, but was not limited to, the following phases and tools:

• Mapping Content and Functionality of APIs and SDKs

• Application Logic Flaws

• Access Handling

• Authentication and Authorization Flaws

• Rate Limiting Tests

• Input Handling

• Source Code Review

• Fuzzing of All Input Parameters

• Logic Errors

5. Out of Scope

• In the Signer-Frames repository, all contents except /test and /src/lib are in scope.

• In the Crossmint-SDK repository, all contents except packages/client/rn-window and packages/client/window are in scope.

• In the Crossbit-main repository, only the contents of libraries/products/wallets/ncs and apps/crossmint-nextjs/src/api/wallets/ncs.controller.ts are in scope.