Pali Wallet

Client: Syscoin Foundation (developed by Pollum)

Cyrex partnered with the Syscoin Foundation to conduct white box penetration testing of Pali Wallet, securing its browser extension architecture, private key handling, and Web3 integrations across Bitcoin and Ethereum-based networks.

The Challenge

Securing a Cross-Chain Browser Wallet Handling Private Keys

Pali Wallet is the official Syscoin browser wallet, supporting Bitcoin-forked networks (Syscoin, Bitcoin Cash, Litecoin) alongside Ethereum-compatible chains. As a browser-based extension storing private keys locally, the wallet operates within a high-risk threat model.

The security surface included:

  • Private key storage mechanisms
  • Browser memory handling
  • DApp interaction logic
  • Web3 integrations across multiple chains
  • Hardware wallet compatibility (Trezor, BIP32)

Browser extensions are frequent targets for exploitation. Any weakness in key handling, parameter validation, or controller logic can directly expose user funds.

Pollum engaged Cyrex to conduct a comprehensive white box penetration test to determine exposure to targeted attacks and evaluate the wallet’s defensive posture.

The Cyrex Solution

White Box Penetration Testing with Full Source Code Access

Cyrex conducted structured white box penetration testing, reviewing full source code and simulating attacker behavior with regular user privileges.

Our objectives were to:

  • Determine whether a remote attacker could penetrate defenses
  • Assess the impact of potential breaches
  • Identify weaknesses in key storage and interaction logic

Controller & Method Analysis

During the testing lifecycle, Cyrex performed:

  • Analysis and testing of exposed controller methods
  • Parameter tampering and input manipulation
  • Identification of injection points and security flaws
  • Controlled exploitation to provide Proof of Concept (PoC) validation

This approach allowed vulnerabilities to be identified at both architectural and implementation levels.

Key Vulnerabilities Identified

The engagement uncovered significant issues, including:

  • Exposure of private wallet keys to websites
  • Private keys stored in plaintext on the system
  • Wallet password stored in browser memory in plaintext
  • Disclosure of connected websites (privacy concern)

These findings were documented with prioritized remediation guidance to address risk at its root.

Regression Testing & Validation

Following remediation, Cyrex conducted structured regression testing to:

  • Confirm vulnerabilities were fully resolved
  • Ensure no new weaknesses were introduced
  • Validate secure key handling and memory management practices

The final assessment concluded that security maturity was significantly strengthened post-remediation.

The Outcome

Hardened Private Key Handling & Extension Security

  • Identification and remediation of critical key-handling vulnerabilities
  • Improved browser extension security controls
  • Strengthened private key storage and password management practices
  • Approved application security posture following remediation