Tezoro Snap

1 Executive Summary

This report presents the results of our engagement with Tezoro to review the Tezoro Snap.

The review was conducted over five days, from April 8, 2024 to April 12, 2024, by Valentin Quelquejay. A total of 5 person-days were spent.

The Tezoro snap is designed to communicate with the Tezoro dApp. It is an extension of the main dashboard. Specifically, it monitors user’s token balances every fifteen days and alerts them when their token balance exceeds a certain treshold, suggesting them to backup their assets to Tezoro if they haven’t already done so. Users can link the snap with their Tezoro account via the Tezoro dashboard.

2 Scope

Our review focused on the commit hash 4204075301856f7412f07746c937343fb31cb7b8. The list of files in scope can be found in the Appendix.

2.1 Objectives

Together with the Tezoro team, we identified the following priorities for our review:

1. Correctness of the implementation, consistent with the intended functionality and without unintended edge cases.
2. Identify vulnerabilities particular to the MetaMask Snaps SDK integration in coherence with the MetaMask Snap Threat Model describing a Snap as an extension of the MetaMask Wallet Trust Module.

3 Snap Outline

• The snap communicates and authenticates with the Tezoro API using the user’s token provided by the companion dApp.
• Connected dApps can communicate with the snap via RPC calls.
• The snap triggers a cron job every fifteen days to notify the user about tokens that are not backed up.
• The snap stores data in persistent storage.

3.1 Capabilities

Details

🚜 [snap_dialog]
    ☝️ - snap_dialog - Displays a dialog in the MetaMask UI. There are three types of dialogs with different parameters and return types.
    ⚠️ - this method renders Markdown! check for ctrlchar/markdown/injection
       🔸  src/index.ts
🚜 [snap_notify]
    👌 - snap_notify - Displays a notification in MetaMask or natively in the browser. Snaps can trigger a short notification text for actionable or time sensitive information.
     ⚠️ - this method renders Markdown! check for ctrlchar/markdown/injection
       🔸  src/index.ts
🚜 [snap_manageState]
    🪤 - snap_manageState - snap can store up to 100mb (isolated)
       🔸  src/index.ts
       🔸  src/check-tokens.ts
🚜 [endowment:network-access]
    🌐 - endowment:network-access - snap can access internet
     ⚠️ - this method may leak information to external api
       🔸  src/get-backups.ts
       🔸  src/external/get-price-of-asset-quoted-in-usd.ts
🚜 [endowment:ethereum-provider]
    🔺 - endowment:ethereum-provider - snap can access ethereum API
    ⚠️ - check if the **snap code** (not site) actually accesses the global 'ethereum' object
see https://docs.metamask.io/snaps/learn/about-snaps/apis/#snap-requests
       🔸  src/index.ts
       🔸  src/check-tokens.ts
🚜 [endowment:rpc]
    ❗- endowment:rpc.dapps - snap can communicate with websites/dapps; check origin for internal api calls!
       🔸  src/index.ts
🚜 [endowment:cronjob]
    - Cron Job 0:
      👉 At 12:00 AM, on day 1 and 15 of the month
      used in:
       🔸  src/index.ts
🌲 - Package Dependencies:
      - @metamask/rpc-errors:^6.2.1              (🔺 looks like devDependency 👀)
      - @metamask/snaps-sdk:^3.1.0               (🔺 looks like devDependency 👀)
      - buffer:^6.0.3            (🔺 looks like devDependency 👀)
      - viem:^2.7.22             (🔺 looks like devDependency 👀)
      - zod:^3.22.4              (🔺 looks like devDependency 👀)

4 Findings

Each issue has an assigned severity:

• Minor issues are subjective in nature. They are typically suggestions around best practices or readability. Code maintainers should use their own judgment as to whether to address such issues.
• Medium issues are objective in nature but are not security vulnerabilities. These should be addressed unless there is a clear reason not to.
• Major issues are security vulnerabilities that may not be directly exploitable or may require certain conditions in order to be exploited. All major issues should be addressed.
• Critical issues are directly exploitable security vulnerabilities that need to be fixed.

export const onRpcRequest: OnRpcRequestHandler = async ({ request }) => {
  switch (request.method) {
    case 'requestAccounts': {
      const data = await ethereum.request({
        method: 'eth_requestAccounts',

case 'getToken': {
  const state = await snap.request({

case 'saveToken': {
  const result = await snap.request({

if (assetName.startsWith('W')) {
  // Assume this is a wrapped token
  assetName = assetName.slice(1); // remove W
}
try {

const response = await fetch(
  `https://api.binance.com/api/v3/ticker/price?symbol=${assetName.toUpperCase()}USDT`,
);
const json = await response.json();

if (!token) {
  return {
    isStatePresent: true,
    isTokenPresent: true,
  };
}

export const stateSchema = z.object({
  token: z.string().optional(),
});

[...tokensList].map(async (token) => {
  await snap.request({
    method: 'snap_notify',
    params: {

case 'deleteToken': {
  await snap.request({
    method: 'snap_manageState',

    params: {
      operation: ManageStateOperation.UpdateState,
      newState: {},
      encrypted: true,
    },
  });
  return true;
}

return {
  data,
  error,
};

[...tokensList].map(async (token) => {
  await snap.request({
    method: 'snap_notify',
    params: {
      type: 'native',
      message: `Protect ${token} from loss with on-chain backup & will`,
    },
  });
});

  const { params } = request;

  await snap.request({
    method: 'snap_manageState',

    params: {
      operation: ManageStateOperation.UpdateState,
      newState: {
        token: params.token,
      },
      encrypted: true,
    },
  });
  return true;
}
return false;

Appendix 1 - Files in Scope

This audit covered the following files:

Appendix 2 - Disclosure

Consensys Diligence (“CD”) typically receives compensation from one or more clients (the “Clients”) for performing the analysis contained in these reports (the “Reports”). The Reports may be distributed through other means, including via Consensys publications and other distributions.

The Reports are not an endorsement or indictment of any particular project or team, and the Reports do not guarantee the security of any particular project. This Report does not consider, and should not be interpreted as considering or having any bearing on, the potential economics of a token, token sale or any other product, service or other asset. Cryptographic tokens are emergent technologies and carry with them high levels of technical risk and uncertainty. No Report provides any warranty or representation to any third party in any respect, including regarding the bug-free nature of code, the business model or proprietors of any such business model, and the legal compliance of any such business. No third party should rely on the Reports in any way, including for the purpose of making any decisions to buy or sell any token, product, service or other asset. Specifically, for the avoidance of doubt, this Report does not constitute investment advice, is not intended to be relied upon as investment advice, is not an endorsement of this project or team, and it is not a guarantee as to the absolute security of the project. CD owes no duty to any third party by virtue of publishing these Reports.

A.2.1 Purpose of Reports

The Reports and the analysis described therein are created solely for Clients and published with their consent. The scope of our review is limited to a review of code and only the code we note as being within the scope of our review within this report. Any Solidity code itself presents unique and unquantifiable risks as the Solidity language itself remains under development and is subject to unknown risks and flaws. The review does not extend to the compiler layer, or any other areas beyond specified code that could present security risks. Cryptographic tokens are emergent technologies and carry with them high levels of technical risk and uncertainty. In some instances, we may perform penetration testing or infrastructure assessments depending on the scope of the particular engagement.

CD makes the Reports available to parties other than the Clients (i.e., “third parties”) on its website. CD hopes that by making these analyses publicly available, it can help the blockchain ecosystem develop technical best practices in this rapidly evolving area of innovation.

A.2.2 Links to Other Web Sites from This Web Site

You may, through hypertext or other computer links, gain access to web sites operated by persons other than Consensys and CD. Such hyperlinks are provided for your reference and convenience only, and are the exclusive responsibility of such web sites’ owners. You agree that Consensys and CD are not responsible for the content or operation of such Web sites, and that Consensys and CD shall have no liability to you or any other person or entity for the use of third party Web sites. Except as described below, a hyperlink from this web Site to another web site does not imply or mean that Consensys and CD endorses the content on that Web site or the operator or operations of that site. You are solely responsible for determining the extent to which you may use any content at any other web sites to which you link from the Reports. Consensys and CD assumes no responsibility for the use of third-party software on the Web Site and shall have no liability whatsoever to any person or entity for the accuracy or completeness of any outcome generated by such software.

A.2.3 Timeliness of Content

The content contained in the Reports is current as of the date appearing on the Report and is subject to change without notice unless indicated otherwise, by Consensys and CD.