Wallet Authentication Vulnerability
```mermaid
flowchart RL
    U("User")
    C("☁️ </br> Customer </br> Server")
    S("☁️ </br> Custody </br> Server")
    K("🔑 </br> Key Storage")
    U -- authenticate --> C
    C -- authenticate --> S
    S -- authenticate --> K
    A1(("😡 </br> Attack"))
    A1 -- ✅ bypass user --> C
    A2(("😡 </br> Attack"))
    A2 -- ✅ bypass user --> S
```
In digital asset custody systems, authentication is often the most critical line of defense. While cryptographic algorithms and secure enclaves are mathematically strong, the weakest links usually emerge in the layers that sit between the user and the secure signing environment. These are the so-called middle servers—such as exchange backend servers or Wallet-as-a-Service (WaaS) cloud servers—that act as intermediaries for transaction requests.
These middle servers are highly attractive targets because they are the central aggregation point for user requests. Whoever compromises one inherits both the authority to forward signing requests and, in many cases, sensitive metadata about users, wallets, and policies.
The primary risk comes from server-side compromise. If an attacker gains control over a middle server, they can initiate fraudulent signing requests directly to the wallet enclave or HSM. Since the enclave itself typically cannot distinguish between a genuine request from a user and a forged request from a compromised server, the attacker gains the ability to submit arbitrary transactions. This bypasses end-user intent entirely, undermining the trust model of the custody solution.
In other words, even if keys remain secure inside an HSM or enclave, the authentication path is broken. A compromised middle server can impersonate any user, turning the wallet enclave into a blind signing machine. This type of vulnerability illustrates that security does not end at cryptography—authentication workflows and trust boundaries must also be hardened.
To mitigate this risk, modern custody architectures must push authentication checks as close as possible to the user and the secure enclave. Techniques such as direct passkey verification, quorum-based approvals, out-of-band confirmations, and MPC-based distributed signing are designed to prevent a compromised server from unilaterally producing a valid signing request. By ensuring that every signing operation carries the explicit, authenticated intent of a legitimate user, the attack surface of middle servers can be drastically reduced.
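The following is an added example (not code from the original page or from any custody product) showing what "pushing authentication to the enclave" looks like in practice: the user authenticates the exact transaction bytes plus a fresh nonce, the middle server only forwards, and the enclave verifies a quorum of user tags itself before signing. HMAC keys enrolled with the enclave stand in for passkey public keys so the example runs on the Python standard library; the names `APPROVER_CREDENTIALS`, `intent_tag`, `Enclave` and the transaction values are all constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed registry (hypothetical): each approver enrols a credential with the enclave
# out of band, so the middle server never holds it. A real system would register passkey
# public keys and verify signatures; HMAC keys stand in here so the example runs on stdlib.
APPROVER_CREDENTIALS = {
    "alice": bytes.fromhex("00" * 16 + "a1" * 16),
    "bob": bytes.fromhex("00" * 16 + "b2" * 16),
    "carol": bytes.fromhex("00" * 16 + "c3" * 16),
}
QUORUM = 2  # approvals the enclave requires before it will sign


def canonical(tx: dict) -> bytes:
    """Deterministic encoding so client and enclave authenticate the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def intent_tag(user: str, credential: bytes, tx: dict, nonce: str) -> str:
    """Client side: authenticate the exact transaction together with a fresh nonce."""
    msg = b"|".join([b"intent-v1", user.encode(), nonce.encode(), canonical(tx)])
    return hmac.new(credential, msg, hashlib.sha256).hexdigest()


class Enclave:
    """Signing side: trusts user intent tags, never the forwarding server."""

    def __init__(self, registry: dict, quorum: int, signing_key: bytes):
        self.registry = registry
        self.quorum = quorum
        self.signing_key = signing_key
        self.used_nonces = set()  # replay protection for approved requests

    def sign_if_authorized(self, request: dict):
        tx, nonce = request["tx"], request["nonce"]
        if nonce in self.used_nonces:
            return "REJECTED_REPLAY", None
        valid = set()
        for approval in request.get("approvals", []):
            credential = self.registry.get(approval["user"])
            if credential is None:
                continue  # unknown approver: ignore
            expected = intent_tag(approval["user"], credential, tx, nonce)
            if hmac.compare_digest(expected, approval["tag"]):
                valid.add(approval["user"])
        if len(valid) < self.quorum:
            return "REJECTED_QUORUM", None
        self.used_nonces.add(nonce)
        # Stand-in for the real key operation: HMAC with the enclave key over the tx.
        signature = hmac.new(self.signing_key, canonical(tx), hashlib.sha256).hexdigest()
        return "SIGNED", signature


def middle_server_forward(enclave: Enclave, request: dict):
    """The middle server adds nothing the enclave trusts; it just relays."""
    return enclave.sign_if_authorized(request)


def demo() -> dict:
    enclave = Enclave(APPROVER_CREDENTIALS, QUORUM, b"enclave-key-placeholder")
    tx = {"asset": "ETH", "amount": "1.5", "to": "0xConstructedDestination"}
    results = {}

    # Genuine request: two enrolled users approve the same tx and nonce.
    n1 = secrets.token_hex(16)
    good = {"tx": tx, "nonce": n1, "approvals": [
        {"user": u, "tag": intent_tag(u, APPROVER_CREDENTIALS[u], tx, n1)} for u in ("alice", "bob")]}
    results["genuine"] = middle_server_forward(enclave, good)

    # Same request relayed twice: the nonce has already been consumed.
    results["replay"] = middle_server_forward(enclave, good)

    # Compromised server forges approvals without the users' credentials.
    n2 = secrets.token_hex(16)
    forged = {"tx": tx, "nonce": n2, "approvals": [
        {"user": u, "tag": intent_tag(u, b"guess", tx, n2)} for u in ("alice", "bob")]}
    results["forged_by_server"] = middle_server_forward(enclave, forged)

    # Users approved tx, then the server changed the amount before forwarding.
    n3 = secrets.token_hex(16)
    approvals = [{"user": u, "tag": intent_tag(u, APPROVER_CREDENTIALS[u], tx, n3)} for u in ("alice", "bob")]
    tampered = {"tx": dict(tx, amount="150"), "nonce": n3, "approvals": approvals}
    results["tampered"] = middle_server_forward(enclave, tampered)

    # Only one valid approval: below quorum.
    n4 = secrets.token_hex(16)
    single = {"tx": tx, "nonce": n4, "approvals": [
        {"user": "carol", "tag": intent_tag("carol", APPROVER_CREDENTIALS["carol"], tx, n4)}]}
    results["single_approval"] = middle_server_forward(enclave, single)
    return results


if __name__ == "__main__":
    for name, (status, _) in demo().items():
        print(f"{name}: {status}")
```

The design point is that the enclave's decision depends only on material the middle server cannot produce (the users' enrolled credentials) and on state the enclave keeps itself (the nonce set), so a server compromise degrades to a denial of service rather than a blind-signing oracle.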