Ctrl Wallet
Lets you manage your cryptocurrency assets across multiple networks and thousands of tokens in a secure, universal wallet. Suitable for crypto enthusiasts and investors who need to track their holdings across various blockchain platforms. Benefits most those looking for a centralized hub to monitor and organize their digital assets.
Overview
Ctrl is the only wallet you need to manage cryptocurrencies and NFTs across 2,500+ blockchains.
Get Started Instantly
Set up your Ctrl Wallet in seconds with email or social logins, with no need to use seed phrases or private keys.
Effortless Wallet Import
Easily import all your existing wallets from multiple blockchains in seconds.
Every Asset and NFT on Every Chain
Manage every crypto asset and NFT across 2,500+ blockchains. Ctrl Wallet ensures everything is at your fingertips.
Simplified Gas Management
Say goodbye to gas fee headaches! Deposit USDC into your Gas Tank, and Ctrl Wallet will automatically handle gas payments across major chains. Focus on what matters: your portfolio.
Security You Can Trust
Ctrl Wallet has been rigorously audited by FYEO and has operated without incident for over four years. Your seed phrases, private keys, passwords, and sensitive data remain 100% private, accessible only to you.
It's time to take Ctrl.
Connect with us:
Twitter: @ctrl_wallet
Discord: https://discord.gg/ctrlwallet
Website: https://ctrl.xyz/
Package Contents: 301 files · 257MB
What This Extension Does
Ctrl Wallet is a browser extension that allows users to manage cryptocurrency assets and NFTs across multiple blockchains.
Permissions
- storage (expected): This lets the extension save your wallet data, settings, and preferences locally in your browser. It's necessary for remembering your accounts and configurations.
- scripting (expected): This permission allows the extension to inject scripts into web pages. It's needed for interacting with blockchain interfaces and dApps on websites.
- activeTab (expected): This lets the extension access and modify the currently active tab's content when you interact with it directly (like clicking a button). It helps integrate with web pages for wallet actions.
- tabs (expected): This lets the extension view and manage your browser tabs, useful for switching between wallets or tracking which sites you're visiting.
- commands (expected): This allows the extension to respond to keyboard shortcuts set by the user, such as opening the wallet panel quickly.
- https://*/* (expected): This gives the extension broad access to all HTTPS websites, allowing it to interact with any secure site, which is needed for connecting to blockchain networks and dApps.
- http://*/* (expected): This gives the extension access to any HTTP website, useful for older or non-secure web apps, but it also increases risk if those sites are untrusted.
Your Data
The extension can access your browsing data and send information to external servers for blockchain interaction and analytics. It may collect details about the websites you visit, especially those related to crypto or finance.
Code Findings
The extension uses a JavaScript function called 'eval' that can run code dynamically. While sometimes necessary, it's risky because malicious actors could inject harmful commands if they gain control over the input.
💡 Commonly found in extensions that dynamically process configuration or API responses where dynamic evaluation is needed for flexibility.
The extension assigns HTML content directly to page elements. If this content comes from an untrusted source, it could lead to cross-site scripting (XSS) vulnerabilities.
💡 Used for rendering UI components dynamically, often seen in extensions that build rich interfaces using templating engines.
The extension contains a very long encoded string; this is often used to hide code or data within the source. It could be hiding malicious behavior.
💡 Used in minified code to reduce file size but not typically for hiding malicious behavior unless combined with other indicators.
The extension listens for keyboard events, which could allow it to capture keystrokes or intercept user input, especially dangerous if used in phishing attempts.
💡 Used for implementing shortcuts or hotkeys within the extension itself; however, in this case it appears to be listening globally.
The extension can read what's on your clipboard. While useful for some functions like pasting wallet addresses, it could also be misused to steal copied data.
💡 Common in extensions that need to paste wallet addresses or tokens into forms automatically.
Trustworthiness
- Developer: Developer name is missing from the Chrome Web Store listing; no clear company or contact information provided.
- Privacy Policy: No privacy policy link visible in the extension metadata or description on CWS.
- Install Base: Installed by 300K+ users with recent updates suggesting ongoing maintenance.
This extension appears consistent with its purpose, but the presence of eval(), global keyboard listeners, and long hex-encoded strings raises concerns about potential misuse or hidden functionality. Users should exercise caution when installing it.
Extension Overview
Ctrl Wallet is a browser extension that allows users to manage cryptocurrency assets and NFTs across multiple blockchains.
Permissions
- storage (expected): Exposes Chrome's storage API allowing read/write access to persistent key-value pairs (sync or local). An attacker with control over this could potentially extract saved credentials, account info, or session tokens if the extension is compromised.
- scripting (expected): Grants access to Chrome's scripting APIs (e.g., executeScript, insertCSS) which can run arbitrary JavaScript in contexts like tabs or content scripts. If misused, could enable manipulation of page behavior or data exfiltration from visited sites.
- activeTab (expected): Provides read/write access to the current tab's DOM, URL, and allows script injection. Could be used by an attacker to capture keystrokes or manipulate page elements if misused during user interaction.
- tabs (expected): Grants access to Chrome's tab management APIs (get, update, query). Allows enumeration of open tabs and potentially monitoring browsing activity. Risk is moderate if combined with other permissions like activeTab or scripting.
- commands (expected): Enables binding of custom commands (e.g., Ctrl+Shift+W) that trigger background actions. No direct data exposure but could be used in phishing or malicious automation if misconfigured.
- https://*/* (expected): Permits network requests to any origin over HTTPS. Allows interception of traffic from any domain including sensitive ones (e.g., banking or email). If compromised, could enable man-in-the-middle attacks or data theft across all sites visited.
- http://*/* (expected): Permits network requests over insecure HTTP. This is a significant concern because it allows potential interception of sensitive data (e.g., passwords) and enables exploitation of insecure protocols like HTTP/1.0. If compromised, could allow attackers to capture credentials or manipulate communications on non-HTTPS sites.
Data Exposure (Technical)
Contacts domains including github.com, www.apollographql.com, rpc-proxy.xdefi.services, eips.ethereum.org, en.wikipedia.org, feross.org, floating-ui.com, developer.mozilla.org, docs.swmansion.com. Data transmitted includes potentially sensitive information such as page content (if injected scripts are active), cookies, and possibly keystrokes or wallet state depending on how the extension interacts with dApps. Some endpoints use HTTP instead of HTTPS which introduces risks for data interception.
Code Findings
Detected usage of eval() in background or content scripts; this is typically used to execute strings as code at runtime. In this case, it may be triggered by remote data (e.g., fetched from rpc-proxy.xdefi.services). If attacker-controlled inputs are passed into eval(), they can result in arbitrary code execution.
💡 Commonly found in extensions that dynamically process configuration or API responses where dynamic evaluation is needed for flexibility.
Assignment of innerHTML in a context where the value may be derived from user input or external data sources. This is particularly concerning if used without sanitization and can allow attackers to inject malicious scripts into web pages when rendered by browsers.
💡 Used for rendering UI components dynamically, often seen in extensions that build rich interfaces using templating engines.
Detected a long hexadecimal string (likely base64 or similar encoding) that may represent obfuscated JavaScript logic. This pattern is frequently associated with anti-analysis techniques and can mask functionality such as keyloggers, credential stealers, or other hidden behaviors.
💡 Used in minified code to reduce file size but not typically for hiding malicious behavior unless combined with other indicators.
Extension registers a global keydown/keyup handler that can monitor all keystrokes across the browser. If misused, this allows capturing passwords, private keys, or other sensitive inputs entered on any page, particularly during login flows.
💡 Used for implementing shortcuts or hotkeys within the extension itself; however, in this case it appears to be listening globally.
Uses the Clipboard API (readText) which allows reading of clipboard contents from any tab or page context. If combined with other permissions like activeTab or scripting, this can enable unauthorized access to sensitive information such as private keys or passwords that users have copied.
💡 Common in extensions that need to paste wallet addresses or tokens into forms automatically.
Code Analysis
- Obfuscation: Heavy obfuscation detected through long hex-encoded strings and likely identifier mangling. Techniques such as control flow flattening, string encoding, and variable renaming are present, making static analysis difficult.
- Content Security Policy: Content Security Policy is defined but allows 'wasm-unsafe-eval' which can be dangerous in a browser extension context due to potential WASM exploitation vectors. Script-src includes 'self', but lacks strict restrictions on external origins or inline scripts that could allow XSS if not properly enforced.
- Architecture: Built as a Manifest V3 extension with background service worker and content script injection into all URLs. This architecture enables broad access across web pages, increasing attack surface. No manifest anomalies detected.
Transparency
- Developer: Developer name is missing from the Chrome Web Store listing; no clear company or contact information provided.
- Privacy Policy: No privacy policy link visible in the extension metadata or description on CWS.
- Code Visibility: Source code appears heavily minified and obfuscated, making independent auditing difficult without reverse engineering efforts.
- Install Base: Installed by 300K+ users with recent updates suggesting ongoing maintenance.
The extension presents a high-risk attack surface due to use of eval() and global key event listeners which can lead to arbitrary code execution and keystroke capture. The obfuscation makes manual inspection challenging, though the presence of insecure HTTP access is particularly concerning for data interception risks. Researchers should prioritize verifying whether these features are truly necessary or if they represent hidden malicious behavior.