According to Foresight News, SlowMist has warned users to be alert to a phishing risk in the WalletConnect integration of Web3 wallets. On January 30, 2023, the SlowMist security team found that improper handling of WalletConnect in a Web3 wallet can expose users to phishing. The problem arises when the DApp Browser built into a mobile wallet app is used together with WalletConnect. Some Web3 wallets that support WalletConnect do not restrict which interface the WalletConnect transaction pop-up window may appear on, so a signature request can pop up on any interface of the wallet.

When the user leaves the DApp Browser interface and switches to other wallet interfaces, such as the Wallet and Discover tabs in the example, the wallet keeps the WalletConnect session connected so as not to disrupt the user experience or require repeated authorization. However, a malicious DApp can then trigger a signature request pop-up unexpectedly on that unrelated interface, and a user who approves it by mistake is phished and has assets transferred away.

The core of this security issue is whether the wallet should keep automatically popping up requests originating from the DApp Browser interface, especially requests for sensitive operations, after the user has switched from the DApp Browser to another interface, because blindly surfacing pop-ups across interfaces makes user misoperation easy. This reflects a security principle: once WalletConnect is connected, the wallet should stop processing pop-up requests from the DApp Browser as soon as it detects that the user has switched from the DApp Browser interface to another interface.
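The principle above, as an added wallet-side example (not SlowMist's or any wallet vendor's code): incoming WalletConnect requests are routed through a gate that tracks the foreground interface and refuses signature pop-ups whenever the DApp Browser is not in front, while leaving the session connected. The screen names, the sensitive-method list, the error code and the scenario data are constructed for illustration.

```javascript
// Added example, not SlowMist's or any wallet vendor's code. Screen names,
// the method list and the error code are constructed for illustration.
const DAPP_BROWSER = "dapp-browser";
// Methods whose approval pop-up can sign away assets or permissions.
const SENSITIVE_METHODS = new Set(["eth_sendTransaction", "eth_signTransaction",
  "eth_sign", "personal_sign", "eth_signTypedData", "eth_signTypedData_v4"]);
class WalletConnectGate {
  constructor() {
    this.currentScreen = DAPP_BROWSER;
    this.sessions = new Map(); // topic -> peer metadata; stays connected across screens
    this.audit = [];           // refused requests, for logging/alerting
  }
  // Called by the wallet UI on every foreground screen change; no disconnect.
  onScreenChanged(screen) { this.currentScreen = screen; }
  connect(topic, peer) { this.sessions.set(topic, peer); }

  // Policy decision for one incoming request. Returns a plain object with
  // action "prompt" | "respond" | "reject" instead of drawing UI.
  handleSessionRequest(req) {
    const peer = this.sessions.get(req.topic);
    if (!peer) return this.reject(req, "unknown or disconnected session");
    // Read-only calls never open a pop-up and can be answered silently.
    if (!SENSITIVE_METHODS.has(req.method)) return { action: "respond", id: req.id };
    // Core rule from the advisory: no signature pop-up unless the DApp Browser is
    // the foreground screen. Refuse rather than queue, so it cannot surface later.
    if (this.currentScreen !== DAPP_BROWSER) {
      return this.reject(req, `signature request while on "${this.currentScreen}"`);
    }
    return { action: "prompt", id: req.id, method: req.method, peer };
  }
  reject(req, reason) {
    this.audit.push({ id: req.id, topic: req.topic, method: req.method, reason });
    return { action: "reject", id: req.id, error: { code: 5000, message: reason } };
  }
}

// Scenario from the advisory: a DApp connected in the DApp Browser sends a
// signing request after the user has switched to the Wallet screen.
function runScenario() {
  const gate = new WalletConnectGate();
  gate.connect("topic-1", { name: "example-dapp" });
  const sign = (id) => ({ id, topic: "topic-1", method: "eth_sendTransaction" });
  const onBrowser = gate.handleSessionRequest(sign(1)).action;
  gate.onScreenChanged("wallet");
  const onWallet = gate.handleSessionRequest(sign(2)).action;
  const readOnly = gate.handleSessionRequest({ id: 3, topic: "topic-1", method: "eth_chainId" }).action;
  gate.onScreenChanged(DAPP_BROWSER);
  const backOnBrowser = gate.handleSessionRequest(sign(4)).action;
  return { onBrowser, onWallet, readOnly, backOnBrowser, refused: gate.audit.length };
}
```

The `audit` list gives the wallet a record of refused cross-interface requests that can be surfaced to the user or reported, which is also a useful signal for spotting DApps that repeatedly attempt this.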