Zero Day, Zero Click, Zero Balance

Octra webcli wallet interface

A wallet's whole job is to protect your money. So what happens when opening it, or just visiting the wrong website, is enough to drain it?

This is how I found and responsibly disclosed two critical account takeover vulnerabilities in Octra's webcli, the browser-based wallet shown below.

Octra webcli wallet interface

Critical Vulnerabilities

  • Zero-click stored XSS where an on-chain token symbol could execute JavaScript inside the wallet process and sign transfers. The victim only had to open their wallet.

  • One-click CSRF that could make the wallet sign transfers from a single visit to a malicious website.

Disclosure

The issues were reported to Octra and patched shortly after disclosure. Huge thanks to @octralex and @lambda0xE at Octra for the fast response, coordination, and cooperation throughout the disclosure process.

One-click CSRF wallet drain was disclosed on June 1 at 05:10 PM.

Cross-origin page hijacks the wallet RPC and drains it via /api/send

Zero-click XSS wallet drain was reported on June 8, with a working PoC demonstrated on June 9 at 12:06 AM.

On-chain token symbol drains the wallet via /api/send
Octra webcli wallet interface

Patch timeline

Both vulnerabilities were patched in octra-labs/webcli shortly after disclosure.

The CSRF vulnerability was patched in commit a667311, titled mini-security improvements, on June 8, 2026.

Octra webcli wallet interface

The XSS vulnerability was patched in commit c743b0b, titled mini security updates, on June 9, 2026.

Octra webcli wallet interface

In total

Octra webcli wallet interface

Zero-click XSS through token symbols

Token names and symbols are attacker-controlled (obviously). When the wallet fetched and rendered this data, it executed attacker-controlled JavaScript.

That meant an attacker could deploy a token with a malicious symbol, send it to a victim, and have the payload execute when the wallet displayed it. The victim only had to open their wallet for this exploit to run.

One-click CSRF against the local wallet API

If a user had their Octra wallet running and unlocked and visited a malicious site, that site could send requests from the browser to the wallet's localhost API. CORS may prevent the page from reading the response, but it does not necessarily prevent the request from being sent.

For a wallet, sending the request is enough.

In my PoC, when a malicious page was visited, it chained a MITM attack that ultimately triggered a /api/send, causing the wallet to sign and broadcast a transaction.
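The fix for this class of bug has to live in the wallet API itself, since CORS only governs whether the page can read the reply. The following is an added example of such a gate, not Octra's code; the wallet UI origin, the request shape and the X-Wallet-Request header name are assumptions.

```javascript
// Added example (not Octra's code): an origin gate for a localhost wallet API.
// CORS stops a foreign page reading /api/send's response, not sending the
// request, so the server itself must refuse cross-site callers.
// Assumed request shape: { method, path, headers } as a plain object.

// Assumed: the origin the wallet UI is served from.
const ALLOWED_ORIGINS = new Set(["http://localhost:8080", "http://127.0.0.1:8080"]);
// Endpoints that sign or broadcast; /api/send is the one named in the write-up.
const SIGNING_PATHS = new Set(["/api/send"]);

function header(req, name) {
  // Header names are case-insensitive; look up ignoring case.
  const key = Object.keys(req.headers || {}).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : req.headers[key];
}

function gateWalletRequest(req) {
  const path = req.path.split("?")[0];
  if (!SIGNING_PATHS.has(path)) return { allow: true, reason: "non-signing endpoint" };

  // 1. Browsers attach Origin to every cross-origin POST, including a plain
  //    form post or no-cors fetch that skips the preflight. Fail closed.
  const origin = header(req, "origin");
  if (!origin) return { allow: false, reason: "missing Origin header" };
  if (!ALLOWED_ORIGINS.has(origin)) return { allow: false, reason: `untrusted origin ${origin}` };

  // 2. Sec-Fetch-Site is set by the browser and cannot be forged by page script.
  const site = header(req, "sec-fetch-site");
  if (site !== undefined && site !== "same-origin") return { allow: false, reason: `sec-fetch-site=${site}` };

  // 3. A custom header needs a preflight, which corsPreflight() only grants
  //    to the allowlisted origin.
  if (header(req, "x-wallet-request") !== "1") return { allow: false, reason: "missing X-Wallet-Request" };

  // 4. JSON only: form-encoded and text/plain bodies are what preflight-free
  //    cross-site posts carry.
  const ctype = (header(req, "content-type") || "").toLowerCase();
  if (!ctype.startsWith("application/json")) return { allow: false, reason: `content-type ${ctype}` };

  return { allow: true, reason: "same-origin signing request" };
}

// OPTIONS handler: grant the custom header to the wallet's own origin only,
// so the browser refuses the preflight for everyone else.
function corsPreflight(req) {
  const origin = header(req, "origin");
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };
  return { status: 204, headers: { "Access-Control-Allow-Origin": origin, "Vary": "Origin",
    "Access-Control-Allow-Methods": "POST", "Access-Control-Allow-Headers": "Content-Type, X-Wallet-Request" } };
}
```

Current browsers send Origin on every POST, same-origin included, so the wallet UI's own calls pass step 1; a non-browser client has to add the header explicitly.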

Acknowledgments

Huge thanks to @lambda0xE and @octralex at Octra for the fast response and cooperation throughout the disclosure process.

Both issues were taken seriously from the first message, triaged quickly, and patched shortly after disclosure.

That kind of response matters a lot when security is on the line.

octra <3