Cryptocurrency Wallet Security Report

According to a report published in July by cybersecurity certification platform CER, only six of 45 cryptocurrency wallet brands, or 13.3%, have undertaken penetration testing to identify security flaws.

Of those six, only fifty percent have tested the most recent versions of their products.

MetaMask, ZenGo, and Trust Wallet are the brands that have conducted recent penetration tests, according to the report.

Rabby and Bifrost performed penetration testing on prior versions of their software, while Ledger Live performed testing on an unidentified version (“N/A” in the report).

All other brands did not provide evidence that these tests were conducted.

MetaMask, ZenGo, Rabby, Trust Wallet, and Coinbase Wallet were ranked as the most secure wallets overall, according to the report.

“Penetration testing” is a technique to identify security flaws in computer systems or software.

A security researcher attempts to infiltrate a device or piece of software and use it for unintended purposes.

A penetration tester often receives minimal information regarding the product’s operation.

Before a product is released, this procedure is used to simulate real-world attempts at hacking and identify vulnerabilities.

CER discovered that 39 of 45 wallet manufacturers did not conduct penetration testing, not even on older software versions.

CER hypothesized that the reason may be that these tests are costly, particularly if the company frequently upgrades its products, stating, “We attribute it to the number of updates an average app receives, where each new update can disqualify a previously conducted pentest.”

CER discovered that the most popular wallet brands were more likely to conduct security audits, including penetration tests, because they frequently had the financial resources to do so:

“Essentially, popular wallets tend to adopt more robust security measures to protect their increasing user base. This seems logical — a higher user base often corresponds to more significant funds to secure, more visibility, and consequently, more potential threats. It can also result in a positive feedback loop, with more secure wallets attracting new users in higher numbers than the less secure ones.”

CER’s ranking of wallets was based on a methodology that included bug bounties, previous incidents, and security features such as restore methods and password requirements.

CER reported that even though the majority of wallet brands do not conduct penetration testing, many of them rely on bug bounties to find vulnerabilities, which is often an effective method for preventing hacks.

47 out of 159 individual wallets were deemed “secure” by the company, indicating a security score above 60. These 159 wallets included some from the same manufacturer.

For example, MetaMask for Android was considered a distinct wallet from MetaMask for the Edge browser.

Wallet security has become an urgent issue in 2023 following the June 3 breach of Atomic Wallet, which resulted in a loss of over $100 million.

The team at Atomic hypothesizes that the breach may have been caused by a virus or the injection of malicious software into the company’s infrastructure. Still, the precise vulnerability that enabled the attack remains unknown.

The online wallet MyAlgo also experienced a security compromise in late February, resulting in over $9 million in estimated user losses.
