1. Home
  2. Penetration testing

Penetration testing

Only 6 out of 45 crypto wallet brands have undergone penetration testing: Report

Cybersecurity certification platform CER said the vast majority of wallets do not hire outside experts to perform penetration tests.

A July report from cybersecurity certification platform CER found that only six of 45, or 13.3%, of cryptocurrency wallet brands have undergone penetration testing to find security vulnerabilities. Of these, only half have performed tests on the latest versions of their products. 

The three brands that have done up-to-date penetration tests are MetaMask, ZenGo, and Trust Wallet, according to the report. Rabby and Bifrost performed penetration testing on older versions of their software and LedgerLive did them on an unknown version (listed as “N/A” in the report). All other brands listed did not provide any evidence of having done these tests.

The report also provided an overall ranking of the security of each wallet, listing MetaMask, ZenGo, Rabby, Trust Wallet, and Coinbase wallet as being the most secure wallets overall.

CER rankings for wallet security. Source: CER.

“Penetration testing” is a method of finding security vulnerabilities in computer systems or software. A security researcher attempts to hack into the device or software and use it for purposes it wasn’t intended. In most cases, a penetration tester is given little to no information about how the product works. This process is used to simulate real-world attempts at hacking to uncover vulnerabilities before the product is released.

CER found that 39 out of 45 wallet brands didn't perform any penetration testing at all, not even on older versions of the software. CER speculated that the reason may be that these tests are expensive, especially if the company makes frequent upgrades to their products, stating, “We attribute it to the amount of updates an average app has, where each new update can disqualify the pentest made earlier.”

They found that the most popular wallet brands were more likely to perform security audits, including penetration tests, as they often had the funds to do so:

“Essentially, popular wallets tend to adopt more robust security measures to protect their increasing user base. This seems logical – a higher user base often corresponds to more significant funds to secure, more visibility, and consequently, more potential threats. It can also result in a positive feedback loop, with more secure wallets attracting new users in higher numbers than the less secure ones.”

CER’s ranking of wallets was based on a methodology that included factors like bug bounties, past incidents, and security features, such as restore methods and password requirements.

Although most wallet brands don’t perform penetration testing, CER stated that many of them do rely on bug bounties to find vulnerabilities, which is often an effective means of preventing hacks. They rated 47 out of 159 individual wallets as “secure” overall, meaning that they had a security score of above 60. These 159 wallets included some that were from the same brands. For example, MetaMask for Edge browser was considered a separate wallet from MetamlMask for Android.

Related: Bug bounties can help secure blockchain networks, but have mixed results

Wallet security has become an urgent issue in 2023 as over $100 million was lost in the Atomic Wallet hack on June 3. The Atomic team has speculated that the breach may have been caused by a virus or injection of malware in the company’s infrastructure, but the exact vulnerability that allowed the attack is still unknown. Web wallet MyAlgo also suffered a security breach in late February, resulting in an estimated loss to users of over $9 million.

Capital Inflows Drive Solana’s Comeback Rally, Glassnode Report Reveals

What is ethical hacking, and how does it work?

Ethical hacking is the practice of identifying and testing vulnerabilities in a system to improve its security and prevent unauthorized access.

Ethical hacking, also known as “white hat” hacking, is the process of identifying and exploiting vulnerabilities in a computer system or network in order to assess its security and provide recommendations for improving it. Ethical hacking is done with the permission and knowledge of the organization or individual that owns the system being tested.

Ethical hacking aims to find flaws in a system before malevolent hackers may take advantage of them. The same tools and methods used by malevolent hackers are also used by ethical hackers, but their objective is to enhance security rather than cause harm.

Here’s how ethical hacking typically works.

Planning and reconnaissance

The target system or network is investigated by the ethical hacker in order to acquire data that could be utilized to find weaknesses. This could consist of information such as IP addresses, domain names, network topology and other pertinent facts.

Scanning

In order to find open ports, services and other details about the target system that could be utilized to launch an attack, the ethical hacker uses scanning tools.

Enumeration

To acquire unauthorized access, the ethical hacker searches the target system for more specific information, such as user accounts, network shares and other specifics.

Vulnerability analysis

To find weaknesses in the target system, such as out-of-date software, incorrectly configured settings or weak passwords, the ethical hacker uses both automated tools and human procedures.

Exploitation

The ethical hacker looks to take advantage of vulnerabilities once found in order to obtain unauthorized access to the target system or network.

Reporting

Ultimately, the ethical hacker records the flaws that were found and offers suggestions for enhancing security. The company or individual will then use this report to resolve the system’s or network’s security flaws and enhance overall security.

For businesses and individuals that want to guarantee the security of their computer networks and systems, ethical hacking can be a useful tool. Ethical hackers can aid in the prevention of data breaches and other security problems by finding vulnerabilities before they can be exploited by criminal hackers.

Can blockchains be hacked?

While the technology behind blockchains is designed to be secure, there are still several ways that attackers can exploit vulnerabilities in the system and compromise the integrity of the blockchain. Here are some ways in which blockchains can be hacked:

  • 51% attack: A 51% attack is one in which the attacker has complete control over the blockchain network’s computer resources. As a result, the attacker may be able to reverse transactions and modify the blockchain, thus spending money twice.
  • Smart contract exploits: If a smart contract has a vulnerability, an attacker can exploit that vulnerability to steal cryptocurrency or manipulate the blockchain.
  • Malware: On the blockchain network, malware can be deployed to jeopardize the security of specific users. The private keys required to access a user’s cryptocurrency wallet, for instance, could be taken by an attacker using malware.
  • Distributed denial of service (DDoS) attack: DDoS is a type of cyberattack where multiple compromised systems are used to flood a targeted website or network with traffic, making it inaccessible to users. A DDoS attack can be used to flood the blockchain network with traffic, effectively bringing it to a complete halt.

Related: What is cryptojacking? A beginner’s guide to crypto mining malware

Therefore, it is important to remain vigilant and take steps to ensure the security of your blockchain-based applications and platforms.

The role of ethical hacking in blockchain security

Blockchain-based ethical hacking is a new field that concentrates on finding weaknesses and potential attacks in blockchain-based systems. Due to its security and decentralization, blockchain technology has grown in popularity, but it is not impervious to security risks. The security of blockchain systems can be tested by ethical hackers using a variety of techniques to find any potential weaknesses.

Here are some ways ethical hacking can be used in blockchain:

  • Smart contract auditing: Smart contracts are automatically executing contracts in which the conditions of the deal between the buyer and the seller are written directly into lines of code. Smart contracts can be audited by ethical hackers to find any defects or weaknesses that might be exploited.
  • Network penetration testing: To find potential holes in the blockchain network, ethical hackers might carry out network penetration testing. They can make use of tools such as Nessus and OpenVAS to find nodes that have known vulnerabilities, scan the network for typical assaults, and spot any possible weak points.
  • Consensus mechanism analysis: The consensus mechanism is a fundamental aspect of blockchain technology. The consensus mechanism can be examined by ethical hackers to find any weaknesses in the algorithm that might be exploited.
  • Privacy and security testing: Blockchain systems are intended to be private and safe, but they are not totally impervious to attacks. The privacy and security of the blockchain system can be tested by ethical hackers to find any potential weak points.
  • Cryptography analysis: Blockchain technology is strongly dependent on cryptography. The blockchain system’s cryptographic protocols can be examined by ethical hackers to find any flaws in the implementation of algorithms.

Related: What is a smart contract security audit? A beginner’s guide

Overall, ethical hacking can be a valuable tool in identifying and addressing security threats in blockchain systems. By identifying vulnerabilities and providing recommendations for improving security, ethical hackers can help ensure the security and integrity of blockchain-based applications and platforms.

Capital Inflows Drive Solana’s Comeback Rally, Glassnode Report Reveals