
Wallet Security

Dydx Introduces Major Chain Upgrade With New Features

Decentralized exchange Dydx has announced a significant upgrade to its chain, introducing new features designed to enhance market liquidity and security. The update, set for release this autumn, marks the largest change to the Dydx Chain since its launch. Dydx Introduces Permissionless Market Listings and Megavault in Upcoming Chain Overhaul According to the announcement, the […]

Chainlink Data Streams and VRF go live on Base

Only 6 out of 45 crypto wallet brands have undergone penetration testing: Report

Cybersecurity certification platform CER said the vast majority of wallets do not hire outside experts to perform penetration tests.

A July report from cybersecurity certification platform CER found that only six of 45 cryptocurrency wallet brands, or 13.3%, have undergone penetration testing to find security vulnerabilities. Of those six, only half had the tests performed on the latest versions of their products.

The three brands that have done up-to-date penetration tests are MetaMask, ZenGo and Trust Wallet, according to the report. Rabby and Bifrost performed penetration testing on older versions of their software, and Ledger Live did so on an unknown version (listed as “N/A” in the report). None of the other brands listed provided any evidence of having done these tests.

The report also provided an overall ranking of the security of each wallet, listing MetaMask, ZenGo, Rabby, Trust Wallet, and Coinbase wallet as being the most secure wallets overall.

CER rankings for wallet security. Source: CER.

“Penetration testing” is a method of finding security vulnerabilities in computer systems or software: a security researcher attempts to break into the device or application and use it for purposes it wasn’t intended. Depending on the engagement, the tester may be given little or no information about how the product works (a black-box test) or full access to its design and source code (a white-box test). The process simulates real-world attack attempts so that vulnerabilities can be found and fixed before attackers find them, ideally before release and again after each significant update.

CER found that 39 out of 45 wallet brands didn't perform any penetration testing at all, not even on older versions of the software. CER speculated that the reason may be that these tests are expensive, especially if the company makes frequent upgrades to their products, stating, “We attribute it to the amount of updates an average app has, where each new update can disqualify the pentest made earlier.”

CER also found that the most popular wallet brands were more likely to perform security audits, including penetration tests, as they often had the funds to do so:

“Essentially, popular wallets tend to adopt more robust security measures to protect their increasing user base. This seems logical – a higher user base often corresponds to more significant funds to secure, more visibility, and consequently, more potential threats. It can also result in a positive feedback loop, with more secure wallets attracting new users in higher numbers than the less secure ones.”

CER’s ranking of wallets was based on a methodology that included factors like bug bounties, past incidents, and security features, such as restore methods and password requirements.

Although most wallet brands don’t perform penetration testing, CER stated that many of them do rely on bug bounties to find vulnerabilities, which is often an effective means of preventing hacks. It rated 47 out of 159 individual wallets as “secure” overall, meaning that they had a security score above 60. These 159 wallets included several from the same brand; for example, MetaMask for the Edge browser was counted as a separate wallet from MetaMask for Android.

Related: Bug bounties can help secure blockchain networks, but have mixed results

Wallet security has become an urgent issue in 2023 as over $100 million was lost in the Atomic Wallet hack on June 3. The Atomic team has speculated that the breach may have been caused by a virus or injection of malware in the company’s infrastructure, but the exact vulnerability that allowed the attack is still unknown. Web wallet MyAlgo also suffered a security breach in late February, resulting in an estimated loss to users of over $9 million.

Vitalik Buterin: Ethereum ‘fails’ without these 3 important ‘transitions’

Layer-2 scaling, wallet security and privacy-preserving features are all necessary to secure Ethereum’s future, according to the Ethereum co-founder.

Ethereum co-founder Vitalik Buterin believes the success of Ethereum will come down to three major technical “transitions” that need to happen almost simultaneously — layer-2 scaling, wallet security and privacy-preserving features.

In a June 9 post via his personal blog, Buterin explained that the Ethereum blockchain outright “fails” without sufficient scaling infrastructure to make transactions cheap.

“Ethereum fails because each transaction costs $3.75 ($82.48 if we have another bull run), and every product aiming for the mass market inevitably forgets about the chain and adopts centralized workarounds for everything,” he said.

Another point of failure, according to Buterin, is around wallet security as it relates to smart contract wallets. 

He explained that a move to smart contract wallets has added more complexity for users wishing to obtain the same address across Ethereum and various layer-2s.

Buterin said this issue holds for both Ethereum Virtual Machine (EVM)-equivalent and non-equivalent layer-2s:

“Even when you can have hash equivalence, the possibility of wallets changing ownership through key changes creates other unintuitive consequences.”
Ethereum needs to improve its layer-2 scalability, wallet security and privacy features, according to Buterin. Source: Vitalik Buterin’s website

In addition to wallets securing crypto assets, Buterin explained that wallets would need to secure data in order to truly transition into an on-chain world with zero-knowledge rollups:

“In a ZK world, however, this is no longer true: the wallet is not just protecting authentication credentials, it's also holding your data.”

The last of Buterin’s three transitions — privacy — will need to come in the form of improved identity, reputation and social recovery systems.

“Without the third, Ethereum fails because having all transactions (and POAPs, etc) available publicly for literally anyone to see is far too high a privacy sacrifice for many users, and everyone moves onto centralized solutions that at least somewhat hide your data,” he said.

The Ethereum co-founder suggested that stealth addresses could be implemented to resolve this issue.

Related: Vitalik Buterin reveals 3 ‘huge’ opportunities for crypto in 2023

Buterin said that achieving all three will be “challenging” because of the “intense coordination” involved between them.

He admitted that each of the three transitions “weaken” the “one user — one address” model, which, in turn, may complicate the way transactions are executed.

“If you want to pay someone, how will you get the information on how to pay them?”

“If users have many assets stored in different places across different chains, how do they do key changes and social recovery?" he added.

Buterin concluded by stressing the need to build infrastructure that ultimately improves user experience:

“Despite the challenges, achieving scalability, wallet security, and privacy for regular users is crucial for Ethereum's future. It is not just about technical feasibility but about actual accessibility for regular users. We need to rise to meet this challenge.”

Magazine: ZK-rollups are ‘the endgame’ for scaling blockchains, Polygon Miden founder
