
ZenGo

Only 6 out of 45 crypto wallet brands have undergone penetration testing: Report

Cybersecurity certification platform CER said the vast majority of wallets do not hire outside experts to perform penetration tests.

A July report from cybersecurity certification platform CER found that only six of 45, or 13.3%, of cryptocurrency wallet brands have undergone penetration testing to find security vulnerabilities. Of these, only half have performed tests on the latest versions of their products. 

The three brands with up-to-date penetration tests are MetaMask, ZenGo, and Trust Wallet, according to the report. Rabby and Bifrost had penetration tests performed on older versions of their software, and Ledger Live on an unspecified version (listed as “N/A” in the report). None of the other brands listed provided evidence of having done such tests.

The report also provided an overall ranking of the security of each wallet, listing MetaMask, ZenGo, Rabby, Trust Wallet, and Coinbase wallet as being the most secure wallets overall.

CER rankings for wallet security. Source: CER.

“Penetration testing” is a method of finding security vulnerabilities in computer systems or software. A security researcher attempts to break into the device or software and use it for purposes it was not intended for. Depending on the engagement, the tester may be given little to no information about how the product works (a black-box test) or full access to source code and documentation (a white-box test). The process simulates real-world attack attempts in order to uncover vulnerabilities before an attacker does, ideally before a release and again after significant changes, since a test only speaks for the version it was run against.

CER found that 39 out of 45 wallet brands didn't perform any penetration testing at all, not even on older versions of the software. CER speculated that the reason may be that these tests are expensive, especially if the company makes frequent upgrades to their products, stating, “We attribute it to the amount of updates an average app has, where each new update can disqualify the pentest made earlier.”

They found that the most popular wallet brands were more likely to perform security audits, including penetration tests, as they often had the funds to do so:

“Essentially, popular wallets tend to adopt more robust security measures to protect their increasing user base. This seems logical – a higher user base often corresponds to more significant funds to secure, more visibility, and consequently, more potential threats. It can also result in a positive feedback loop, with more secure wallets attracting new users in higher numbers than the less secure ones.”

CER’s ranking of wallets was based on a methodology that included factors like bug bounties, past incidents, and security features, such as restore methods and password requirements.

Although most wallet brands don’t perform penetration testing, CER stated that many of them do rely on bug bounties to find vulnerabilities, which is often an effective means of preventing hacks. CER rated 47 out of 159 individual wallets as “secure” overall, meaning they had a security score above 60. These 159 wallets included several from the same brand, since each platform build was scored separately: for example, MetaMask for the Edge browser was counted as a separate wallet from MetaMask for Android.


Wallet security has become an urgent issue in 2023 as over $100 million was lost in the Atomic Wallet hack on June 3. The Atomic team has speculated that the breach may have been caused by a virus or injection of malware in the company’s infrastructure, but the exact vulnerability that allowed the attack is still unknown. Web wallet MyAlgo also suffered a security breach in late February, resulting in an estimated loss to users of over $9 million.


ZenGo uncovers ‘red pill attack’ vulnerability in popular Web3 apps

The vulnerability has since been patched, although it affected several leading transaction simulation vendors.

In a blog post, developers of the crypto wallet ZenGo said they had uncovered security vulnerabilities in the transaction simulation solutions that popular wallets and decentralized applications (dApps) use to preview what a transaction will do before the user signs it. Dubbed the “red pill attack,” the technique let a malicious dApp show a harmless-looking simulation result, obtain the user’s approval on that basis, and then behave differently once the transaction actually executed on-chain, stealing the user’s assets. The vulnerability takes its name from the iconic “red pill” scene in The Matrix film series.

"If malware is able to detect it's actually being executed in a simulated environment or living in the matrix, it can behave in a benign manner, thus deceiving the anti-malware solution, and reveal its true malicious nature only when actually executed in a real environment."

ZenGo claimed its research revealed that many leading vendors, including Coinbase Wallet, were at one point in time vulnerable to such attacks. "All vendors were very receptive to our reports," said ZenGo, "and most of them were quick to fix their faulty implementations."

The vulnerability stems from how simulators handle the EVM’s “special variables”: values a smart contract can read about the block it is executing in, such as the current block’s timestamp or the address of the block’s miner. During a simulation there is no real block, so there is no correct value for these variables, and ZenGo says some simulation developers “take a shortcut” and set them to an arbitrary value. A contract can compare the variable against that arbitrary value to tell whether it is running in a simulation or on the live chain.

"For example, the "COINBASE" instruction contains the address of the current block miner. Since during simulation there is no real block and hence no miner, some simulation implementations just set it to the null address (all zeros address)."

In a video, ZenGo developers demonstrated the attack with a contract on Polygon (MATIC) that asks users to send native coins in exchange for another token. In simulation, where the miner address is all zeros, the contract delivers the token and the wallet shows a fair swap; on-chain, it does not:

"When the user actually sends the transaction on-chain, COINBASE [the block’s miner address, not Coinbase Wallet] is actually filled with the non-zero address of the current miner and the contract just takes the sent coins."

ZenGo said the fix for the vulnerability was straightforward: "instead of populating these vulnerable variables with arbitrary values, the simulations need to populate them with meaningful values." The firm presented redacted screenshots of bug bounties, apparently awarded by Coinbase, for reporting the issue. The Ethereum Foundation has also awarded ZenGo a $50,000 grant for its research on transaction simulations.
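The following is an added illustration, not code from ZenGo’s write-up or from any simulation vendor. It is a toy model in Python, not the EVM: a “swap” contract that branches on the block’s coinbase value, a naive simulator that fills it with the null address (the shortcut the article describes), a simulator that reuses the latest block’s coinbase (the fix), and a differential check that flags contracts whose outcome depends on such variables. The differential check is a suggestion of mine, not something the article or ZenGo describes; all addresses, balances and block numbers are constructed.

```python
"""Toy model of the 'red pill' simulation-evasion problem (added example).

Not the EVM and not any vendor's simulator: a contract function that reads
the block's coinbase, two simulator configurations, and a differential
check. Addresses and balances are constructed for the example.
"""
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, Tuple

NULL_ADDRESS = "0x" + "00" * 20
REAL_COINBASE = "0x" + "ab" * 20   # constructed stand-in for a validator address
USER = "0x" + "01" * 20            # constructed user account
CONTRACT = "0x" + "02" * 20        # constructed contract account


@dataclass
class BlockEnv:
    """The 'special variables' a contract can read about the current block."""
    coinbase: str
    number: int
    timestamp: int


@dataclass
class State:
    """Native-coin balances and the contract's token balances per account."""
    native: Dict[str, int] = field(default_factory=dict)
    tokens: Dict[str, int] = field(default_factory=dict)

    def copy(self) -> "State":
        return State(dict(self.native), dict(self.tokens))


Contract = Callable[[State, BlockEnv, str, int], None]


def _take_payment(state: State, sender: str, value: int) -> None:
    if state.native.get(sender, 0) < value:
        raise ValueError("insufficient balance")
    state.native[sender] -= value
    state.native[CONTRACT] = state.native.get(CONTRACT, 0) + value


def honest_swap(state: State, env: BlockEnv, sender: str, value: int) -> None:
    """Honest contract: always credits tokens for the coins it receives."""
    _take_payment(state, sender, value)
    state.tokens[sender] = state.tokens.get(sender, 0) + value


def red_pill_swap(state: State, env: BlockEnv, sender: str, value: int) -> None:
    """Malicious contract: honest only when COINBASE looks like a simulation.

    A simulator that fills coinbase with zeros sees the honest path, so the
    wallet preview looks fine; on a real chain coinbase is non-zero and the
    contract keeps the coins without paying out.
    """
    _take_payment(state, sender, value)
    if env.coinbase == NULL_ADDRESS:                       # "am I in the Matrix?"
        state.tokens[sender] = state.tokens.get(sender, 0) + value
    # else: live chain, silently keep the payment


def simulate(contract: Contract, state: State, env: BlockEnv,
             sender: str, value: int) -> Tuple[int, int]:
    """Run the contract on a copy of state; return the sender's
    (native delta, token delta), i.e. what a wallet would preview."""
    s = state.copy()
    contract(s, env, sender, value)
    return (s.native[sender] - state.native.get(sender, 0),
            s.tokens.get(sender, 0) - state.tokens.get(sender, 0))


def naive_env(latest: BlockEnv) -> BlockEnv:
    """The shortcut: no real block, so coinbase is set to all zeros."""
    return BlockEnv(NULL_ADDRESS, latest.number + 1, latest.timestamp + 12)


def realistic_env(latest: BlockEnv) -> BlockEnv:
    """The fix: carry over a meaningful value from the latest real block."""
    return BlockEnv(latest.coinbase, latest.number + 1, latest.timestamp + 12)


def environment_sensitive(contract: Contract, state: State, latest: BlockEnv,
                          sender: str, value: int) -> bool:
    """Differential check (my suggestion): simulate under several coinbase
    values; a contract whose outcome changes is reading the environment,
    so its preview should not be trusted."""
    envs = [naive_env(latest), realistic_env(latest),
            replace(realistic_env(latest), coinbase="0x" + "cd" * 20)]
    outcomes = {simulate(contract, state, env, sender, value) for env in envs}
    return len(outcomes) > 1


if __name__ == "__main__":
    state = State(native={USER: 100})
    latest = BlockEnv(REAL_COINBASE, 1000, 1_700_000_000)
    print("naive preview:    ", simulate(red_pill_swap, state, naive_env(latest), USER, 10))
    print("realistic preview:", simulate(red_pill_swap, state, realistic_env(latest), USER, 10))
    print("env-sensitive?    ", environment_sensitive(red_pill_swap, state, latest, USER, 10))
```

Under the naive environment the malicious contract previews as a fair swap (the user loses 10 coins and gains 10 tokens), under the realistic environment the same call shows the coins leaving with nothing in return, and the differential check flags the contract while leaving the honest one unflagged. Populating special variables from the latest real block is what ZenGo recommends; the differential run is a cheap extra guard against a contract that keys on whatever value a particular simulator happens to use.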
