Researchers report that only 13.3% of the crypto wallet brands surveyed commission penetration tests, and only half of those tested the latest versions of their apps.
CER, a company focused on cybersecurity certification, studied the cryptocurrency wallet market. According to its report, only 6 of the 45 brands reviewed engaged third-party specialists to run penetration tests against their products in search of vulnerabilities, and of those six only half had tested the current release.
For example, MetaMask, ZenGo, and Trust Wallet all passed security audits of their current versions. Rabby, Bifrost, and Ledger Live had penetration tests performed only on older versions of their software. The remaining 39 of the 45 brands had not commissioned penetration tests at all, even for older versions of their products.
CER analysts attribute this to cost: penetration tests are expensive, while wallet software is updated frequently, and each new release can invalidate the results of an earlier test. The analysts note that most brands rely instead on bug bounty programs to surface vulnerabilities, which the report also considers an effective means of preventing hacks.
The report also presents an overall security ranking of crypto wallets, with the top five being:
- MetaMask.
- ZenGo.
- Rabby.
- Trust Wallet.
- Coinbase Wallet.
The CER rating was compiled using a methodology that weighs several security factors, including bug bounty programs, past incidents, password requirements, and recovery methods, among others.
The importance of external technical audits was demonstrated by Fireblocks, a company specializing in infrastructure security for digital asset transactions and storage. Its researchers published details of a set of critical vulnerabilities, collectively named BitForge, found in more than a dozen popular cryptocurrency storage solutions.
The company released its findings after a 90-day disclosure period that began when the vulnerabilities were identified. Details of the potential attack methods were shared immediately with the teams developing the possibly affected projects, and according to Fireblocks all of them responded promptly and shipped the necessary updates. The projects Fireblocks named publicly as having had vulnerable code were the Coinbase, ZenGo, and Binance wallets.
The vulnerability of crypto wallets therefore remains a pressing issue. One of the largest attacks of 2023 by value stolen was the Atomic Wallet attack, in which cybercriminals took assets worth over $100 million.