- A recent study compared the security of open vs. closed source crypto wallets, revealing vulnerabilities in both but slightly higher incidents in closed source wallets.
- Third-party hosted bug bounty programs have proven more effective in identifying vulnerabilities than self-hosted programs.
- Many wallets fall short in providing comprehensive transaction descriptions and backup prompts, but platforms like MetaMask, ZenGo, and Trust Wallet excel in balancing features and security.
A new study by cybersecurity firm CER assesses the choice between open and closed source crypto wallet development. The findings offer illuminating insights into their security features, vulnerabilities, and the balance between them. Most importantly, the report examines what this choice means for both developers and users.
Deciphering Open and Closed Source Wallets
At the heart of the debate between open and closed source wallets lies the transparency of their codebase. Open source wallets, as defined by the research, are those where a significant portion of their cryptography and key management code is publicly accessible. This facilitates a democratic ecosystem where the codebase is open to review and potential improvements. However, this openness has its pitfalls.
The study reported that fully open source wallets, while benefiting from public scrutiny, saw a significant number of security incidents. High-profile names like Edge, MyEtherWallet, Electrum, Ledger Live, and Trezor have all experienced breaches. In contrast, partially open source wallets haven’t reported such incidents.
Yet, it’s not black and white. Even with these vulnerabilities, open source wallets had an incident rate of 13.87%, only slightly less than closed source wallets, which stood at 18.48%. This nuanced data underscores a vital realization: transparency doesn’t equate to invulnerability.
The Role of Bug Bounties and Hardware Compatibility
Bug bounty programs emerge as a beacon of hope in this scenario, especially for open source wallets. These programs, which offer contracts between wallet companies and independent security experts, help identify and rectify vulnerabilities. Third-party hosted bug bounty programs, in particular, have demonstrated greater effectiveness. Out of 45 wallets studied, only 1 of the 14 wallets with third-party hosted programs (MyEtherWallet) faced a breach, compared to 4 out of 9 with self-hosted programs. The diverse pool of researchers in third-party programs offers a broader net to catch vulnerabilities.
Another safety net in the cryptocurrency ecosystem is hardware wallet compatibility. Hardware wallets are physical devices that store a user’s private keys, insulating them from vulnerable online systems. The research suggests that while wallets with hardware compatibility aren’t immune, they are more effective at preventing unauthorized access to funds.
Gaps in Wallet Security and User Experience
Despite the emphasis on security, there’s an alarming trend among wallet platforms: inadequate transaction descriptions. Around a third of wallets, particularly desktop and browser-extension wallets, don’t provide a comprehensive breakdown of what a transaction will do. This lack of transparency can be a breeding ground for scams and phishing attempts, given the rising mimicry of genuine Web3 applications. Mobile wallets aren’t free from critique either. A surprising 44.76% of mobile applications don’t prompt users for a mandatory backup when the wallet is first set up, a potential vulnerability.
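As an added illustration that is not part of the CER study or any wallet’s own code, the following JavaScript shows the kind of transaction breakdown the study says a third of wallets omit: it decodes the calldata of the two most common ERC-20 calls into a plain-language summary a user can read before signing, and flags a request for an unlimited token allowance. The contract and counterparty addresses in the sample are constructed placeholders; the function selectors are the standard 4-byte identifiers for `transfer(address,uint256)` and `approve(address,uint256)`.

```javascript
// Added example (not from the CER report or any wallet): a minimal calldata
// decoder that turns a raw EVM transaction into a human-readable breakdown.
// Only the two most common ERC-20 calls are covered.
const SELECTORS = {
  "0xa9059cbb": "transfer(address,uint256)",
  "0x095ea7b3": "approve(address,uint256)",
};

// Largest uint256 value; dApps often request it as an "unlimited" allowance.
const MAX_UINT256 = (1n << 256n) - 1n;

// Split hex calldata into its 4-byte selector and 32-byte argument words.
function parseCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || (hex.length - 8) % 64 !== 0) {
    throw new Error("calldata is not selector + whole 32-byte words");
  }
  const selector = "0x" + hex.slice(0, 8);
  const words = [];
  for (let i = 8; i < hex.length; i += 64) words.push(hex.slice(i, i + 64));
  return { selector, words };
}

// An ABI-encoded address occupies the low 20 bytes of a 32-byte word.
function wordToAddress(word) {
  return "0x" + word.slice(24);
}

function wordToBigInt(word) {
  return BigInt("0x" + word);
}

// Describe a transaction {to, value, data} for display before signing.
// Returns { summary, warnings } so the UI can show the real effect and any
// red flags instead of a bare "Confirm" button.
function describeTransaction(tx) {
  const warnings = [];
  const data = tx.data || "0x";
  if (data === "0x") {
    return { summary: `Send ${tx.value ?? 0n} wei to ${tx.to}`, warnings };
  }
  const { selector, words } = parseCalldata(data);
  const sig = SELECTORS[selector];
  if (!sig) {
    warnings.push(`Unknown function selector ${selector}; effect cannot be shown`);
    return { summary: `Call unknown function on contract ${tx.to}`, warnings };
  }
  if (words.length !== 2) throw new Error(`expected 2 arguments for ${sig}`);
  const counterparty = wordToAddress(words[0]);
  const amount = wordToBigInt(words[1]);
  if (sig.startsWith("transfer")) {
    return {
      summary: `Transfer ${amount} token units of ${tx.to} to ${counterparty}`,
      warnings,
    };
  }
  // approve(): an allowance lets the counterparty move tokens later.
  if (amount === MAX_UINT256) {
    warnings.push(`Unlimited allowance: ${counterparty} could move all of this token`);
  }
  return {
    summary: `Allow ${counterparty} to spend up to ${amount} token units of ${tx.to}`,
    warnings,
  };
}

// Constructed samples (placeholder addresses): an unlimited approve() and a
// plain transfer() of 1000 token units.
const ADDR_WORD = "000000000000000000000000";
const SAMPLE_APPROVE = {
  to: "0x1111111111111111111111111111111111111111",
  value: 0n,
  data: "0x095ea7b3" + ADDR_WORD + "2222222222222222222222222222222222222222" + "f".repeat(64),
};
const SAMPLE_TRANSFER = {
  to: "0x1111111111111111111111111111111111111111",
  value: 0n,
  data: "0xa9059cbb" + ADDR_WORD + "3333333333333333333333333333333333333333" + "0".repeat(61) + "3e8",
};

console.log(describeTransaction(SAMPLE_APPROVE));
console.log(describeTransaction(SAMPLE_TRANSFER));
```

A real wallet would extend the selector table (or pull ABIs from a verified source) and resolve token symbols and decimals, but the shape is the same: never ask the user to sign a blob they cannot read, and surface an unlimited allowance as a distinct warning rather than a number.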
Yet, amidst these security concerns, user experience remains a priority. Token swaps are omnipresent, indicating their importance in today’s wallets. But as the future of cryptocurrency becomes multi-chain, the lack of integrated cross-chain bridges in wallets is concerning, especially given the thefts from bridge exploits.
Despite these challenges, some wallets have managed to strike the right balance. MetaMask and ZenGo on Android, along with Trust Wallet on iOS, stand out as feature-rich platforms that don’t compromise on security.
The crypto wallet landscape is diverse, with each type offering unique features and challenges. The recent study brings to light the paramount need for regular and thorough security assessments. Wallet choice should hinge on its reputation, rigorous security measures, and a track record free of breaches. As the report astutely advises, when in doubt, always prioritize safety.