The Risks Of Crypto Wallets: What You Need To Know

unnamed

Crypto wallets are designed to keep a user’s private keys – which give them access to tokens on the blockchain such as Bitcoin and Ethereum – accessible and safe. They also provide a way for users to send and receive crypto. 

There are many different kinds of crypto wallets, including mobile wallets such as Coinbase Wallet and BRD, as well as hardware wallets such as the Nano Ledger.  Unlike traditional wallets that hold physical cash, crypto wallets don’t actually store crypto within them. Rather, they can be thought of as a portal that enables access to assets on the blockchain with the aid of a private key. It means that if someone loses their private key, or if that private key is stolen, they will lose their crypto forever.  

It’s also important to note the distinction between custodial wallets, where the wallet provider holds the private keys (hence the user is required to trust a third-party), and non-custodial wallets, where only the user can access them.

Can Crypto Wallets Be Trusted?

So-called “cold wallets” (including hardware and paper wallets) that are not connected to the Internet are among the safest ways to store cryptocurrency as they cannot be accessed until they come online. However, for convenience most people tend to use “hot wallets” – which can be mobile or web wallets – that remain online all of the time so they can make transactions on the go. Anyone who wants to use a hot crypto wallet needs to be aware of the inherent security flaws in their design. 

Lack of anonymity

One of the biggest problems with blockchain technology is that all transactions are public. Thus, it becomes possible for anyone using deanonymization techniques based on transaction graph analysis and the observation of nodes’ connections to tie a specific user to an IP address and very possibly identify who that person is. 

Deanonymization is a risk even with privacy-oriented coins such as Monero and Zcash, as this traceability analysis of Monero shows. 

The issue is that most crypto wallet developers typically overlook the threat of deanonymization, increasing the risk of “over-the-shoulder” attacks where a hacker might simply obtain someone’s private key by spying on them. 

Application Security Risks

Crypto wallets are essentially just like any other kind of application found on a smartphone or a PC, meaning they are susceptible to all of the same security flaws and vulnerabilities as traditional apps are, including phishing attacks, reverse engineering, malicious third-party libraries, brute-force attacks and so on. 

Two of the most important app security considerations are user authentication. Unfortunately, some crypto wallets lack crucial controls around authentication and password flow, including password policies and rotation, defense against brute-force attacks, biometric authentication, extra authentication when performing sensitive actions, and tying authentication to the Keychain/Keystore where the keys are stored. If a crypto app skips out on any one of these controls, it significantly lowers the bar for attackers hoping to steal someone’s credentials. 

A second app-related weakness is local data storage. Non-custodial wallets store the private key needed to access the user’s tokens locally, on the device itself. There is a danger that this information could be accessible as a common file type, or worse, stored unencrypted. 

Platform Risks

Many mobile crypto wallets also make the fatal mistake of not checking to see if the device it’s running on is trusted. For example, if a smartphone has been rooted or jailbroken, it could have potentially harmful reverse engineering tools or apps installed on it. Such malware might be able to steal the user’s private keys when they enter them, or access the wallet’s memory and steal it from there. Thankfully, mobile platforms such as Android and iOS do provide device-level security features such as requiring a passcode to access certain apps, which can present a big obstacle for an attacker. 

Web-based wallets have different issues. The biggest weakness here is that most web apps rely too heavily on browser security, making the assumption that data stored within it is safe. However, web extensions have critical flaws as they have no notion of runtime code integrity, meaning that whatever app is currently up and running can easily be modified by someone who knows what they’re doing. 

Malware affecting browsers has almost unlimited possibilities, such as replacing the content on a clipboard when the user is trying to copy-paste an address to send crypto, or sending users to a malicious version of a “send transaction” page. Malware risks are very real too – a recent study by Google found that 70% of browser security bugs are related to memory issues. 

Cryptography Flaws

The people who design crypto wallets are not necessarily cryptographic security experts. Rather, the vast majority are regular developers that, while maybe having some understanding of cryptography, are far from being experts in the field. Coassack Labs warns in its own analysis of crypto wallet security that many developers’ code therefore contains numerous cryptographic implementation issues and design flaws. 

DeFi Communications

A crypto wallet with multiple features will have a much wider attack surface. Some of the more advanced crypto wallets these days provide numerous ways to interact with so-called DeFi (decentralized finance) apps to enable people to stake tokens and earn rewards, loan and borrow crypto, buy and sell NFTs and more. 

By communicating with DeFi apps, crypto wallets that lack proper authentication methods, encryption for data-in-transit and secondary authorizations for transactions significantly increase user risk, leaving opportunities for hackers to intercept and modify those communications. 

Other risks include simply interacting with a malicious dApp or one that has been compromised – such as what happened with BadgerDAO recently. 

The User

Perhaps the biggest risk of all is the user themself. Non-custodial wallets are inherently secure, but only if the user keeps it that way. Unfortunately, there have been many instances of users being tricked by phishing attacks and giving away their credentials, or simply forgetting their private keys and losing access to their assets. 

Place Your Trust In An Authentication Layer

Crypto wallet security is a delicate issue requiring innovative solutions and one of the most promising yet could well be Avarta – a multichain wallet with biometric security and user ID credentials that aims to become a complete cybersecurity platform for the growing DeFi industry. 

Avarta combines decentralized transparency and a biometric crypto authentication layer with its innovative cross-chain credit scoring system, guaranteeing a private key-less experience. Instead, users’ own biometrics – in this case, their face scan – become the key access point to their wallets, eliminating the need to store or remember a long password phrase. 

Avarta is particularly useful for DeFi apps, helping to improve issues around whitelisting, authentication on multiple blockchains and collateralization in DeFi lending. In essence, Avarta replaces password phrases as the most fundamental security layer on Level-1 blockchain layers, DeFi applications and on centralized exchanges.  

The Avarta wallet envisages itself becoming a single-sign on platform for the entire web3 ecosystem, enabling users to easily interact with metaverses, DeFi, NFTs and other ecosystems. One of the key enablers of this is its multi-chain support, which means users can store all of their crypto assets from every blockchain in a single wallet with no passwords or seed phrase to worry about storing. 

Another unique feature is its trust scoring capability, which makes it possible for users to show they are a reliable borrower, lender or investor and gain access to services based on trust. With Avarta Trust Score, users can create an avatar that allows them to join communities, build a reputation and interact with other users within the metaverse. What’s more, users stay in full control of their data too, allowing them to decide how and when to share their information. 

Avarta does have a number of respectable rivals in the super-secure crypto wallet space, including ZenGo, XDefi, Spectral Finance, Trust Wallet and Degen Score, but none of those solutions provide the same combination of decentralized transparency with trust scoring. Uniquely, Avarta’s multi-chain wallet also uses data collected by the user’s mobile device to heighten security even more. 

Avarta’s wallet is primarily aimed at investors wanting to interact with DeFi applications, acting as a kind of certified credential for each user whenever they wish to invest, borrow, lend or trade in cryptocurrency.