Not All Wallets Are Equal, Some Will Fail
In early August 2022, more than 9,000 Solana wallets were drained of their contents. It was a widespread attack, which led to widespread alarm, because Solana maxis were waking up to their wallet contents reduced to a neat little zero. It was forced minimalism, austerity, and frugality in Solana land. Eventually, the culprit was found: Slope wallet, a Chrome browser extension, was saving the recovery phrases, and sending them to a server, where they were stored in plain text. Despite being identified as the cause behind the widespread hack, Slope wallet's founders made a statement a few days later, that there was no evidence that the widespread hack was caused by their questionable practice. They claimed that they had conducted an investigation, with the help of TRM (a cybercrime company), and OtterSec and Slowmist (both cybersecurity auditors). Slope wallet's providers, Slope Finance, also said that the server, which stored the recovery phrases, was encrypted and protected with three factor authentication. An estimated USD6 million was lost in the hacks.
In late February 2023, Algorand maxis took their turn to be drained of their wallet's contents. MyAlgo, a leading web wallet for the Algorand ecosystem, and arguably the main wallet provider, had suffered a breach of their infrastructure. Funds were being removed from wallets, without any explanation. The hacks occurred over a few days, during which time, MyAlgo instructed users to withdraw funds or "rekey to new accounts". (It means giving up control of an existing account to a new account.) They pointed to Pera Wallet and DeFly Wallet, and Ledger as well. Nobody mentioned the fact that Pera Wallet was originally Algorand Wallet, and it changed overnight to Pera Wallet - not just online, but also in users' mobile phones. And you might have thought that wallets cannot just upgrade by themselves, but no, they did in this case. How much power and authority does a user have over his or her own funds? Isn't the mantra supposed to be, "Not your keys, not your crypto"? Which implies the inverse: With your own keys, you control your own crypto. This was a rallying cry which has been disproved and debunked when users lost their funds. It also goes to show that not all wallets are created equal. By the time the MyAlgo vulnerability was identified, around USD 9.2 million had been lost.
In early June 2023, Twitter users woke up to find that their holdings in Atomic Wallet had been drained. Another day, another drainer. But Atomic Wallet was different from Slope or MyAlgo. Atomic Wallet is a multi-chain self-custody wallet. Users could use Atomic Wallet to store Bitcoin, Ethereum, and a large number of other tokens. Atomic Wallet was also "powered" by its own utility token: An ERC20 token called $AWC, presumably standing for "Atomic Wallet Coin". Holding $AWC in your wallet would give you benefits. Those benefits did not include getting your wallet drained (at no charge to you, I might add). It was an alarming development when Atomic Wallet users began reporting that their wallets' balances had gone to zero. What was the reason for the vulnerability? Were recovery phrases being stored online? Atomic Wallet's issuer claimed that only 1% of its users were affected, but media reports show that at least USD35 million in crypto funds have been lost in this hack. The story is still developing and the cause has not yet been identified.
As a user, you should wonder what are the liabilities of the wallet providers who have their security compromised. Will they ever be asked to compensate users? How can users go about making a claim, when these wallet providers have disclaimers which explicitly deny responsibility if anything untoward ever happens to your funds? Put it this way: If you were to go to a highly recommended hotel when you were on a trip, and you saw a disclaimer that, if you died in the room for whatever reason, were burgled for whatever reason, hurt, or raped, for whatever reason, the hotel has no responsibility - despite having guards at the door, and a 5 star reputation on TripAdvisor - what would you do? Most people would check in. After all, hotels should have insurance, and a modicum of security. Shouldn't they? Because hotels are humdrum traditional businesses, governments make sure that a large number of untoward incidents are the responsibility of the hotel operators. And that's because these hotels are run as commercial businesses. Not free, not gratis, but paid, and sometimes even premium. But - and this is important - many wallet providers offer their services to you for free, and disclaim all responsibility. But the fact is, it is a business, and they do make money, from offering services within the wallet. Services such as swaps, and token on-ramps, will yield a profit for the wallet's providers. Not a lot, unless they have a lot of users, but it's not zero either. So, with that in mind, shouldn't wallet providers take some form of responsibility?
In the days before human readable blockchain addresses, such as ENS (Ethereum Name Service), SNS (Solana Name Service), ADA Handle and Unstoppable Domains, became popular, vanity addresses were popular. But generating a vanity address was often too technical for the average crypto fan, so they used online services to generate addresses starting with the letters and numbers that they wanted. Those letters and numbers could be human readable words, or a series of numbers. In September 2022, a month after the Slope wallet hack, there was a widespread series of hacks on the Ethereum blockchain. These involved vanity addresses generated on the Ethereum blockchain using a tool called Profanity. An analysis of the hacking incident identified the vulnerability as stemming from the use of a 32 bit vector to seed a 256 bit private key. Through sheer brute force, by employing thousands of GPUs (think cloud GPUs), the 32 bit vector public key could be discovered - over a period of a few months. A total of nearly USD1 million was lost initially to these hacks. (Some sites identified it as USD3 million.) Then news broke about the Profanity vanity addresses, and Wintermute, which used a Profanity-generated vanity address for authentication of its vault, decided to move funds into its vault. The guys at Wintermute probably forgot that the vanity address, which started with "0x0000000", was used as an authenticator. And then it happened - Wintermute was hacked, and USD160 million in crypto was drained from its vault.
(Incidentally, an article that I read claimed that Bitcoin vanity addresses generated with Vanitygen were probably not as easy to hack as the Profanity addresses, because they were not generated using a 32 bit vector.)
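To make the seeding weakness described above concrete, here is an added example (not code from Profanity or from the analysis the article refers to) showing that a 256 bit key expanded from a small seed can only take as many values as the seed can, while a key drawn from the operating system's CSPRNG cannot be reached that way. Assumptions: the seed is shrunk to 16 bits so the check runs in seconds, Python's `random.Random` stands in for the key expansion, and a truncated SHA-256 stands in for real address derivation; all function names are hypothetical.

```python
import hashlib
import random
import secrets

DEMO_SEED_BITS = 16  # constructed reduction; the article's case is 32 bits


def key_from_seed(seed: int) -> bytes:
    """Weak pattern: a 256-bit key expanded deterministically from a small seed."""
    return random.Random(seed).getrandbits(256).to_bytes(32, "big")


def weak_keygen(seed_bits: int = DEMO_SEED_BITS) -> bytes:
    # The seed is unpredictable, but only 2**seed_bits distinct keys can result.
    return key_from_seed(secrets.randbits(seed_bits))


def strong_keygen() -> bytes:
    # Hardened pattern: all 256 bits come straight from the OS CSPRNG.
    return secrets.token_bytes(32)


def toy_address(key: bytes) -> str:
    # Stand-in for real address derivation (assumption: truncated SHA-256).
    return hashlib.sha256(key).hexdigest()[:40]


def key_in_seed_space(address: str, seed_bits: int = DEMO_SEED_BITS) -> bool:
    """Audit check: is this address reachable from the small seed space?"""
    return any(toy_address(key_from_seed(s)) == address
               for s in range(2 ** seed_bits))


if __name__ == "__main__":
    weak_addr = toy_address(weak_keygen())
    strong_addr = toy_address(strong_keygen())
    print("weak key reachable from seed space:  ", key_in_seed_space(weak_addr))
    print("strong key reachable from seed space:", key_in_seed_space(strong_addr))
```

The key length is the same in both cases; what differs is how many bits of it an outsider actually has to guess.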
There will be future hacks, for sure. There have been so many hacks in crypto that people grow numb hearing about the news, until it happens to them personally. Despite the community's ethos that self-custody wallets are better than exchanges and hosted wallets (i.e. "hot wallets" or "web wallets"), these incidents show that there is still a degree of centralization amid the quest for decentralization. The centralization happens at the instance of the wallet provider; and if the wallet provider is compromised, or easily compromised, then users' funds will be vulnerable to attack. These incidents have led to increased caution against backing up of recovery phrases. For example: A recent initiative by Ledger, a leading hardware wallet provider, to allow seed phrases to be "recoverable" through a backup by three different bodies, was met with skepticism and fear, uncertainty and doubt. It seems that Ledger will eventually have to roll back the firmware for its hardware wallets to appease its users.
Despite everything, the call of decentralization is still an attractive one, but many wallets are closed source, and their functionality is often quite opaque. Hence, users who rely on these "self-custody wallets" are often taking a risk, relying on "Trust me bro" word of mouth, without any recourse if something goes wrong. If something happens to their funds, they only have themselves to blame. But when institutions and large companies start to rely on these "self-custody wallets" to secure their users' funds, the stakes are amplified hundreds of times, because with so many funds under their management, they become targets for phishing and brute force attacks. Importing a wallet through input of recovery phrase does not leave any IP address, and probably does not tip off any authorities. A clever hacker can probably use the command line to quickly recover wallets, many times, in a short period of time. The continued rise of computing power over the years is almost a guarantee, with more and more computing power becoming more and more available to modest users. Not too long ago, there were concerns that supercomputers could crack Bitcoin addresses easily. Those fears were not without reason. But it is a double edged sword: There are legitimate reasons for users to want to recover their funds, not least among them, a genuine user misplacing his recovery phrase. This seems to be the way forward for some blockchains: Ethereum's ERC4337, for example, allows for "social recovery of crypto accounts". This is a fancy way of saying that your friends can confirm you are who you say you are, and then - voila! - you get access to your lost crypto.
This article could drag on, but I will not waste your time. Suffice to say, from a legal perspective, if you rely on "experimental software", especially those where the creators are unknown, where they disclaim all responsibility, you are in effect taking a risk, which you must bear alone, if anything bad happens to your funds. If you are a company, or an institution, it is better to use open source wallets, rather than closed source wallets, because you can then rely on the wisdom of crowds to weed out vulnerabilities. But, in any case, if you are a true believer in crypto, you will still have to get a "self-custody wallet" to manage your own funds. Because the alternative to that is keeping your funds in the care of a hosted wallet, and relying on them to keep your funds safe. If you have ever heard of Mt GOX (Japan), of Cryptopia (NZ), and of QuadrigaCX (to name a few), you'll know that exchanges can crash, taking your funds along with them.
Disclaimer: This article should not be treated as legal advice, although the writer is available to provide legal services related to crypto and blockchain projects. The writer is a lawyer, but not your lawyer.
Thanks for reading! Please share this article with a friend if you found it helpful or entertaining.