A July report from cybersecurity certification platform CER found that only six of 45, or 13.3%, of cryptocurrency wallet brands have undergone penetration testing to find security vulnerabilities. Of these, only half have performed tests on the latest versions of their products.
The three brands that have done up-to-date penetration tests are MetaMask, ZenGo, and Trust Wallet, according to the report. Rabby and Bifrost performed penetration testing on older versions of their software and LedgerLive did them on an unknown version (listed as “N/A” in the report). All other brands listed did not provide any evidence of having done these tests.
The report also provided an overall ranking of the security of each wallet, listing MetaMask, ZenGo, Rabby, Trust Wallet, and Coinbase wallet as being the most secure wallets overall.
“Penetration testing” is a method of finding security vulnerabilities in computer systems or software. A security researcher attempts to hack into the device or software and use it for purposes it wasn’t intended. In most cases, a penetration tester is given little to no information about how the product works. This process is used to simulate real-world attempts at hacking to uncover vulnerabilities before the product is released.
CER found that 39 out of 45 wallet brands didn’t perform any penetration testing at all, not even on older versions of the software. CER speculated that the reason may be that these tests are expensive, especially if the company makes frequent upgrades to their products, stating, “We attribute it to the amount of updates an average app has, where each new update can disqualify the pentest made earlier.”
They found that the most popular wallet brands were more likely to perform security audits, including penetration tests, as they often had the funds to do so:
“Essentially, popular wallets tend to adopt more robust security measures to protect their increasing user base. This seems logical – a higher user base often corresponds to more significant funds to secure, more visibility, and consequently, more potential threats. It can also result in a positive feedback loop, with more secure wallets attracting new users in higher numbers than the less secure ones.”
CER’s ranking of wallets was based on a methodology that included factors like bug bounties, past incidents, and security features, such as restore methods and password requirements.