CertiK has shared a security assessment focused on Web3 desktop wallets.
As explained in an extensive update by the team at CertiK, desktop wallets play a key role in the Web3 ecosystem, providing users with a means to manage their digital assets within decentralized networks.
According to a detailed research report, blockchain industry analysts from cryptocurrency exchange Bitfinex had pointed out that, by Dec 1, 2023, the number of cryptocurrency holders had “reached 575 million, up from 432 million at the start of last year.”
As Web3 evolves, the importance of desktop wallets in ensuring the security of user assets has become “increasingly apparent.”
However, after conducting a thorough technical analysis of several desktop wallets, the CertiK team identified potential security “vulnerabilities that could expose users to heightened risks while using these wallets.”
Desktop wallets are essential tools for Web3 users to “manage and protect their digital assets.”
But the security of these wallets is often “overlooked,” especially in the context of supply chain attacks, in which cybercriminals “compromise a third-party vendor, supplier, or service provider on which the target organization relies.”
To prevent such attacks, users are advised to perform hash verification on installation packages, even when downloading “directly from official websites.”
Only packages that pass this verification can be “deemed safe.”
But not all users have the ability to perform such verification, which is particularly “evident in the usage of certain desktop wallets, further increasing the risk of attacks.”
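The check recommended above, as an added example that is not part of CertiK's report: it parses a sha256sum-style list of published digests, streams the downloaded installer, and compares digests in constant time. The file name and the digest list are constructed sample data; the published digest only helps if it comes from a channel the attacker cannot alter together with the download.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path: str) -> str:
    """Stream the file in 1 MiB chunks so a large installer need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_sums(text: str) -> dict:
    """Parse sha256sum-style lines: '<64 hex chars>  <filename>' (a leading '*' marks binary mode)."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # skip comments, blank lines and malformed entries
        sums[parts[1].strip().lstrip("*")] = parts[0].lower()
    return sums


def verify_installer(path: str, sums_text: str) -> bool:
    """True only if a published digest exists for this file name and matches the file."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False  # no published digest: treat the package as unverified, not as safe
    return hmac.compare_digest(sha256_of_file(path), expected)


def demo() -> tuple:
    """Constructed sample: a fake installer with a matching digest entry, plus a tampered copy."""
    tmp = tempfile.mkdtemp()
    genuine = os.path.join(tmp, "wallet-setup.exe")  # hypothetical file name
    with open(genuine, "wb") as f:
        f.write(b"constructed installer bytes\n")
    sums_text = f"{sha256_of_file(genuine)}  wallet-setup.exe\n"
    tampered = os.path.join(tmp, "mirror", "wallet-setup.exe")
    os.makedirs(os.path.dirname(tampered))
    with open(tampered, "wb") as f:
        f.write(b"constructed installer bytes\n\x90")  # one extra byte changes the digest
    return verify_installer(genuine, sums_text), verify_installer(tampered, sums_text)
```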
And some desktop wallets may inadvertently use modules or algorithms similar to those found in “backdoor software, leading to false positives from certain antivirus programs.”
While official websites typically provide explanations for these false alarms, users lacking hash verification abilities may “accept these justifications without question, viewing antivirus warnings as normal.”
According to the update from CertiK, this “misplaced” trust can give malicious software opportunities to disguise itself as “legitimate wallet installation packages, putting users at greater risk.”
For instance, 65 antivirus programs on VirusTotal analyzed a common desktop wallet’s download file, “resulting in 19 flags identifying the sample as malicious.”
This analysis demonstrates that supply chain attacks are not merely theoretical risks; for the average user, the “lack of technical means to verify the authenticity of software can lead to inadvertently downloading and installing malicious software.”
The fact that installation packages downloaded from official websites may trigger warnings “from antivirus programs complicates the user’s ability to discern safety, exposing them to more severe security threats.”
During its research, CertiK found that some desktop wallets allow users to store private keys in “plain text for certain business purposes.”
This practice increases the risk to users’ digital assets, as plain text private keys become directly “exposed to attackers if the user’s computer is infected with a virus or malware, jeopardizing the security of their digital assets.”
CertiK identified another security concern: Many desktop wallets employ flawed methods for file encryption, which make it “easier for attackers to access and decrypt users’ encrypted data.”
Notably, these wallets do not bind file encryption to the hardware information of the device, meaning that, even if the files are “encrypted, attackers can transfer them to other devices for offline decryption, thereby circumventing the device’s inherent security protections.”
Further analysis revealed that some wallets exhibit “weaknesses in their brute-force protection algorithms when using PIN codes.”
Many wallets utilize encryption algorithms with a “hash iteration count far below industry standards.”
Some desktop wallets, for example, use only 5,000 iterations, which is “significantly lower than these security benchmarks. In such cases, even simple numeric passwords can be easily compromised by attackers employing brute-force techniques to obtain users’ PIN codes.”
Additionally, CertiK’s audit revealed that the password protection mechanisms of some wallet software “perform poorly against sophisticated attacks.”
Malicious attackers often first steal users’ “encrypted data and then utilize powerful computing resources to decrypt them in an offline environment.”
Due to flaws in the encryption algorithm selection of certain desktop wallets, this encrypted data “becomes more susceptible to cracking.”
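An added example, not CertiK's code, that illustrates two of the findings above: the low PBKDF2 iteration count and file encryption that is not bound to the device. The vault stores a salt, an iteration count and a key check value derived from the PIN; mixing a device-bound secret into the derivation means a copied vault cannot be opened on another machine with the correct PIN alone. The 600,000-iteration figure and the device secrets are assumptions chosen for illustration, and the key check value stands in for a real encrypted payload.

```python
import hashlib
import hmac
import os

# 5,000 is the low count the report criticises; 600,000 is an assumed hardened value.
WEAK_ITERATIONS = 5_000
STRONG_ITERATIONS = 600_000


def derive_key(pin: str, salt: bytes, iterations: int, device_secret: bytes = b"") -> bytes:
    """PBKDF2-HMAC-SHA256 over the PIN. The device secret (e.g. a value held only in the
    OS keychain or TPM, assumed here) is appended to the salt so it never lands in the file."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt + device_secret, iterations, dklen=32)


def create_vault(pin: str, iterations: int, device_secret: bytes = b"") -> dict:
    """Return what would be written to disk: salt, iteration count and a key check value."""
    salt = os.urandom(16)
    key = derive_key(pin, salt, iterations, device_secret)
    check = hmac.new(key, b"vault-check", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def unlock_vault(vault: dict, pin: str, device_secret: bytes = b"") -> bool:
    """Recompute the key check value; only the right PIN on the right device matches."""
    key = derive_key(pin, vault["salt"], vault["iterations"], device_secret)
    expected = hmac.new(key, b"vault-check", "sha256").digest()
    return hmac.compare_digest(expected, vault["check"])


def pin_brute_force_work(pin_digits: int, iterations: int) -> int:
    """Upper bound on PBKDF2 iterations an offline attacker must run to exhaust an
    all-numeric PIN space: 10**digits candidates, each costing `iterations` hashes."""
    return (10 ** pin_digits) * iterations


if __name__ == "__main__":
    vault = create_vault("123456", STRONG_ITERATIONS, device_secret=b"device-A-secret")
    print("same device, right PIN:", unlock_vault(vault, "123456", b"device-A-secret"))
    print("copied to other device:", unlock_vault(vault, "123456", b"device-B-secret"))
    for n in (WEAK_ITERATIONS, STRONG_ITERATIONS):
        print(f"6-digit PIN at {n:>7} iterations: {pin_brute_force_work(6, n):,} hashes")
```

The work ratio between the two iteration counts is 120×, which is the whole margin an unbound vault file relies on once it has been copied off the device.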
This exposes users’ digital assets to risks, and “presents new challenges to the overall security of the Web3 ecosystem.”
For desktop use, it is advisable to opt for MPC wallets or hardware wallets due to the “inherent security vulnerabilities of desktop systems compared to mobile devices.”
While desktop wallets are convenient for operation and access, their constant internet connectivity exposes them to “greater risks of hacking and malware threats.”
Therefore, for users requiring higher security, “selecting alternative wallet types is a prudent choice.”
MPC wallets offer advantages in enhancing asset security and recovery functionality.
Utilizing secure multi-party computation (MPC) tech, these wallets split private keys into multiple fragments, which are then “stored across different participants or nodes.”
This design eliminates single points of failure, ensuring that “no single entity possesses the complete private key.” As a result, even if a user’s desktop system is compromised, attackers “cannot utilize any individual key fragment to steal assets. Only when fragments from multiple participants are combined can a valid transaction signature be generated. Thus, as long as not all key fragments are simultaneously exposed, the user’s assets remain secure.”
Furthermore, the distributed key management of MPC wallets provides greater “operational flexibility and lower transaction costs. It enables hidden signatures and off-chain accountability, further enhancing privacy and security.”
In this manner, MPC wallets ensure that, even in cases of “partial system compromise, the safety of digital assets is not jeopardized.”
Additionally, some MPC wallets offer “social recovery features, allowing emergency contacts to assist users in regaining access to their wallets in extreme situations.”
Desktop hardware wallets provide a physically “isolated solution by storing private keys within a hardware device.”
CertiK also stated that this design ensures that all signing operations occur offline within the hardware, preventing attackers from “accessing the stored private keys, even if the user’s desktop system is compromised. Such physical isolation significantly enhances asset security, as private keys are never exposed to the internet, thus reducing the risk of hacking and theft.”
Modern hardware wallets offer recovery functionalities to safeguard against “asset loss in the event of hardware damage or loss.”
This recovery process involves “creating a backup mnemonic or private key fragments, which users can securely store in various locations.”
CertiK pointed out that if the hardware device is lost or damaged, users can utilize these backup details in order to “regain access to their wallets and control over their assets.”
To ensure asset safety, private key fragments are strongly bound to the account, meaning that the “assets are only at risk if both the private key fragments and the account are lost simultaneously.”
Moreover, some hardware wallet manufacturers, such “as Ledger, offer ID-based key recovery services.”
Due to the inherent limitations of hardware wallets — such as restricted CPU power, limited networking capabilities, and minimal user interface — displaying “detailed transaction information is challenging.”
CertiK added that this makes it difficult for users to “fully verify transaction content, particularly in cases requiring thorough validation of transaction details.”
As a result, MPC emerges as a relatively “better alternative in such scenarios.”
MPC enables multiple parties to jointly “compute and verify transaction data without exposing sensitive information, providing a more robust framework for verifying the purpose and integrity of a transaction.”
CertiK further noted that unlike hardware wallets, MPC-based solutions can leverage the processing and networking “environments in mobile or other platforms, allowing a closer alignment to the backend and mitigating risks associated with transaction verification.”
It is clear that desktop hardware wallets provide users with a secure and reliable means of “asset protection through physical isolation and recovery functionalities.”
The introduction of biometric tech strengthens this protection, ensuring that users’ assets remain safeguarded, even “under extreme circumstances.”
Based on this risk and security analysis, CertiK says it conducted a comparative assessment of several desktop wallets.
As mentioned in the analysis from CertiK, desktop wallets, as crucial tools for managing digital assets, face a “multitude of security challenges.”
False positives from antivirus software, “lack of sandbox protection, and deficiencies in encryption algorithms can all expose user assets to theft risks.”
This is concerning for users with “limited” technical expertise, who may struggle to “identify and address these issues.”
Therefore, wallet developers must enhance security measures to “ensure the software’s safety.”
As noted in the detailed explainer from CertiK, average users should increase their awareness of these risks and adopt “best practices for storing and managing” their digital assets.
CertiK concluded that through rigorous auditing and continuous improvement of desktop wallets, we can better “safeguard user digital asset security and promote the healthy development of the entire Web3 ecosystem.”