CryptoreNews covers fintech, blockchain and Bitcoin bringing you the latest crypto news and analyses on the future of money.
Report: Only 6 out of 45 cryptocurrency wallet brands have completed penetration testing.
A report released in July by the cybersecurity certification platform CER revealed that merely six out of 45 cryptocurrency wallet brands, or 13.3%, have undergone penetration testing to identify security weaknesses. Among these, only half have conducted tests on the most recent versions of their products.
According to the report, the three brands that have completed current penetration tests are MetaMask, ZenGo, and Trust Wallet. Rabby and Bifrost conducted penetration testing on earlier versions of their software, while LedgerLive tested an unspecified version (noted as “N/A” in the report). The remaining brands listed did not provide any proof of having conducted these tests.
The report also included an overall security ranking for each wallet, identifying MetaMask, ZenGo, Rabby, Trust Wallet, and Coinbase Wallet as the most secure options overall.
CER rankings for wallet security. Source: CER.
“Penetration testing” refers to a technique used to discover security vulnerabilities within computer systems or software. A security researcher attempts to breach the device or software and make it behave in ways its designers did not intend. Typically, a penetration tester receives minimal or no information regarding the product’s internals. The method is employed to mimic real-world attacks so that vulnerabilities are identified before the product is released.
CER discovered that 39 out of 45 wallet brands did not engage in any penetration testing whatsoever, even on older software versions. CER suggested that the likely reason for this is the high cost of such tests, particularly for companies that frequently update their products, stating, “We attribute it to the amount of updates an average app has, where each new update can disqualify the pentest made earlier.”
The analysis indicated that the most widely used wallet brands were more inclined to conduct security audits, including penetration tests, as they typically had the financial resources to do so:
“Essentially, popular wallets tend to adopt more robust security measures to protect their increasing user base. This seems logical – a higher user base often corresponds to more significant funds to secure, more visibility, and consequently, more potential threats. It can also result in a positive feedback loop, with more secure wallets attracting new users in higher numbers than the less secure ones.”
CER’s wallet ranking was based on a methodology that considered factors such as bug bounties, previous incidents, and security features, including recovery methods and password requirements.
While the majority of wallet brands do not perform penetration testing, CER noted that many rely on bug bounties to identify vulnerabilities, which is often an effective strategy for preventing hacks. They classified 47 out of 159 individual wallets as “secure” overall, indicating a security score above 60. These 159 wallets included some from the same brands. For instance, MetaMask for Edge browser was regarded as a distinct wallet from MetaMask for Android.
Wallet security has emerged as a critical concern in 2023, particularly following the loss of over $100 million in the Atomic Wallet hack on June 3. The Atomic team has speculated that the breach may have resulted from a virus or malware injection within the company’s infrastructure, but the specific vulnerability that enabled the attack remains unidentified. Additionally, the web wallet MyAlgo experienced a security breach in late February, leading to an estimated loss exceeding $9 million for users.