Least Authority Discloses Security Risks in Atomic Wallet


Funds held in Atomic Wallet, a crypto wallet that supports over 300 coins and tokens, may be at risk, according to a comprehensive security audit conducted by Least Authority.

Least Authority has published a blog post to alert Atomic Wallet users to the potential risks associated with the vulnerabilities it claims to have discovered in the wallet's system design.

"... we strongly recommend that the Atomic Wallet team immediately notify users of the existing security vulnerabilities. In addition, until the issues and suggestions outlined in the report have been sufficiently remediated and the Atomic Wallet has undergone subsequent security audits, we strongly recommend against the Atomic Wallet's deployment and use."

CoinDesk reached out to Atomic Wallet for comment but did not receive a reply at the time of original publication. Atomic's CEO Konstantin Gladych has since responded with the following statement:

We have taken all the issues discovered by Least Authority into full account.

  • For some issues, we have already released corresponding patches and notified Least about doing so.

  • To implement the remaining suggestions, we will need to rework some parts of our application's core architecture. This will take some more time as per our estimate, but we are working on it. None of those issues pose any security risks to our users, as Atomic is a non-custodial wallet and all data is stored locally on users' devices. We are expecting to implement the rest of Least's suggestions in Q2 2022. Once we are done, we will re-audit the application.

  • Atomic Wallet has undergone two security audits so far. The other audit, conducted by DerSecur Ltd, asserted: "The application's average security score is 4.7. This result is higher than the market average. The application can be considered secure enough, however, we recommend bringing to the attention vulnerabilities discovered during the audit and consulting with the detailed results."

  • Security is our top priority, and we are continuously working on improving Atomic Wallet. Therefore, we have thoroughly reviewed Least's report and will be done implementing their recommendations in full in Q2, 2022.

Least Authority was originally hired to evaluate Atomic's system design as well as its corresponding core, desktop and mobile code implementations in early 2021. That report, delivered to Atomic in April, concluded that there were vulnerabilities and insufficiencies that put users at "significant risk."

The research team stated that the wallet sent them a response noting its updates and improvements in November. However, after checking Atomic's remediation commits, Least Authority found that "a significant number of issues and suggestions remain unresolved ..."

Further attempts to work with Atomic to resolve the outstanding security issues have been unsuccessful, according to Least Authority.

Now, after 10 months of following responsible disclosure procedures, Least Authority is taking the next step of alerting Atomic's users to the potential risks associated with the vulnerabilities it claims to have discovered. In the interest of preventing malicious actors from acting on the information in the final report, the security team is not releasing the finer details of its findings.

"We hope that this disclosure of the existence of significant vulnerabilities without providing details helps to appropriately inform users without putting them at even greater risk," the blog post states.

Today marks the first time since its founding in 2011 that Least Authority has taken this step to alert the public to unresolved security issues with a client's product.

Vulnerabilities in Atomic Wallet

Least Authority noted the following outstanding vulnerabilities in its latest audit of Atomic Wallet:

  • current users are susceptible to a range of attacks that may lead to the total loss of user funds, specifically due to the current use and implementation of cryptography;

  • a lack of adherence to wallet system design and development standards and best practices;

  • a lack of robust project documentation;

  • an incorrect use of Electron, a framework for building desktop applications, leading to an increased risk of potential security vulnerabilities and implementation errors, as well as out-of-date and unmaintained dependencies.

The company is also calling on Atomic Wallet to conduct and publish "a full, comprehensive follow-up security audit" by an independent security auditing team once it has fully addressed and resolved the existing vulnerabilities, to ensure the fixes have been "properly implemented."

Atomic Wallet's ERC20 token, AWC, has fallen from a high of over $2.50 in April of last year to about $0.86 Wednesday night. First launched in 2018, the token gives holders discounts on exchange services and other benefits, according to Atomic's website.


Update: February 10, 2022, 15:57 UTC: Added response from Atomic Wallet CEO Konstantin Gladych.

DISCLOSURE

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Christie Harkin is CoinDesk's managing editor of technology. She holds some bitcoin and non-material amounts of other crypto tokens.

