Least Authority has published a blog post to alert Atomic Wallet users to the potential risks associated with the vulnerabilities they claim to have discovered in the wallet's system design.
CoinDesk reached out to Atomic Wallet for comment but did not receive a reply at the time of initial publication. Atomic's CEO Konstantin Gladych has since responded with the following statement:
We have taken all the issues discovered by Least Authority into full account.
- For some issues, we have already released corresponding patches and notified Least about doing so.
- To implement the remaining suggestions, we will need to rework some parts of our application’s core architecture. This will take some more time as per our estimate, but we are working on it. None of those issues pose any security risks to our users, as Atomic is a non-custodial wallet and all data is stored locally on users’ devices. We are expecting to implement the rest of Least’s suggestions in Q2 2022. Once we are done, we will re-audit the application.
- Atomic Wallet has undergone two security audits so far. The other audit, conducted by DerSecur Ltd, asserted: “The application’s average security score is 4.7. This result is higher than the market average. The application can be considered secure enough, nevertheless, we recommend bringing to the attention vulnerabilities discovered during the audit and consulting with the detailed results.”
- Security is our highest priority, and we are continuously working on improving Atomic Wallet. Therefore, we have thoroughly reviewed Least’s report and will be done implementing their recommendations in full in Q2, 2022.
Least Authority was first hired to examine Atomic's system design as well as its corresponding core, desktop and mobile coded implementations in early 2021. That report, delivered to Atomic in April, concluded that there were vulnerabilities and insufficiencies that put users at "significant risk."
The research team stated that the wallet sent them a response noting their updates and improvements in November. However, after checking Atomic's remediation commits, Least Authority discovered that "a significant number of issues and suggestions remain unresolved ..."
Further attempts to work with Atomic to resolve the outstanding security issues have been unsuccessful, according to Least Authority.
Now, after 10 months of following responsible disclosure procedures, Least Authority is taking the next step in alerting Atomic's users to the potential risks associated with the vulnerabilities they claim to have discovered. In the interest of preventing malicious actors from acting on the information in the final report, the security team is not releasing the finer details of their findings.
"We hope that this disclosure of the existence of significant vulnerabilities without providing details helps to appropriately warn users without putting them at even greater risk," the blog post states.
Today marks the first time since its establishment in 2011 that Least Authority has taken this step to alert the public to unresolved security issues with a client's product.
Vulnerabilities in Atomic Wallet
Least Authority noted the following outstanding vulnerabilities in their latest audit of Atomic Wallet:
- current users are vulnerable to a range of attacks that may lead to the total loss of user funds, specifically due to the current use and implementation of cryptography;
- a lack of adherence to wallet system design and development standards and best practices;
- a lack of robust project documentation;
- an incorrect use of Electron, a framework for building desktop applications, leading to an increased risk of potential security vulnerabilities and implementation errors, as well as out-of-date and unmaintained dependencies.
The company is also calling on Atomic Wallet to conduct and publish "a full, comprehensive follow up security audit" from an independent security auditing team once they have fully addressed and resolved the existing vulnerabilities to ensure the fixes have been "properly implemented."
Update: February 10, 2021, 15:57 UTC: Added response from Atomic Wallet CEO Konstantin Gladych.