How Secure Is Your Wallet? Let’s Put It to the Test

Millions of dollars have been lost in several widely known breaches of cryptocurrency wallets. The Mt. Gox hack in 2014 led to the loss of about 850,000 bitcoins (worth about $450 million at the time), as well as the DAO hack in 2016, which resulted in the loss of about $60 million worth of ether, are two of the most noteworthy hacks. In recent times, Hackers have stolen large amounts of cryptocurrency in some instances, such as the $3.8 billion stolen in 2022.

A crypto wallet product's security is critical to ensuring users' funds' safety. Suppose a wallet product is not properly secured. In that case, it can be vulnerable to a range of attacks, including theft of private keys, unauthorized access to the wallet, and tampering with transactions.

A crypto wallet product security audit is essential in ensuring the safety and security of cryptocurrency assets. As the use of cryptocurrencies has become more widespread, the number of wallet products has increased, making it challenging for users to choose a wallet that is both easy to use and secure. This is where a security audit comes in - it can thoroughly assess a wallet product's security posture, identify vulnerabilities, and provide recommendations for remediation.

Connecting with you You must have been added to a closed group with the Auditing Team by now. You would be connected with the Project Manager and the Auditors through this dedicated channel during the process for collaboration and instant resolution. At any point, if you face any query or find a need to discuss anything - we are just a message away!

Things We Cover in the Audit Process :

• Secure Key Management
• Authentication and Authorization
• Secure Communication Protocols
• Third-party Component Security
• Key Derivation
• Access Control
• Secure Storage
• Mobile Wallet/Extension Mobile Security

We ensure your smart contract goes through all the stages, from manual code review to automated testing, before generating the Initial Audit Report. Once your team updates the code, we thoroughly scrutinise the smart contract to provide you with the Final Audit Report. Let’s dive deep into it and explore more.

Step 1 - Specification Gathering / Prepare For a Security Audit

• Gather information about the wallet product, such as documentation and source code, to understand its architecture and functionality.
• The scope of the wallet pentest security audit should be clearly defined in advance. This should include the wallet product under test, any associated mobile applications or web interfaces, and any relevant third-party components.
• This is the most crucial stage because details are key for a successful smart contract Security audit. Here is how you can prepare for it:
  • Code quality
    • Remove dead code and comments. 
    • Consistent coding style.

Use comments to document complex parts of the code and ensure these are consistent with thecoded.e

Step 2 - Vulnerability Assessment Test

The vulnerability assessment phase involves testing the wallet product for vulnerabilities. This may include:

• Testing the authentication and authorization mechanisms to identify any weaknesses or vulnerabilities.
• Testing the input validation mechanisms to identify potential injection attacks, such as SQL injection or cross-site scripting (XSS) attacks.
• Testing the key management process to identify any weaknesses or vulnerabilities in the key derivation process or backup key management.
• Testing the cryptography mechanisms to identify any weaknesses or vulnerabilities in the encryption algorithms or key sizes.
• Testing the network security measures, such as firewalls or intrusion detection systems (IDSs), to identify potential weaknesses or vulnerabilities.
• Testing the mobile application or web interfaces to identify potential vulnerabilities or weaknesses in the user interface.

Step 3 - Exploitation Phase

The exploitation phase involves attempting to exploit any identified vulnerabilities. This may include:

• Attempting to bypass authentication or authorization mechanisms.
• Attempting to inject malicious code or commands into the wallet product.
• Attempting to steal sensitive data, such as private keys or transaction data.
• Attempting to launch denial-of-service (DoS) attacks against the wallet product or associated services.

Step 4 - Testing Over Various Attacks

• Improper Platform Usage
• Insecure Data Storage
• Insecure Communication
• Insecure Authentication
• Insufficient Cryptography
• Insecure Authorization
• Client Code Quality
• Code Tampering
• Reverse Engineering
• Extraneous Functionality
• Indirect Object Reference
• Functionality Abuse
• Business Logic
• Wallet Seed Phrase Protection
• Previous attack exploits
• Transfer of tokens from and in the application
• Rate Limit Issues and Brute-forcing

Step 5 - Testing with Automated Tools

• Burp Suite
• Frida
• Nmap
• Metasploit
• Horusec
• Postman
• Netcat
• Nessus and many more.

Step 6 - Initial Audit Report

The reporting phase involves documenting the audit results and providing recommendations for improving the security of the wallet product. This may include:

• Creating a detailed report outlining the audit findings and recommendations for remediation.
• Prioritizing the vulnerabilities based on severity and potential impact.
• Providing guidance on how to address each identified vulnerability, including recommendations for software patches or configuration changes.
• Delivering the report to the Client Team.

How can you help? 
You have to prepare an 'Updation Summary' or 'Comment Report' carrying details of the changes you've made after getting the IAR; this would help us identify the changes and test them rigorously.

Step 7 - Final Audit Report

After initial audit fixes, the process is repeated, and the Final Audit Report is delivered. There is a possibility that even after the fixes you've made, some issues are still not resolved, and/or those changes have led to a few more issues.

So, after receiving the Final Audit report, you have to take a call (based on the severity table containing the unresolved issues) on whether to alter the code again or to move forward as it is.

Step 8: Quill Vigilant Squad*

Following the completion of the second audit review, the Fixed codebase, along with the comprehensive audit report, will be formally delivered to our dedicated Vigilant Squad. This elite team is comprised of world-class security researchers, each possessing extensive experience and expertise in identifying and analyzing vulnerabilities within complex systems. The Vigilant Squad will undertake a meticulous and in-depth review of both the codebase/Dapp itself and the accompanying report. They will dedicate their full time and resources to this critical task, leveraging their specialized skills to proactively search for and uncover any potential security issues, however subtle they may be. In the event that the Vigilant Squad discovers any vulnerability, security flaw, or other issue, we will be notified immediately, ensuring swift action can be taken to mitigate any potential risks.

How you can help? 
You have to prepare an 'Updation Summary' or 'Comment Report' with details of the changes in case, if you get any New issues from our side; this would help us identify the differences and test them rigorously.

Step 9 - Delivery

After getting the green light from the previous step, we send the report to our designers to generate a PDF version of the Audit Report, displaying all the necessary details of the auditing process.

Sample Audit Report - Oron Wallet

Then, the report is uploaded to our official GitHub Repository, after which we share the link to the Audit Report and Certificate of Compliance from QuillAudits.

Step 10 - Post-Audit

After the Final Audit Report, we take your project in front of the masses through:

Social Media Announcements

• As per your requests, we will make an audit announcement from our social media handles to mark the completion of the Audit.

LinkedIn - X (Twitter) - Telegram - Reddit - Medium

The completion of this step totally depends on the calendar availability of our marketing team. Therefore, this step might take some time to complete.

• Access to QuillAudits Ecosystem (Exchanges, IDO, KYC, Incubators, VC Partners)

AMA Sessions

• Expert auditors explain the nuances of the Audit Report.
• Q&A and direct interaction with your audience to build trust in your project.

Niche Targeted PR Services

• Articles & guest posts in renowned publications.
• Cross-platform promotions to give more exposure to the project.

Organize Product Launches, Community Meetups etc.

• QuillAudits team will help you in your product launch in India.
• Set up community meetups, product workshops, and web3 events for you.
• QuillAudits expert team and partners will take care of everything from content creation to marketing and event location to event coordination.

• Delivery of initial report within the agreed timeline (considering a margin of ±2 days due to unforeseen circumstances)
• Reviewing the final version of the code before concluding the audit.
• Following the complete audit process, i.e., Manual Review, Functional Testing, Automated Testing, and Reporting bug findings.
• Publishing Audit Report and making post-audit announcements based on agreed-upon terms.

• A working test suite (all tests written are executable) covering at least 90% of the project code and edge-case scenarios.
• Structured code following reasonable naming conventions and consistent coding style.
• Well-documented contracts/functions and updated whitepaper
• Fixing issues from the initial bug-finding report and providing detailed comments, stating what fixes have been implemented to the concerned issues.
• Reviewing the final report so that QuillAudits can conclude the audit.

QuillAudits is a leading blockchain security firm with 7 years of experience, securing $30B in TVL with multi-layered audit framework, across 1400+ projects in DeFi, GameFi, NFT, Gaming, and all blockchain layers.

Our senior auditors conduct line-by-line code reviews, combining manual & AI-driven audits for smart contracts on 20+ chains including Ethereum, BSC, Arbitrum, Algorand, Tron, Polygon, Polkadot, Fantom, NEAR, & Solana. We also offer token risk assessments & real-time monitoring tools to fortify Web3 security. 

Beyond audits, we’ve hosted 50+ global events and 300+ workshops to educate and support the Web3 community.