Safety of Yoroi, Nami, CC Vault, Wallets - Anyone looked into Code?

It seems that Cardano DeFi is imminent and I am super concerned about not having my money stolen either directly or via code exploit.

Has anyone done a coding dive into Yoroi, Nami, CC Vault, or any of the other Cardano wallets?

Hello @Gyther

In reality, most of the funds lost have nothing to do with wallet code. The majority of lost funds happen due to a security breach of the computer and/or cell phone that the wallet is on. Which makes sense, because thieves want the easiest way to get money and not to spend time learning how to hack.

Major breaches will happen with:

  • Key Loggers / Screen Capture Malware (Free downloaded apps, games, mining software are full of it)
  • Clipboard Reader Malware (NEVER copy and paste any password / recovery phrases!)
  • Remote Access Exploits (NEVER take digital pictures of your password / recovery phrase)
  • RAM Scrapers (Make your passwords random and long, otherwise they can brute force your passwords)
  • SIM Hijacking (Set up a PIN with your phone carrier and use 2FA)

With all these tools at their disposal they do not have to crack any wallets, they just take advantage of anyone not taking their security seriously, and that is a lot of people. Also, all these malware tools are already made and easily found for free online (no genius hacker needed :wink:). This doesn’t even include scams like phishing sites/email, fake giveaways, unfixable hardware flaws, etc…

If you are worried that you may not be able to provide a safe environment for your wallet, then just get a hardware wallet (as low as $50), so you can keep all these attacks away from your main stash. Keep one wallet with a small amount of ADA on your computer/phone for spending, so if someone does hack your device you will lose just a little and the major part will stay hidden in the hardware wallet. This way you get an early warning signal that something is wrong so you can change / fix the hacked device.

The best cryptographic wallet is still only as secure as the user's security habits. If you download anything without checking and all your passwords are 123456, then you can have the best wallet in the world and it will still be unsecure.

Be your own bank. Decide the level of security you need that is proportional to the amount you are investing in crypto. Then learn, implement or buy the security you need.

Hope this helps :smiley:

1 Like

I agree that these are more plausible attack vectors than problems in the code of Yoroi itself. I would add fake apps and scams (“You have to transfer the Ada to this address to stake with me!” and similar) to the list.

But do we really have statistics about the most used attack vectors? There always seem to be a lot of people who swear that they kept their seed really safe and offline, that their computer is freshly installed, that they have a very safe spending password etc. pp. and still got their funds stolen.

1 Like

Absence of proof is not proof for or against.

I heard, watched and read about 1000s of attack vectors that use machine access, hardware vulnerabilities and user failure. I have not seen or heard a single case so far that shows proof of any successful wallet crack. I did speak to many people that claimed they did nothing wrong to get hacked, but it always turned out there was something they were missing. Such as using copy and paste for passphrases / passwords, or forgetting that their phone backed up their info on a cloud so their passwords were accessible to anyone there.

The latest one I heard of was of an individual who swore that he only used that iPhone for his crypto wallets, yet they got hacked. It turned out he was using an Apple product with a chip that had a vulnerability which allowed root access to his machine. If he hadn’t taken his phone to get checked he would have never known. He was infected by using a corrupted USB-C cable that he got for free. All he did was plug the cable in, and without any interaction on his part malware gained access and deployed a keylogger.

It’s cases like this, which have an unusual vector of attack, that make people believe that it was some genius wallet hack.

However, it’s not impossible that some can do it. I have just never seen any evidence of anyone cracking a wallet. Yet, you can find 1000s of proven machine and hardware hacks… and even more user failure hacks. So 99%+ of available proof tells us we need to protect against those types of attacks first.

On the other hand, there is nothing wrong with making a team to test if they can hack the wallet or offer a bug finding reward. I believe that Charles spoke in one of his YouTube videos about having a wallet with 1 million ADA in there. So anyone who can hack into it, can keep it. This way they can test security. Not sure if anyone got that yet, or if it started yet. So, any genius hackers out there can go for a free mill. :+1:

2 Likes

I appreciate the responses. But it is also concerning that there seem to be a lot of people trusting 3rd party wallets without an investigation.