Digital Wallet Industry Security Report - tokeninsight.com Feb 2019
Digital Wallet Industry
Security Report
tokeninsight.com
bd@tokeninsight.com
Feb 2019
Digital Wallet Security Report
Preface
At this current stage, about 340 digital wallets have come to exist in the market. Due to differences in
product form, private key storage mechanism, and data retention integrity, they may exhibit different
features in different use-cases. These features may become vulnerabilities in certain circumstances
and cause digital wallets to be attacked. Once a security issue arises, users' digital property may be
stolen, and because of the particularities associated with the structure of digital currencies, stolen
assets become very difficult to recover; this is why wallet security is so important.
TokenInsight Inc. has conducted research and analysis on the overall developments of the wallet
industry, the structural characteristics of different wallet projects, and user security by
researching, testing, and reviewing the data of nearly 120 wallet projects. From December 2018, our
organization has set out to build a complete system and framework of industry-wide security risk
classifications and performance evaluation models. We hope this report will provide useful
suggestions for wallet users and project developers.
TokenInsight pays close attention to the development of the wallet industry. At present, we have
completed the evaluation of nearly 120 wallet companies on an international scale. Our organization
has already covered the list of leading projects for different types of wallets such as hardware wallets
and software wallets. The data in this wallet security report comes from our TokenInsight database, the
projects themselves, and publicly available data, providing solid support for the empirical research of
the wallet industry.
GLOBAL TOKEN & RATING AGENCY
Table of Contents
1. Executive Summary
2. Industry Overview
2.1 Wallet Overview
2.2 Overview of the Wallet Security Industry
3. Technical Risks
3.1 Carrier Risks
3.2 Private Key Storage Risk
3.3 Network Protocol and Login Risks
3.4 Trading Risks
3.5 Asset Transfer Risks
4. Artificial Risks
4.1 Supply Chain Risks
4.2 Privilege Chain Risks
5. Security Industry Outlook
5.1 Expansion of the Security Auditing Business
5.2 The Rise of Compatibility Wallets
5.3 A Stumbling Block to the Asset Management Business
6. Appendix
Ⅰ. Executive Summary
1. As of December 2018, there are more than 340 wallet projects, an increase of approximately 30%
compared with 2017, while the number of wallet users exceeded 34 million. As of the second quarter
of 2018, user growth rates were over 10%, but the growth rate in the third quarter of 2018 fell to 7%.
According to Google Trends, global attention towards the digital industry peaked in January 2018,
but then fell rapidly after February and remained steady through the year.
2. In terms of security incidents, hardware wallets have seen many problems in dealing with remote
transaction attacks, supply chain security and preventing brute-force attacks, while software
wallets were more affected by phishing attacks on access pages and private key leaks. In 2018, the
loss caused by wallet security problems totaled about $1.2 billion. By risk classification, the main
problems seen in the wallet security field can be classified into technical risks and artificial risks.
3. Technical security issues involve the following aspects: carrier risk, private key storage risk,
webpage hijacking risk, login risk, transaction risk, asset transfer risk, etc. The risk of webpage
hijacking includes HTTPS man-in-the-middle hijacking and DNS hijacking. Solving this problem requires
the user and the project side to work together. At present, the two-factor defense set by
the project party has different defense capabilities due to different technical specifications, and the
transaction risk is still an urgent problem to be solved.
4. Besides the security threats caused by technology, the security risks faced by digital wallets
also include the risks brought by the manual operations of different wallets due to
business needs, including supply chain risks and privilege chain risks. At present, the industry has
had effective control of supply chain risks; the privilege chain risk is caused by the centralized
storage of the wallet, which points to the operational risk of internal staff. At present, there is no
effective control method for the privilege chain risks caused by problems such as private key
control and manual transfer.
5. In terms of development prospects in the security field, the demand for and depth of the wallet
security review business will further increase due to the increase in wallet projects in 2019 and
the unsound security review framework. As new users will increase in 2019 and the security
requirements of the wallet are different at different stages, it is estimated that wallets supporting
the centralized storage & decentralized storage architecture will be favored by the market. With the
rapid growth of the wallet asset management business, the reliance of the underlying centralized
private key storage architecture on the manual management system will be further increased. If
such artificial risks cannot be effectively controlled, the security risks of the digital assets stored in
the centralized wallet will be amplified and eventually hinder the development of the digital asset
management business.
Ⅱ. Industry Overview
More than 80 new projects were established in 2018, which increased by about 30% compared to 2017.
In the field of wallet security, the loss caused by security vulnerabilities in the use of wallets in 2018
was about $1.2 billion. The security incidents were relatively concentrated in the leading projects with
large users and digital asset storage.
2.1 Wallet Overview
‣ Graph 2-1 Global digital wallet growth
Source: TokenInsight
[Bar chart: number of new projects per year, 2014 to 2018]
In 2018, the number of wallet projects increased by about 80, and the total number of projects
reached about 340. The increase was lower than in 2017 but still higher than in 2016 and before.
‣ Graph 2-2 Geographical distribution statistics of wallet global search trend
Source: TokenInsight, Google Trends
[Map: search interest for "cryptocurrency wallet" in 2018, by country]
From the perspective of the global distribution of wallet search trend, most of the countries with high
attention to the wallet are located in Africa, Oceania and North America. Singapore has also entered
the top 10 of attention.
2.2 Overview of the Wallet Security Field
The chart below shows several serious security attacks on the wallet recently (since the focus is on
the security analysis of the wallet's technical architecture, the following incidents do not include the
theft caused by the attack on the exchange).
‣ Graph 2-3 Statistics of wallet projects that suffered security attacks
Source: TokenInsight
2017 Nov: Ethereum wallet Parity had a system bug; the developer started the emergency mechanism and users' assets were frozen
2017 Dec: Bitcoin hardware wallet Trezor exposed security vulnerabilities; developers launched emergency mechanisms to upgrade wallet firmware
2018 Jan: The Intel chip vulnerability incident continued to ferment, triggering mass panic over software wallets
2018 Feb: Cryptocurrency hardware wallet Ledger, which got 75 million dollars in its B round financing, was exposed to vulnerabilities
2018 Apr: MyEtherWallet had a security incident and hackers stole at least $13,000 in two hours
2018 Aug: The Bitfi hard wallet project, a Bitcoin wallet developed by John McAfee, was broken
2018 Nov: Bitpay wallet had problems when using third-party services; the project side recommended that users transfer assets
2018 Dec: A group at the Chaos Communications Congress claimed to have mastered the method of cracking most hardware wallets and demonstrated it
2019 Jan: Hackers stole $750,000 worth of bitcoin using Electrum wallet vulnerabilities
Since the beginning of 2017, the security attacks on and doubts about wallets have had two
characteristics: real-time and wide-ranging. Whether it is a hardware wallet or a light wallet, security
holes are inevitable. Some wallet projects were attacked just after they entered the market, reflecting
that the digital wallet market is currently in the initial stage of technology or management in the
security field. The architectures of various security audits and parameter standardization have not
been established.
‣ Graph 2-4 Comparison between wallet vulnerability loss and exchange vulnerability loss
Source: TokenInsight
[Chart: wallet vulnerability loss and exchange vulnerability loss per year, 2013 to 2018; y-axis: loss amount (100 million yuan)]
Due to their different internal architectures, wallet projects have large differences in storage methods
and business modules. Regardless of the type of wallet, there are different levels of security risks in
terms of private key storage and transaction security. The loss caused by wallet vulnerabilities in
2018 was about $1.2 billion, 1.4 times the loss of the exchange in 2018.
‣ Graph 2-5 Classification of wallet risk vulnerability
Source: TokenInsight
Technical Risks: Carrier Risk, Private Key Storage Risk, Network Protocol Risk, Login Risk, Trading Risk, Asset Transfer Risk
Artificial Risks: Supply Chain Risk, Authority Chain Risk
After conducting data research on nearly 120 projects in the wallet industry, TokenInsight found that
the security problems that arise in the use of wallets mainly include technical risks and artificial risks.
The technical risks can be divided into carrier risk, private key risk, network risk, trading risk, login risk
and asset transfer risk; the artificial risks include supply chain risk and privilege chain risk.
Ⅲ. Technical Risk
According to the time of storage and transaction of digital assets,
technical risks involve the following aspects: carrier risk, private key
storage risk, network protocol risk, login risk, transaction risk, asset
transfer risk, etc.
3.1 Carrier Risk
By product form, wallets can be classified into hardware wallets and software wallets. The carrier of
the hardware wallet is a physical device with a dedicated encryption chip, and the private key is stored
in a protected area within the device. Taking Ledger as an example, its structure is composed of a
security encryption chip, a display screen, a push button, etc. In addition to the basic private key
storage and transaction functions, the wallet has detailed functions such as PIN verification, seed
repair, and transaction initiation confirmation. Hardware wallets account for about 24% of the
wallet projects in the market; the rest are software wallets. Generally, the security level of the
hardware wallet security encryption chip is required to reach CC EAL4 (that is, the financial encryption
chip standard). According to TokenInsight statistics, projects that meet CC EAL4 and above account
for about 65% of the total projects. The failure of the security encryption is one of the reasons for the
security problems in the use of the wallet.
‣ Graph 3-1 Comparison of the number of wallets
Source: TokenInsight
Hardware wallets: 24%
Software wallets: 76%
‣ Graph 3-2 Comparison of the security level of hardware wallet encryption chip
Source: TokenInsight
Does not meet the financial encryption chip standard: 35%
Meets the financial encryption chip standard: 65%
‣ Graph 3-3 Statistics of chip implementation standard for wallets with eligible secure encryption levels
Source: TokenInsight
[Bar chart: quantity of wallets per chip standard; x-axis labels as printed: CC EAL4+, CC EAL5, CC EAL5 +, CC EAL5+, CC EAL6]
Note: CC (Common Criteria) is the result of the unification of various existing standards by the
International Organization for Standardization and is the most comprehensive evaluation criterion at
present. CC divides the evaluation process into two parts: function and assurance. The evaluation
level is divided into seven levels: EAL1, EAL2, EAL3, EAL4, EAL5, EAL6 and EAL7.
According to the Top10 samples of TokenInsight's 2018 Most Valuable Wallet - Hardware Wallet List (see
Appendix for details), 70% have a processing chip that reaches the required security level. Trezor's
Model T, One and KeepKey do not use financial-grade security encryption chips; the rest are all up to
standard. This reflects that in the digital wallet market, especially in the hardware wallet market, there
is currently no agreement on industry standards, and parameter normalization is still one of the
problems that the digital wallet industry needs to solve.
‣ Graph 3-4 Software wallet forms
Source: TokenInsight
Software wallet forms: PC, Mobile, Web
The other type is the software wallet, which basically has three forms: PC, Mobile, and Web. Since
computers and mobile phones are not professional encryption devices, it is generally considered that
the carrier security of the PC wallet and the mobile wallet is lower than that of the hardware wallet; the
Web wallet is considered to be less secure due to the need for frequent connection with the network
during operation.
Therefore, it is generally considered that the security of the carrier is: hardware wallet > PC / Mobile
wallet > Web wallet.
3.2 Private Key Storage Risk
Wallet private key management is the core of digital asset security. The essence of the wallet is to
help users manage and use the private key conveniently and securely. Wallets can be classified into
two types according to the storage method of the private key: centralized and decentralized.
In the decentralized wallet, the private key is kept by users and will not be uploaded to the database of
the wallet project party. The centralized wallet means that the private key is centrally managed by the
project party. The latter's financial risk will be more concentrated in the wallet project side, and its
centralized server becomes a target of attack more than the decentralized wallet does.
Therefore, from this perspective, it is generally considered that the wallet private key is safer in
decentralized storage.
‣ Graph 3-5 Centralized wallet private key management mode
Source: TokenInsight
Private key of user 1, private key of user 2, private key of user 3 -> upload to project side server for unified management
‣ Graph 3-6 Decentralized wallet private key management mode
Source: TokenInsight
Private key of user 1 -> local storage
Private key of user 2 -> local storage
Private key of user 3 -> local storage
‣ Graph 3-7 Comparison of the number of wallets with different storage methods of private key
Source: TokenInsight
Centralized wallets: 21%
Decentralized wallets: 79%
At present, the proportion of decentralized wallets is higher than that of centralized wallets, and about
79% of wallets are decentralized wallets. It reflects the consensus among digital wallet users that
decentralized wallets offer higher security.
‣ Graph 3-8 Comparison of numbers of open-sourced wallets
Source: TokenInsight
Wallets that are not open source: 40%
Open source wallets: 60%
‣ Graph 3-9 2018 Most Valuable Wallet - Light Wallet - China list of partial evaluation data
Source: TokenInsight
China-SPV/centralized
Cobo Qbao Kcash MEET.O Secry imToken Token Math
Name BitKeep Bitpie
Wallet Network Wallet NE pto Wallet Pocket Wallet
Open source
× × × × × × √ ×
√ √
In addition, the user's private key generation operations and transactions may be recorded and
obtained by other users, and the core code of the wallet may be reverse engineered to trigger such an
attack. In order to build users' trust and accelerate the algorithm upgrade of the product, some
project parties choose to open source the program and upload the code to GitHub or other communities
to publicize it.
Apart from the potential risk of being attacked due to program vulnerabilities and failure to upgrade
in time, open-sourcing the project's code is beneficial for the secure storage of users' digital
assets in the long term. According to TokenInsight's 2018 Most Valuable Wallet - Light Wallet - China
List (see Appendix for details), 30% of the projects in the Top10 are open-sourced, while in the
statistics of nearly 120 wallet projects at home and abroad, the open source ratio is 60%, and the
web-side wallet accounts for the majority.
Note: The open source program here refers to the core code and related programs that constitute the
wallet architecture. A wallet is considered partially open source when the published program is not
compilable.
3.3 Web Hijacking Risk and Login Risk
Most digital asset transactions require a network connection. Users may suffer from phishing
attacks due to HTTPS hijacking and DNS hijacking. [1] It is not uncommon for users of centralized
exchanges to suffer losses due to HTTPS hijacking and DNS hijacking. There are two precautions
against this:
1) Collect and safekeep the link address of the wallet to reduce the possibility of entering a fake
website.
2) A professional firewall can be used to intercept and filter phishing websites on the network.
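Precaution 1) can be enforced mechanically. The following is an added example, not code from the report or from any wallet project: it compares a link against the user's saved wallet addresses before it is opened. The function name `check_wallet_url`, the reason strings and the hosts `wallet.example` and `evil.test` are constructed for illustration.

```python
from urllib.parse import urlsplit


def check_wallet_url(url, saved_hosts):
    """Return the reasons a link should not be trusted.

    An empty list means the link uses HTTPS and its host is exactly one of
    the addresses the user saved earlier (hypothetical helper).
    """
    problems = []
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # hostname is lower-cased
        has_userinfo = parts.username is not None or parts.password is not None
    except ValueError:
        return ["unparseable-url"]

    if parts.scheme != "https":
        problems.append("not-https")
    if has_userinfo:
        # In "https://wallet.example@evil.test/" the real host is evil.test.
        problems.append("userinfo-in-url")
    if not host:
        problems.append("no-host")
        return problems

    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        problems.append("invalid-hostname")
        return problems
    labels = ascii_host.split(".")
    if ascii_host != host or any(label.startswith("xn--") for label in labels):
        # Look-alike characters from other alphabets end up as punycode.
        problems.append("non-ascii-hostname")
    if ascii_host not in saved_hosts:
        problems.append("host-not-in-saved-list")
    return problems


# Constructed sample data: one saved address and a few links to check.
SAVED_HOSTS = {"wallet.example"}
SAMPLE_LINKS = [
    "https://wallet.example/login",
    "http://wallet.example/login",
    "https://wallet.example@evil.test/login",
    "https://wallet.example.evil.test/login",
    "https://w\u0430llet.example/login",  # Cyrillic "а" instead of Latin "a"
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link.encode("unicode_escape").decode(), check_wallet_url(link, SAVED_HOSTS))
```

The check only covers the saved-address precaution; certificate validation by the browser or client is still what detects a hijacked connection to the correct host name.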
‣ Graph 3-10 Reasons analysis for users' webpage hijacking
Source: TokenInsight
[Diagram: analysis of the reasons for webpage hijacking, divided into user's reasons and project side
reasons: browser problem, unverified domain name, unverified server certificate, expired server certificate]
‣ Graph 3-11 Comparison of the number of wallets with or without two-factor verification login
Source: TokenInsight
Without two-factor verification: 42%
With two-factor verification: 58%
Two-factor verification proves the identity of the visitor through two independent and unrelated
pieces of evidence. Using this technology in the login phase can improve the security of the user's
digital assets. Currently, wallets with this function account for about 42% of the industry projects.
Most of the project parties use the dynamic password provided by Google plus the user's original login
password as the two-factor verification architecture. However, this technology may fail in the face of
sender ID spoofing attacks, so users should develop good security awareness to deal with such
attacks. [2]
1. The webpage hijacking risk refers to the attack the user might suffer during interaction with the data
network when using the wallet if the user does not verify the certificate of the access address or the
certificate has expired. In the process, hijackers steal access data, which can ultimately put the user's
digital assets at risk of loss.
2. In the sender ID spoofing attack, the attacker fakes the official identity of Google to send emails to the user
to obtain private information such as the dynamic password, and finally logs in as the user. This type of attack
is extremely harmful for some wallets with low security defense capabilities.
3.4 Trading Risk
The transaction requires a private key signature for authorization, including multiple signatures and
single signatures.
Single signature means that only one user has a private key and has full autonomous trading rights.
In the multi-signature mode, a digital asset is managed by multiple people, and at least a minimum
threshold number of private key holders must sign with their private keys. For client wallets that are
less encrypted than hardware wallets, the multi-signature mode has the advantage of reducing
individual risk and improving the security of digital asset transactions. According to statistics, wallets
that support multi-signatures account for 31% of client wallets.
‣ Graph 3-12 Comparison of the number of wallets with or without multi-signature
Source: TokenInsight
Supports multi-signature: 31%
Does not support multi-signature: 69%
‣ Graph 3-13 2018 Most Valuable Wallet - Light Wallet - Overseas list of Top10 evaluation data
Source: TokenInsight
Overseas-SPV/centralized
Freewallet HB Coinbase Copay Bitcoin Trust Green Bread
Edge Citowise Uphold
Name Series Wallet Wallet Wallet Wallet Address Wallet
Multi-signature √ × × √ √ × × × √ ×
According to the Top10 (see Appendix) projects in the 2018 Most Valuable Wallet - Light Wallet -
Overseas list published by TokenInsight, the proportion of projects supporting multiple signatures is
low. Although the multi-signature mechanism is currently more secure than single-signature, it is more
widely used for large-scale managed projects or enterprise-level customization, and the technology is
not yet popular for individual users.
‣ Graph 3-14 Wallet multi-signature usage scenario analysis
Source: TokenInsight
Multi-signature usage scenarios: large-scale managed projects asset management, enterprise digital asset management, centralized exchange asset management
For individuals troubled by the high cost of using the multi-signature mechanism, the "private key +
transaction password" mode offers an alternative solution to reduce the trading risk. In addition to the
private key, users also need to input a password to confirm and complete the transaction of a digital
asset. BitKeep Wallet has adopted the DESM algorithm based on a SHA256 + AES256 + cloud
authentication encryption system to double encrypt the user's single-signature wallet. Using the
single-signature mechanism with a private key plus a second confirmation with a password can greatly
reduce the trading risk.
‣ Figure 3-15 Wallet transaction secondary confirmation password usage specification
Source: TokenInsight
Transaction secondary confirmation password usage: PIN (fixed string), dynamic instruction (one-time password), user-specific information (fingerprint, etc.)
In terms of usage specifications, the current secondary confirmation mechanism adopted by the
wallet industry uses fixed strings, dynamic passwords, and user-specific attribute verification. From
the perspective of cryptography, it is generally considered that user-specific attribute verification has
a higher security level. For example, Math Wallet uses biometric security authentication technologies
such as fingerprints and face recognition for large-value transfers.
According to TokenInsight's incomplete statistics, the wallet industry has a large number of projects
using fixed strings in the transaction secondary confirmation password usage specification, and the
number of projects using the user-specific attribute verification method is the least. The technical
specifications adopted by the wallet industry to reduce transaction risk remain to be unified.
3.5 Asset Transfer Risk
When a mobile device or hardware wallet carrying a client wallet is lost, it may result in the loss of
digital assets. Since the general mobile device does not have a professional encryption function, the
probability of theft of digital assets is large. The hardware wallet generally has a function for resisting
brute force cracking. For extreme situations, some hardware wallets have a self-destruction module
triggered by violent disassembly, that is, the data is destroyed before the illegal visitor obtains the
private key. Wallets of this kind account for about 9% of hardware wallets; the current popularity is not
high.
‣ Graph 3-16 Number of hardware wallets that support self-destruction
Source: TokenInsight
Supports self-destruction on brute force cracking: 9%
Does not support self-destruction on brute force cracking: 91%
‣ Graph 3-17 Number of wallets that support different BIP protocol standards
Source: TokenInsight
Supports BIP-44: 86%
Supports BIP-39: 14%
Another way to safely transfer digital assets after the terminal is lost is to use the HD (Hierarchical
Deterministic) wallet mentioned above. The specific implementation standard is the BIP protocol
series. The complicated technical operation can be simplified by the BIP protocol. BIP protocols for
mainstream wallets include BIP-39 and BIP-44.
Simply speaking, the protocol can turn a complex private key into a mnemonic, basically in the form of
24 (or at least 12) words + a passphrase (which may be empty), and the user backs up the generated
mnemonic. If the wallet is lost, the digital asset can be safely transferred using a BIP wallet of the
same standard.
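Why a backed-up mnemonic is enough to move assets to a replacement wallet, as an added example that is not code from the report: BIP-39 stretches the mnemonic and optional passphrase into a 64-byte seed, and BIP-44 fixes the derivation path, so any wallet following the same standards arrives at the same keys. The sketch goes one step beyond the text by including the BIP-32 master-key step; the function names are assumptions, the mnemonic is the public all-zero-entropy test phrase, and checksum validation is left out because it needs the 2048-word list.

```python
import hashlib
import hmac
import unicodedata

PBKDF2_ROUNDS = 2048  # iteration count fixed by BIP-39

# Public BIP-39 test phrase (all-zero entropy); never use it for real funds.
TEST_MNEMONIC = "abandon " * 11 + "about"


def mnemonic_to_seed(mnemonic, passphrase=""):
    """BIP-39: PBKDF2-HMAC-SHA512 over the words, salted with "mnemonic" + passphrase."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), PBKDF2_ROUNDS, 64
    )


def master_key(seed):
    """BIP-32: split HMAC-SHA512("Bitcoin seed", seed) into key and chain code.

    A real wallet also rejects the (negligibly rare) key that is zero or not
    below the curve order; that check is omitted here.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def mnemonic_strength(word_count):
    """Return (entropy_bits, checksum_bits) for a BIP-39 mnemonic length."""
    if word_count not in (12, 15, 18, 21, 24):
        raise ValueError("BIP-39 mnemonics have 12, 15, 18, 21 or 24 words")
    total_bits = word_count * 11          # each word encodes 11 bits
    checksum_bits = total_bits // 33      # one checksum bit per 32 entropy bits
    return total_bits - checksum_bits, checksum_bits


def bip44_path(coin_type, account=0, change=0, index=0):
    """BIP-44 path m/44'/coin_type'/account'/change/address_index."""
    return f"m/44'/{coin_type}'/{account}'/{change}/{index}"


def recover(mnemonic, passphrase=""):
    """What a replacement wallet recomputes from the user's backup."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    key, chain_code = master_key(seed)
    return {"seed": seed.hex(), "master_key": key.hex(), "chain_code": chain_code.hex()}


if __name__ == "__main__":
    lost_device = recover(TEST_MNEMONIC)
    new_device = recover(TEST_MNEMONIC)
    print("same keys on replacement wallet:", lost_device == new_device)
    # With a passphrase the same words lead to a completely different wallet,
    # so the written backup alone does not reveal the keys.
    with_phrase = recover(TEST_MNEMONIC, "constructed-passphrase")
    print("passphrase changes the wallet:", with_phrase["seed"] != lost_device["seed"])
    print("12 words:", mnemonic_strength(12), "24 words:", mnemonic_strength(24))
    print("first Ether address path:", bip44_path(60))
```

The passphrase is part of the backup: the words without it recover a different, empty wallet.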
‣ Graph 3-18 Private key anti-brute force architecture supported by mainstream wallets
Source: TokenInsight
Private key + PIN: hardware wallet biometric confirmation, mobile transaction secondary password, Web transaction secondary password
In addition to using the HD (Hierarchical Deterministic) wallet to secure the transfer of assets when
a wallet is lost, the wallet will also include a secondary transaction confirmation password in the
program. Generally, it is a PIN or a user-specific information attribute (such as a fingerprint). This
module can slow down the cracking of the private key when the wallet is lost, and buys
time for the secure transfer of users' digital assets. Once the wallet's anti-brute force module is
broken and the user's private key is stolen, the digital asset is considered to be lost.
‣ Graph 3-19 Comparison of wallet features using ordinary and contract addresses
Source: TokenInsight
HD wallet architecture + Ordinary address storage = Simplified trading process + Safe transfer of assets
HD wallet architecture + Contract address storage = Simplified trading process + Reduced risk of theft + Safe transfer of assets
In order to solve the problem that the broken login PIN of wallets without secondary protection can
easily cause security issues, it is also possible to use the blockchain's own framework technology to
perform secondary asset encryption, so that the user can control the digital assets more strongly. For
example, if the ETH is stored by using the smart contract address instead of the ordinary address, both
the private key signature and a separate password are required to invoke the contract each time the
ETH is transferred out, and the transaction will be successful only when both are provided.
The scheme is currently in use at the EtherSafer wallet project, which features low cost and a high
level of security. The secure storage of ETH wallets using the contract address can effectively reduce
the risk of theft of the users' digital assets.
IV. Artificial Risks
Among the security risks of digital asset storage and transaction, in
addition to the security threats caused by technology, there are also
risks brought by the manual operation of different wallets due to
business needs, including supply chain risk, authority chain risk, etc.
4.1 Supply Chain Risk
Supply chain risk is particularly evident in the security threat of hardware wallets. As a physical
product, on its way from the production of the enterprise to the use of the user, the hardware wallet
may experience problems such as product damage and firmware tampering caused by that
process. The supply chain risk management methods currently used by project sides engaged in
hardware wallet production generally are: 'logistics security guarantee' + 'initial verification'.
Note: Usually the meaning of supply chain risk refers to materials flowing through the supply chain
from production and distribution enterprises to users, generating different flows such as business,
logistics and information flow, involving many processes such as distribution processing, storage,
packaging, transportation, loading and unloading, distribution and information processing. Any risk
caused by problems in these links is called supply chain risk.
‣ Graph 4-1 Number of wallets that support logistics security guarantee
Source: TokenInsight
Does not support logistics security guarantee: 20%
Supports logistics security guarantee: 80%
We can see from Graph 4-1 and 4-2 that 80% of the hardware wallet projects support logistics
security guarantee in response to supply chain risks. The main approach is to monitor their own product
links and coordinate with the logistics chain. 90% of the hardware wallet projects support initial
verification, and most project parties are already taking measures to control the risks. The project
parties who are pursuing the user experience have also adopted some special methods, such as
peer-to-peer logistics, which can reduce the supply chain risk further. Overall, the digital wallet industry
has achieved initial success in supply chain risk management and control.
‣ Graph 4-2 Number of wallets that support initial verification
Source: TokenInsight
Supports initial verification: 90%
Does not support initial verification: 10%
‣ Graph 4-3 Hardware wallet comprehensive ranking Top10 list
Source: TokenInsight

| Ranking | Hardware Wallet Name | Overall Rating |
|---|---|---|
| 1 | Blue | 11.7 |
| 2 | Model T | 9.8 |
| 3 | Nano S | 9.7 |
| 4 | KeepKey | 9.5 |
| 5 | ONE | 9.4 |
| 6 | BEPAL Q | 9.3 |
| 7 | Digital Bitbox | 9.1 |
| 8 | Bepal Pro S | 9 |
| 9 | BiPal | 8.7 |
| 10 | Keywallet Touch | 8.3 |
In TokenInsight's 2018 Most Valuable Wallet - Hardware Wallet List (see Appendix for details), there are 22 wallets from 16 companies at home and abroad, including (Ledger) Blue with a comprehensive ranking of 11.7 points at the top of the list and BEPAL-Q ranking top in China with a score of 9.4 points, ranking sixth overall.
4.2 Privilege Chain
In many centralized wallets, in addition to physical chains (usually hardware wallets or full-node wallets) that can implement asymmetric encryption algorithms, there are also privilege chains (usually management systems composed of staff) that control transactions, time, amount, etc. This is shown in the following graph of the managed system designed by InVault: the off-net storage room can be regarded as the physical chain, and the network storage room can be regarded as the privilege chain. Centralized exchanges and trustee institutions engaged in large-scale custody services generally use such structures for digital asset management.
‣ Graph 4-4 Centralized wallet physical chain + privilege chain schematic
Source: TokenInsight
[Diagram labels: Privilege chain contacts physical chain; Use the physical chain for operation; Authorize the privilege chain for transfer; Confirm the transaction, withdraw the privilege chain]
‣ Graph 4-5 Centralized wallet physical chain + authority chain structure example
Source: InVault
The physical chain and the privilege chain are isolated from each other in the architecture design. After being authorized, both sides can contact and operate. When the transaction is over, the two sides are again isolated. However, the privilege chain actually has absolute control over the physical chain. Once a problem occurs in any dimension such as the time, object or amount of the transaction, the users' digital assets may be threatened or damaged.
‣ Graph 4-6 Privilege chain risk incidents as a percentage of centralized wallet security incidents
Involving privilege chain risk: 40%
Not involving privilege chain risk: 60%
In addition to physical chain risks, the asset security of a centralized wallet is also subject to the artificial risks of the privilege chain. This is particularly evident in the asset losses suffered by the centralized exchanges. According to statistics, about 40% of the centralized wallet losses in 2018 were related to privilege chain risks. In February 2019, the founder of the QuadrigaCX Exchange went missing (currently the Indian government has provided a death certificate), resulting in the loss of $195 million of the exchange's digital assets, which pushed the risk of privilege chains to the forefront of the digital wallet hosting security problems. Because the privilege chain risk is uncontrollable, it has become a difficult problem for asset security in the industry.
5. Security Field Outlook

In view of the industry development trend and the above-mentioned problems, it is currently believed that the hotspots in the security field of the wallet industry in 2019 will focus on the improvement of the security audit system, the development of wallets based on the security architecture, and the management of artificial risks of wallet asset management businesses.

5.1 Expansion of the Security Audit Business

With the development of the wallet industry, the market will further expand. According to statistics, the creation time of existing wallets was initially concentrated in 2013. As of December 2018, the number of digital wallet projects has accumulated to more than 340, an increase of about 30% compared with 2017.
‣ Graph 5-1 Number of global digital wallet projects
Source: Statista
[Chart: number of projects (y-axis, 0 to 400) by year (x-axis, 2013 to 2018)]
In terms of the growth rate of wallets, 2017 increased by about 62% compared with 2016, which was higher than ever before. Although the growth rate in 2018 slipped down, it is still much higher than the year before 2017. This reflects that the digital currency market is currently of a certain size. It is expected that the mainstream wallet projects will increase by at least 20 in the global market in 2019.

The original wallets are also actively expanding and adding new services. For example, Ledger, Xapo and other wallet companies focusing on secure storage have begun to deploy emerging businesses such as digital asset custody and asset management. Both the depth and breadth of the wallet industry itself are growing rapidly.
At present, all security reviews of wallet projects on the market have the following categories:

The first category is the technical risk security review. The current security review is based on the following: carrier risk review (system vulnerability scanning, new user registration security, carrier environment detection, client integrity detection), private key storage risk review (mnemonic creation security, mnemonic storage security, private key generation security, private key storage security, locally stored data sensitivity detection), network protocol risk review (network proxy detection, certificate verification in HTTPS communication), login risk review (user information security, private key import security, transaction password security), transaction risk review (transaction creation security, transfer address security detection, transaction signature security, transaction confirmation, balance inquiry accuracy) etc.
‣ Graph 5-2 Various wallet security audit businesses
Source: TokenInsight
[Diagram: audit items shown for the hardware wallet, PC wallet and mobile wallet security audits: chip security detection, private key storage detection, network security detection, carrier detection, login security detection, transaction security detection]
However, the above-mentioned security auditing business only audits part of the technical risks of mobile terminals, and there is less technical risk auditing for hardware wallets and PC wallets. Overall, the digital wallet security audit services need to be expanded. Therefore, based on the continuous increase of wallet projects and services and the incompleteness of the existing security review framework, the demand for wallet security audit business will further increase in 2019.

5.2 The Rise of Compatibility Wallets
According to statistics, as of Q4 2018, the number of global digital asset wallet users was 31.914 million, an increase of 10.4% from the previous quarter and an increase of 48.3% from the previous year. If the number of Internet users is taken as the development target for the number of digital currency users, the total number of users has room to expand 100 times. This means that it has great development potential and huge market space. With the development of blockchain technology, the market will usher in more diversified development in 2019, and more people will access and flood into the blockchain and digital currency industry.
‣ Graph 5-3 Global digital currency user size
Source: Statista
[Chart: global digital wallet user size; y-axis: number of digital wallet users (in units of 10,000), 0 to 4,000; x-axis: quarters from Q1 2015 to Q4 2018]

‣ Graph 5-4 Development of wallet user selection intention
Source: TokenInsight
[Diagram labels, left to right: Early user selection, Late user selection; Practicality, Practicality, Security]
Due to the lack of understanding of asymmetric cryptographic algorithms and the unskilled use of decentralized wallets, these emerging users will choose a centralized wallet as a storage tool to reduce the security risks of their digital assets.

After a period of time, as professional knowledge increases, users will seek to use a decentralized wallet to shift the security risks of digital assets from the wallet project to themselves. At this time, the user has a certain stickiness to the original centralized wallet.

If the wallet project team can provide another, decentralized private key storage solution at this time, users can meet their need for upgraded private key storage security while keeping their original operating environment, and the project team can reduce user loss and become more attractive to new users.

In summary, based on security and market development considerations, wallets that support decentralized storage & centralized storage in 2019 will be a popular choice for users.
‣ Graph 5-5 2018 Most Valuable Wallet - Light Wallet - China's List Evaluation Data
Source: TokenInsight

China-SPV/centralized

| Ranking | Name | Overall Rating |
|---|---|---|
| 1 | Cobo Wallet | 9.0 |
| 2 | Qbao Network | 8.6 |
| 3 | BitKeep | 8.2 |
| 4 | Token Pocket | 8.1 |
| 5 | imToken Wallet | 7.7 |
| 6 | Kcash Wallet | 7.2 |
| 7 | Bitpie | 6.6 |
| 8 | MEET.ONE | 6.0 |
| 9 | Math Wallet | 6.0 |
| 10 | Secrypto | 5.9 |
Among the Top10 wallet projects in the Most Valuable Wallet - Light Wallet - China's List (see Appendix for details), Math Wallet and Cobo Wallet have begun to try compatibility services. According to the development of the market, the wallet that supports the centralized and decentralized dual storage function will be more and more favored by users, and the new security issues brought about by the architecture upgrade are also worth noting.
5.3 A Stumbling Block to the Asset Management Business

In terms of project functions, the wallet industry is not limited to the storage and transaction solutions to digital currency assets. The functions added on this basis include information service, asset management, lending, and DApp access. With the development of public chains and the involvement of traditional financial institutions, projects such as project docking, asset management and lending are rapidly emerging. More than 40 wallet project parties have launched digital asset management services.
‣ Graph 5-6 Wallet function overview
Source: TokenInsight
[Diagram: wallet function overview: Storage and transaction; Information service; Asset management; Lending; DApp access]
‣ Graph 5-7 Wallet financial function overview
Source: TokenInsight
[Diagram: financial product: Fixed term financial management; Intelligent mining; Current financial management]
‣ Graph 5-8 Number of wallets with and without asset management businesses
Source: TokenInsight
Supports asset management business: 32%
Does not support asset management business: 68%
‣ Graph 5-9 2018 Most Valuable Wallet - Light Wallet - China List Top10
Source: TokenInsight

China-SPV/centralized

| Name | Financial products |
|---|---|
| Cobo Wallet | √ |
| Qbao Network | √ |
| BitKeep | √ |
| Kcash Wallet | √ |
| MEET.ONE | √ |
| Secrypto | × |
| imToken Wallet | × |
| Bitpie | × |
| Token Pocket | √ |
| Math Wallet | × |
Most of the organizations that have launched digital asset management services use a centralized approach to manage digital assets in the form of 'physical chain' + 'privilege chain'. With the rapid expansion of this business, the security risks are also increasing. Especially due to the uncontrollable nature of the 'privilege chain' risk, the fully managed wallets are very likely to face security vulnerabilities similar to those of the centralized exchanges.

The custody and asset management services in the wallet business are developing rapidly. Among the Top 10 of the most valuable wallet - light wallet - China list released by TokenInsight (see Appendix for details), Cobo Wallet, BitKeep, Token Pocket and 3 other wallets have launched financial management services, and digital assets stored in the centralized wallets will grow rapidly. For the asset management services that are about to develop rapidly, the artificial risks such as private key control and manual transfer brought by digital asset centralized storage will be an urgent problem to be solved. If it is impossible to find a solution that reduces the artificial risks, the security of digital assets will be plagued by artificial risks.
Appendix

Hardware Wallet

| Product Name | Price Rating | Target Groups | Number of Major Currencies | Quantity Rating | Operation Standard Rating | Hardware User-friendliness Rating | Chip Security Level | Operation Performance | Overall Ratings |
|---|---|---|---|---|---|---|---|---|---|
| Blue | 6 | Enterprise | 16 | 10 | 0 | 2 | 8 | 10 | 11.7 |
| Model T | 6 | Individual | 6 | 6 | 0 | 0 | 10 | 10 | 9.8 |
| Nano S | 6 | Individual | 16 | 10 | 0 | 0 | 8 | 10 | 9.7 |
| KeepKey | 6 | Individual | 3 | 4 | -1 | 2 | 10 | 10 | 9.5 |
| ONE | 10 | Individual | 5 | 6 | -1 | 0 | 10 | 10 | 9.4 |
| BEPAL Q | 8 | Individual | 6 | 6 | 0 | 2 | 6 | 6 | 9.3 |
| Digital Bitbox | 10 | Individual | 2 | 4 | 0 | 0 | 10 | 10 | 9.1 |
| Bepal Pro S | 6 | Enterprise | 6 | 6 | 0 | 2 | 6 | 6 | 9.0 |
| BiPal | 6 | Individual | 9 | 8 | 0 | 0 | 10 | 6 | 8.7 |
| Keywallet Touch | 10 | Individual | 6 | 6 | 0 | 0 | 8 | 6 | 8.3 |
| Swiss Bank in Your Pocket | 8 | Individual | 4 | 4 | 0 | 0 | 10 | 6 | 7.4 |
| 链盾 | 0 | Individual | 4 | 4 | 0 | 2 | 6 | 4 | 7.1 |
| LUBANSO X1 | 6 | Individual | 6 | 6 | 0 | 0 | 6 | 6 | 7.0 |
| KASSE HK-1000 | 10 | Individual | 6 | 6 | 0 | 0 | 7 | 6 | 7.0 |
| CoolWallet | 8 | Individual | 3 | 4 | 0 | 0 | 8 | 6 | 6.7 |
Wallet List
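
| Category | Name | Hierarchical Deterministic | Open Source | Multi-signature | Two-step verification | Private Key Storage Location | Number of Comments | Number of Comments Rating | Stars | Stars Rating | Transaction Service | Market Information | Financial Tools | DApp Access | Social Function | Overall Rating |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| China-SPV/centralized | Cobo Wallet | 1 | 0 | 1 | 1 | 1 | 2,531 | 10 | 5 | 10 | 1 | 0 | 1 | 0 | 1 | 9.0 |
| China-SPV/centralized | Qbao Network | 1 | 0 | 0 | 0 | 1 | 373 | 8 | 4 | 8 | 1 | 1 | 1 | 1 | 1 | 8.6 |
| China-SPV/centralized | BitKeep | 1 | 0 | 0 | 0 | 1 | 77 | 4 | 4 | 8 | 1 | 1 | 1 | 1 | 1 | 8.2 |
| China-SPV/centralized | Token Pocket | 0 | 1 | 0 | 1 | 1 | 58 | 2 | 4.0 | 8 | 1 | 1 | 1 | 1 | 1 | 8.1 |
| China-SPV/centralized | imToken Wallet | 1 | 1 | 0 | 0 | 1 | 286 | 8 | 4.5 | 9 | 1 | 1 | 0 | 1 | 0 | 7.7 |
| China-SPV/centralized | Kcash Wallet | 0 | 0 | 1 | 1 | 1 | 160 | 4 | 4 | 8 | 1 | 0 | 1 | 1 | 0 | 7.2 |
| China-SPV/centralized | Bitpie | 1 | 0 | 0 | 0 | 1 | 403 | 8 | 4 | 8 | 1 | 1 | 0 | 1 | 0 | 6.6 |
| China-SPV/centralized | MEET.ONE | 0 | 0 | 0 | 0 | 1 | 6 | 0 | 5 | 10 | 1 | 1 | 1 | 1 | 0 | 6.0 |
| China-SPV/centralized | Math Wallet | 0 | 1 | 0 | 0 | 1 | 24 | 2 | 4 | 8 | 1 | 1 | 0 | 1 | 0 | 6.0 |
| China-SPV/centralized | Secrypto | 0 | 1 | 0 | 0 | 1 | 76 | 2 | 3.5 | 7 | 1 | 0 | 0 | 1 | 1 | 5.9 |
| Overseas-SPV/centralized | Freewallet Series | 1 | 0 | 1 | 1 | 0 | 504 | 8 | 4.5 | 9 | 1 | 1 | 0 | 1 | 0 | 7.7 |
| Overseas-SPV/centralized | HB Wallet | 1 | 0 | 0 | 1 | 1 | 377 | 8 | 4 | 8 | 1 | 0 | 0 | 0 | 1 | 6.6 |
| Overseas-SPV/centralized | Edge | 1 | 1 | 0 | 1 | 1 | 66 | 2 | 4.5 | 9 | 1 | 0 | 0 | 0 | 0 | 6.1 |
| Overseas-SPV/centralized | Coinbase Wallet | 0 | 0 | 1 | 1 | 0 | 201 | 4 | 4 | 8 | 1 | 1 | 0 | 0 | 0 | 5.2 |
| Overseas-SPV/centralized | Copay Bitcoin Wallet | 1 | 1 | 1 | 0 | 1 | 95 | 4 | 3.5 | 7 | 0 | 0 | 0 | 0 | 0 | 5.1 |
| Overseas-SPV/centralized | Citowise | 1 | 0 | 0 | 0 | 1 | 622 | 10 | 5 | 10 | 1 | 0 | 0 | 0 | 0 | 5.0 |
| Overseas-SPV/centralized | Uphold | 0 | 0 | 0 | 1 | 0 | 2,638 | 10 | 5 | 10 | 1 | 0 | 1 | 0 | 0 | 5.0 |
| Overseas-SPV/centralized | Trust Wallet | 1 | 0 | 0 | 0 | 1 | 1,793 | 10 | 4.5 | 9 | 0 | 0 | 0 | 1 | 0 | 4.9 |
| Overseas-SPV/centralized | Green Address | 1 | 1 | 1 | 1 | 0 | 27 | 2 | 3 | 6 | 0 | 0 | 0 | 0 | 0 | 4.8 |
| Overseas-SPV/centralized | Bread Wallet | 1 | 1 | 0 | 0 | 1 | 989 | 10 | 3.5 | 7 | 0 | 0 | 0 | 0 | 0 | 4.7 |
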
In the wallet lists, samples are divided into SPV and centralized wallets.
The output is divided into domestically developed wallets and foreign wallets.

A total of nine dimensions are Boolean values.

| Dimension | Description | Scoring |
|---|---|---|
| Hierarchical certainty | Whether multiple addresses can be controlled by a private key | Yes: +1 point; No: 0 point |
| Open source | Whether the wallet is open sourced | Yes: +1 point; No: 0 point |
| Dual verification | Whether the wallet has dual verification | Yes: +1 point; No: 0 point |
| Multi-signature | A dimension mostly owned by the enterprise-level wallet; one of the indicators for measuring safety | Yes: +1 point; No: 0 point |
| User experience | Transaction services; market information; financial tools; DApp access; social functions | Yes: +1 point; No: 0 point |
| Private key storage location | User retention, wallet retention, third party retention | +1 point, 0 point, -1 point |
| Popularity | The first data source of comments is the App Store (US account); the second source is Google Play; the rating stars are in the same order | Take the quartiles of the number of comments (10 points, 8 points, 4 points, 2 points, 0 points); stars *2 as star rating |

Hardware Wallet

| Dimension | Description | Scoring |
|---|---|---|
| | | 100: 6 points; 10: 10 points |
| Executive standard | The higher the standard, the higher the score, which is an additional subtraction | BIP44: 0 point; BIP39: 1 point |
| Type | There are different forms such as tablets, U shields, cards, etc. Score according to friendliness. | Tablet: 2 points; Others: 0 point |
| Chip security level | The higher the security level, the higher the score | CC EAL 4+: 6; CC EAL 5+: 8 |
| Operating conditions of manufacturers | Excellent: the company received more than $10 million financing, has leading technology and feasible profit methods. Good: the company received less than $10 million but more than $1 million financing; the technical level is in the upper reaches of the industry and profit methods are feasible. General: the company received less than $1 million financing, the technical level is in the middle reaches of the industry, and the profitability has bottlenecks. | Excellent: 10 points; Good: 6 points; General: 4 points |
TokenInsight Inc.
Global Token Data & Rating Agency
Get the latest blockchain industry data and research reports
Website: www.tokeninsight.com
Business email: bd@tokeninsight.com
Other contacts:
Official WeChat account | Tokenin
Official Twitter | TokenInsight
Official Sina Weibo | TokenInsight
Official Chinese Telegram group: http://t.me/TokenInsightChinese