Least Authority Discloses Security Risks in Atomic Wallet
The disclosure is intended to "appropriately warn users without putting them at even greater risk," the security audit company said.

Funds held in Atomic Wallet, a crypto wallet that supports over 300 coins and tokens, may be at risk, according to a comprehensive security audit conducted by Least Authority.
Least Authority has published a blog post to alert Atomic Wallet users to the potential risks associated with the vulnerabilities they claim to have discovered in the wallet's system design.
"... we strongly recommend that the Atomic Wallet team immediately notify users of the existing security vulnerabilities. In addition, until the issues and suggestions outlined in the report have been sufficiently remediated and the Atomic Wallet has undergone subsequent security audits, we strongly recommend against the Atomic Wallet’s deployment and use."
CoinDesk reached out to Atomic Wallet for comment but did not receive a reply at time of initial publication. Atomic's CEO Konstantin Gladych has since responded with the following statement:
We have taken all the issues discovered by Least Authority into full account.
- For some issues, we have already released corresponding patches and notified Least about doing so.
- To implement the remaining suggestions, we will need to rework some parts of our application’s core architecture. This will take some more time as per our estimate, but we are working on it. None of those issues pose any security risks to our users, as Atomic is a non-custodial wallet and all data is stored locally on users’ devices. We are expecting to implement the rest of Least’s suggestions in Q2 2022. Once we are done, we will re-audit the application.
- Atomic Wallet has undergone two security audits so far. The other audit, conducted by DerSecur Ltd, asserted: “The application’s average security score is 4.7. This result is higher than the market average. The application can be considered secure enough, nevertheless, we recommend bringing to the attention vulnerabilities discovered during the audit and consulting with the detailed results.”
- Security is our highest priority, and we are continuously working on improving Atomic Wallet. Therefore, we have thoroughly reviewed Least’s report and will be done implementing their recommendations in full in Q2, 2022.
Responsible disclosure
Least Authority was first hired to examine Atomic's system design as well as its corresponding core, desktop and mobile coded implementations in early 2021. That report, delivered to Atomic in April, concluded that there were vulnerabilities and insufficiencies that put users at "significant risk."
The research team stated that the wallet sent them a response noting their updates and improvements in November. However, after checking Atomic's remediation commits, Least Authority discovered that "a significant number of issues and suggestions remain unresolved ..."
Further attempts to work with Atomic to resolve the outstanding security issues have been unsuccessful, according to Least Authority.
Now, after 10 months of following responsible disclosure procedures, Least Authority is taking the next step in alerting Atomic's users to the potential risks associated with the vulnerabilities they claim to have discovered. In the interest of preventing malicious actors from acting on the information in the final report, the security team is not releasing the finer details of their findings.
"We hope that this disclosure of the existence of significant vulnerabilities without providing details helps to appropriately warn users without putting them at even greater risk," the blog post states.
Today marks the first time since its establishment in 2011 that Least Authority has taken this step to alert the public to unresolved security issues with a client's product.
Vulnerabilities in Atomic Wallet
Least Authority noted the following outstanding vulnerabilities in their latest audit of Atomic Wallet:
- current users are vulnerable to a range of attacks that may lead to the total loss of user funds, specifically due to the current use and implementation of cryptography;
- a lack of adherence to wallet system design and development standards and best practices;
- a lack of robust project documentation;
- an incorrect use of Electron, a framework for building desktop applications, leading to an increased risk of potential security vulnerabilities and implementation errors, as well as out-of-date and unmaintained dependencies.
The company is also calling on Atomic Wallet to conduct and publish "a full, comprehensive follow up security audit" from an independent security auditing team once they have fully addressed and resolved the existing vulnerabilities to ensure the fixes have been "properly implemented."
Atomic Wallet's ERC20 token, AWC, has fallen from a high of over $2.50 in April of last year to about $0.86 Wednesday night. First launched in 2018, the token gives holders discounts on exchange services and other benefits, according to Atomic's website.

Update: February 10, 2021, 15:57 UTC: Added response from Atomic Wallet CEO Konstantin Gladych.
Christie Harkin
Christie Harkin is CoinDesk's managing editor of technology. Prior to joining CoinDesk, Christie was the managing editor at Bitcoin Magazine. A graduate of the University of Toronto with a specialist degree in English and Linguistics, she also completed post-degree courses in publishing at Ryerson University. Before diving into Bitcoin and blockchain tech in 2015, Christie was a children's book editor and publisher. She co-founded Clockwise Press where she edited and published the Canadian Children's Book of the Year award winning picture book, Missing Nimama. Christie holds some bitcoin and non-material amounts of other crypto tokens.
