tokeninsight.com
Feb 2019
Digital Wallet Industry Security Report
http://tokeninsight.com
GLOBAL TOKEN & RATING AGENCY
Preface
Digital Wallet Security Report
At this stage, about 340 digital wallets exist in the market. Because of differences in
product form, private key storage mechanism, and data retention integrity, they may exhibit different
features in different use cases. These features may become vulnerabilities in certain circumstances
and cause digital wallets to be attacked. Once a security issue arises, users' digital
property might be stolen, and because of the particularities of the structure of digital
currencies, stolen assets become very difficult to recover; this is why wallet security is so important.
TokenInsight Inc. has conducted research and analysis on the overall developments of the wallet
industry, the structural characteristics of different wallet projects, and identified user security by
researching, testing, and reviewing the data of nearly 120 wallet projects. Since December 2018, our
organization has set out to build a complete system and framework of industry-wide security risk
classifications and performance evaluation models. We hope this report will provide useful
suggestions for wallet users and project developers.
TokenInsight pays close attention to the development of the wallet industry. At present, we have
completed the evaluation of nearly 120 wallet companies on an international scale. Our organization
has already covered the leading projects for different types of wallets, such as hardware wallets
and software wallets. The data in this wallet security report comes from our TokenInsight database, the
projects themselves, and publicly available data, providing solid support for the empirical research of
the wallet industry.
Table of Contents
1. Executive Summary
2. Industry Overview
2.1 Wallet Overview
2.2 Overview of the Wallet Security Industry
3. Technical Risks
3.1 Carrier Risks
3.2 Private Key Storage Risk
3.3 Network Protocol and Login Risks
3.4 Trading Risks
3.5 Asset Transfer Risks
4. Artificial Risks
4.1 Supply Chain Risks
4.2 Privilege Chain Risks
5. Security Industry Outlook
5.1 Expansion of the Security Auditing Business
5.2 The Rise of Compatibility Wallets
5.3 A Stumbling Block to the Asset Management Business
6. Appendix
Ⅰ. Executive Summary
1. As of December 2018, there are more than 340 wallet projects, an increase of
approximately 30% compared with 2017, while the number of wallet users exceeded 34 million. As
of the second quarter of 2018, user growth rates were over 10%, but the growth rate in the third
quarter of 2018 fell to 7%. According to Google Trends, global attention towards the digital industry
peaked in January 2018, then fell rapidly after February and remained steady through the year.
2. In terms of security incidents, hardware wallets have seen many problems in dealing with remote
transaction attacks, supply chain security and preventing brute-force attacks, while software
wallets were more affected by phishing attacks on access pages and private key leaks. In 2018, the
loss caused by wallet security problems totaled about $1.2 billion. By risk classification, the main
problems seen in the wallet security field can be classified into technical risks and artificial risks.
3. Technical security issues involve the following aspects: carrier risk, private key storage risk,
webpage hijacking risk, login risk, transaction risk, asset transfer risk, etc. The risk of webpage
hijacking includes HTTPS man-in-the-middle hijacking and DNS hijacking. Solving this problem requires
the user and the project side to work together. At present, the two-factor defenses set up by
project parties have different defense capabilities due to different technical specifications, and
transaction risk is still an urgent problem to be solved.
4. Besides the security threats caused by technology, the security risks faced by digital wallets
also include the risks brought by the manual operations that different wallets carry out for
business needs, including supply chain risks and privilege chain risks. At present, the industry
has effective control of supply chain risks. The privilege chain risk is caused by the centralized
storage of the wallet, which points to the operational risk of internal staff. At present, there is no
effective control method for the privilege chain risks caused by problems such as private key
control and manual transfer.
5. In terms of development prospects in the security field, the demand for and depth of the wallet
security review business will further increase because of the increase in wallet projects in 2019 and
the unsound security review framework. As new users will increase in 2019 and the security
requirements of a wallet differ at different stages, it is estimated that wallets supporting
the centralized storage & decentralized storage architecture will be favored by the market. With the
rapid growth of the wallet asset management business, the reliance of the underlying centralized
private key storage architecture on the manual management system will further increase. If
such artificial risks cannot be effectively controlled, the security risks of the digital assets stored in
centralized wallets will be amplified and eventually hinder the development of the digital asset
management business.
Ⅱ. Industry Overview
2.1 Wallet Overview
More than 80 new projects were established in 2018, an increase of about 30% compared to 2017. In the field of wallet security, the loss caused by security vulnerabilities in the use of wallets in 2018 was about $1.2 billion. The security incidents were relatively concentrated in the leading projects with large numbers of users and large digital asset storage.
‣ Graph 2-1 Global digital wallet growth (number of new projects per year, 2014 to 2018). Source: TokenInsight
From the perspective of the global distribution of wallet search trend, most of the countries with high
attention to the wallet are located in Africa, Oceania and North America. Singapore has also entered
the top 10 of attention.
In 2018, the number of wallet projects increased by about 80, and the total number of projects
reached about 340. The increase was lower than in 2017 but still higher than in 2016 and before.
‣ Graph 2-2 Geographical distribution statistics of Wallet global search trend. Source: TokenInsight, Google Trends
2.2 Overview of the Wallet Security Field
The chart below shows several serious recent security attacks on wallets (since the focus is on
the security analysis of the wallet's technical architecture, the following incidents do not include
thefts caused by attacks on exchanges).
Since the beginning of 2017, the security attacks on wallets and the doubts about them have had two
characteristics: they are real-time and wide-ranging. Whether it is a hardware wallet or a light wallet,
security holes are inevitable. Some wallet projects were attacked just after they entered the market,
reflecting that the digital wallet market is currently at an initial stage in the security field, in both
technology and management. The architectures of various security audits and parameter
standardization have not been established.
‣ Graph 2-3 Statistics of wallet projects suffered from security attack (timeline, 2017 to 2019). Source: TokenInsight
Feb: Cryptocurrency hardware wallet Ledger, which got 75 million dollars in the B round financing, was exposed to vulnerabilities
Bitcoin wallet developed by John McAfee, the Bitfi hard wallet project, was broken
Myetherwallet wallet had a security incident and hackers stole at least $13,000 in two hours
Hackers stole $750,000 worth of bitcoin using Electrum wallet vulnerabilities
Bitpay wallet had problems when using third-party services; the project side recommended users to transfer assets
Dec: A group at the Chaos Communications Congress claimed to master the method of cracking most hardware wallets and demonstrated it
Intel chip vulnerability incident continued to ferment, triggering mass panic around software wallets
Bitcoin hardware wallet Trezor exposed security vulnerabilities; developers launched emergency mechanisms to upgrade wallet firmware
Ethereum wallet Parity had a system bug; the developer started the emergency mechanism and users' assets were frozen
‣ Graph 2-4 Comparison between wallet vulnerability loss and exchange vulnerability loss (loss amount in units of 100 million yuan per year, 2013 to 2018; series: wallet vulnerability loss, exchange vulnerability loss). Source: TokenInsight
‣ Graph 2-5 Classification of wallet risk vulnerability. Source: TokenInsight
Technical Risks: Carrier Risk, Private Key Storage Risk, Network Protocol Risk, Login Risk, Trading Risk, Asset Transfer Risk
Artificial Risks: Supply Chain Risk, Authority Chain Risk
Due to their different internal architectures, wallet projects have large differences in storage methods
and business modules. Regardless of the type of wallet, there are different levels of security risks in
terms of private key storage and transaction security. The loss caused by wallet vulnerabilities in
2018 was about $1.2 billion, 1.4 times the loss of the exchange in 2018.
After conducting data research on nearly 120 projects in the wallet industry, TokenInsight found that
the security problems that arise in the use of wallets mainly include technical risks and artificial risks.
The technical risks can be divided into carrier risk, private key risk, network risk, trading risk, login risk
and asset transfer risk; the artificial risks include supply chain risk and privilege chain risk.
Ⅲ. Technical Risk
According to the time of storage and transaction of digital assets, technical risks involve the following aspects: carrier risk, private key storage risk, network protocol risk, login risk, transaction risk, asset transfer risk, etc.
3.1 Carrier Risk
By product form, wallets can be classified into hardware wallets and software wallets. The carrier of the hardware wallet is a physical device with a dedicated encryption chip, and the private key is stored in a protected area within the device. Taking Ledger as an example, its structure is composed of a security encryption chip, a display screen, a push button, etc. In addition to the basic private key storage and transaction functions, the wallet has detailed functions such as PIN verification, seed repair, and transaction initiation confirmation. Hardware wallets account for about 24% of the wallet projects in the market; the rest are software wallets. Generally, the security level of the hardware wallet security encryption chip is required to reach CC EAL4 (that is, the financial encryption chip standard). According to TokenInsight statistics, projects that meet CC EAL4 and above account for about 65% of all projects. The failure of the security encryption is one of the reasons for the security problems in the use of the wallet.
‣ Graph 3-1 Comparison of the number of wallets: hardware wallets 24%, software wallets 76%. Source: TokenInsight
‣ Graph 3-2 Comparison of the security level of hardware wallet encryption chip: meets the financial encryption chip standard 65%, does not meet the financial encryption chip standard 35%. Source: TokenInsight
‣ Graph 3-3 Statistics of chip implementation standard for wallets with eligible secure encryption levels (number of wallets per CC EAL level, from CC EAL4+ to CC EAL6). Source: TokenInsight
According to the Top10 samples of TokenInsight's 2018 Most Valuable Wallet - Hardware Wallet List
(see Appendix for details), 70% of the processing chips have a security level that is up to standard.
Trezor's Model T, One and KeepKey do not use financial-grade security encryption chips; the rest are
all up to standard. This reflects that in the digital wallet market, especially in the hardware wallet
market, there is currently no agreement on industry standards, and parameter normalization is still
one of the problems that the digital wallet industry needs to solve.
The other type is the software wallet, which basically has three forms: PC, Mobile, and Web. Since
computers and mobile phones are not professional encryption devices, it is generally considered that
the carrier security of the PC wallet and the mobile wallet is lower than that of hardware wallet; the
Web wallet is considered to be less secure due to the need of frequent connection with the network
during operation.
Therefore, it is generally considered that the security of the carrier is: hardware wallet > PC / Mobile
wallet > Web wallet
‣ Graph 3-4 Software wallet forms: PC, Mobile, Web. Source: TokenInsight
Note: CC (Common Criteria) is the result of the unification of various existing standards by the
International Organization for Standardization and is the most comprehensive evaluation criterion at
present. CC divides the evaluation process into two parts: function and guarantee. The evaluation
level is divided into EAL1, EAL2, EAL3, EAL4, EAL5, EAL6 and EAL7 in seven levels.
3.2 Private Key Storage Risk
Wallet private key management is the core of digital asset security. The essence of the wallet is to help users manage and use the private key conveniently and securely. Wallets can be classified into two types according to the storage method of the private key: centralized and decentralized.
In the decentralized wallet, the private key is kept by users and will not be uploaded to the database of the wallet project party. The centralized wallet means that the private key is centrally managed by the project party. The latter's financial risk is more concentrated on the wallet project side, and its centralized server is more likely to become a target of attack than a decentralized wallet. Therefore, from this perspective, it is generally considered that decentralized storage is safer for the wallet private key.
‣ Graph 3-5 Centralized wallet private key management mode: the private keys of users 1, 2 and 3 are uploaded to the project side server for unified management. Source: TokenInsight
‣ Graph 3-6 Decentralized wallet private key management mode: the private keys of users 1, 2 and 3 are each kept in local storage. Source: TokenInsight
‣ Graph 3-7 Comparison of the number of wallets with different storage methods of private key: centralized wallets 21%, decentralized wallets 79%. Source: TokenInsight
At present, the proportion of decentralized wallets is higher than that of centralized wallets, and about
79% of wallets are decentralized wallets. This reflects the consensus among digital wallet users that
decentralized wallets offer higher security.
In addition, the user's private key generation operations and transactions may be recorded and
obtained by other users, and the core code of the wallet may be reverse engineered to trigger such an
attack. To build users' trust and accelerate algorithm upgrades of the product, some
project parties choose to open source the program and publish the code on Github or other
communities.
Apart from the potential risk of being attacked because of program vulnerabilities and failure to upgrade
in time, open-sourcing a project's code is beneficial for the secure storage of users' digital
assets in the long term. According to TokenInsight's 2018 Most Valuable Wallet-Light Wallet-China's
List (see Appendix for details), 30% of the projects in the Top10 are open source, while in the statistics
of nearly 120 wallet projects at home and abroad, the open source ratio is 60%, and web-side wallets
account for the majority.
Note: The open source program here refers to the core code and related programs that constitute the
wallet architecture. It is considered partially open source when the published program is not
compilable.
‣ Graph 3-8 Comparison of numbers of open-sourced wallets: open source wallets 60%, wallets that are not open source 40%. Source: TokenInsight
‣ Graph 3-9 2018 Most Valuable Wallet - Light Wallet - China list of partial evaluation data (China-SPV/centralized). Source: TokenInsight
Name: Open source
Cobo Wallet: ×
Qbao Network: ×
BitKeep: ×
Kcash Wallet: ×
MEET.ONE: ×
Secrypto: ×
imToken Wallet: √
Bitpie: ×
Token Pocket: √
Math Wallet: √
3.3 Web Hijacking Risk and Login Risk
Most digital asset transactions require a network connection. Users may suffer from phishing attacks due to HTTPS hijacking and DNS hijacking. [1] It is not uncommon for users of centralized exchanges to suffer losses due to HTTPS hijacking and DNS hijacking. There are two precautions against this:
1) Collect and safekeep the link address of the wallet to reduce the possibility of entering a fake website.
2) A professional firewall can be used to intercept and filter phishing websites on the network.
‣ Graph 3-10 Reasons analysis for users' webpage hijacking (diagram labels: browser problem, user's reason, project side reason, unverified server certificate, unverified domain name, expired server certificate). Source: TokenInsight
Two-factor verification proves the identity of the visitor through two independent and unrelated pieces of evidence. Using this technology in the login phase can improve the security of the user's digital assets. Currently, the wallet with this function accounts for about 42% of the industry projects. Most of the project parties use the dynamic password provided by Google plus the user's original login password as the two-factor verification architecture. However, this technology may fail in the face of sender ID spoofing attacks, so users should develop good security awareness to deal with such attacks. [2]
‣ Graph 3-11 Comparison of the number of wallets with or without two-factor verification login: without two-factor verification 42%, with two-factor verification 58%. Source: TokenInsight
[1] The webpage hijacking risk refers to the attack the user might suffer during interaction with the data network when using the wallet, if the user does not verify the certificate of the access address or the certificate has expired. In the process, hijackers steal access data, which can ultimately put the user's digital assets at risk of loss.
[2] In the Sender ID spoofing attack, the attacker poses as an official Google identity to send emails to the user in order to obtain private information such as the dynamic password, and finally logs in as the user. This type of attack is extremely harmful for some wallets with low security defense capabilities.
3.4 Trading Risk
The transaction requires a private key signature for authorization, including multiple signatures and single signatures.
Single signature means that only one user has a private key and has full autonomous trading rights.
In the multi-signature mode, a digital asset is managed by multiple people, and a transaction must be signed by at least the threshold number of private key holders. For client wallets that are less encrypted than hardware wallets, the multi-signature mode has the advantage of reducing individual risk and improving the security of digital asset transactions. According to statistics, wallets that support multi-signatures account for 31% of client wallets.
‣ Graph 3-12 Comparison of the number of wallets with or without multi-signature: supports multi-signature 31%, does not support multi-signature 69%. Source: TokenInsight
According to the Top10 (see Appendix) projects in the 2018 Most Valuable Wallet - Light Wallet -
Overseas list published by TokenInsight, the proportion of projects supporting multiple signatures is
low. Although the multi-signature mechanism is currently more secure than single-signature, it is more
widely used for large-scale managed projects or enterprise-level customization, and the technology is
not yet popular for individual users.
‣ Graph 3-13 2018 Most Valuable Wallet - Light Wallet - Overseas list of Top10 evaluation data (Overseas-SPV/centralized). Source: TokenInsight
Name: Multi-signature
Freewallet Series: √
HB Wallet: ×
Edge: ×
Coinbase Wallet: √
Copay Bitcoin Wallet: √
Citowise: ×
Uphold: ×
Trust Wallet: ×
Green Address: √
Bread Wallet: ×
For individuals troubled by the high cost of using the multi-signature mechanism, the "private key +
transaction password" mode offers an alternative solution to reduce the trading risk. In addition to the
private key, users also need to input a password to confirm and complete the transaction of a digital
asset. BitKeep Wallet has adopted the DESM algorithm based on SHA256 + AES256 + cloud
authentication encryption system to double encrypt the user's single-signature wallet. Using the
single-signature mechanism with a private key plus double confirmation with a password can greatly
reduce the trading risk.
‣ Graph 3-14 Wallet multi-signature usage scenario analysis: large-scale managed projects asset management, centralized exchange asset management, enterprise digital asset management. Source: TokenInsight
‣ Figure 3-15 Wallet transaction secondary confirmation password usage specification: dynamic instruction (one-time password), PIN (fixed string), user-specific information (fingerprint, etc.). Source: TokenInsight
In terms of usage specifications, the current secondary confirmation mechanism adopted by the
wallet industry uses fixed strings, dynamic passwords, and user-specific attribute verification. From
the perspective of cryptography, it is generally considered that user-specific attribute verification has
a higher security level. For example, Math Wallet uses biometric security authentication technologies
such as fingerprints and face recognition for large-value transfers.
According to TokenInsight's incomplete statistics, the wallet industry has a large number of projects
using fixed strings in the transaction secondary confirmation password usage specification, and the
number of projects using the user-specific attribute verification method is the least. The technical
specifications adopted by the wallet industry to reduce transaction risk remain to be unified.
3.5 Asset Transfer Risk
When a mobile device carrying a client wallet, or a hardware wallet, is lost, it may result in the loss of digital assets. Since the general mobile device does not have a professional encryption function, the probability of theft of digital assets is large. The hardware wallet generally has a function to resist brute-force cracking. For extreme situations, some hardware wallets have a self-destruction module triggered by violent disassembly, that is, the data is destroyed before the illegal visitor obtains the private key. Wallets of this kind account for about 9% of hardware wallets; their current popularity is not high.
‣ Graph 3-16 Number of hardware wallets that support self-destruction: supports self-destruction on brute-force cracking 9%, does not support self-destruction on brute-force cracking 91%. Source: TokenInsight
Another way to safely transfer digital assets after the terminal is lost is to use the HD (Hierarchical
Deterministic) wallet mentioned above. The specific implementation standard is the BIP protocol
series. The complicated technical operation can be simplified by the BIP protocol. BIP protocols for
mainstream wallets include BIP-39 and BIP-44.
Simply speaking, the protocol can turn a complex private key into a mnemonic, basically in the form of
24 (or at least 12) words plus a passphrase (which may or may not be empty), and the user backs up
the generated mnemonic. If the wallet is lost, the digital asset can be safely transferred using a wallet
that follows the same BIP standard.
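How a BIP-39 backup restores the same wallet on another device, as an added example that is not from the report or any wallet project: the checksum that catches a mistyped backup, and the PBKDF2 step that turns the mnemonic plus passphrase into the wallet seed. It works on word indices because the 2048-word list is not embedded here; the sample mnemonic is the published all-zero-entropy BIP-39 test vector, and the function names are assumptions.

```python
import hashlib
import unicodedata

# Published BIP-39 test vector (all-zero entropy); never use it for real funds.
SAMPLE_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                   "abandon abandon abandon abandon abandon about")


def entropy_to_indices(entropy: bytes) -> list:
    """Split entropy plus checksum into 11-bit word indices (0..2047)."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128 to 256 bits in 32-bit steps")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32                      # 4 bits for 12 words, 8 for 24
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(value >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def indices_checksum_ok(indices: list) -> bool:
    """Check a restored backup: wrong word count or a bad checksum is rejected."""
    if len(indices) not in (12, 15, 18, 21, 24):
        return False
    value = 0
    for index in indices:
        if not 0 <= index < 2048:
            return False
        value = (value << 11) | index
    total = len(indices) * 11
    cs_bits = total // 33
    entropy = (value >> cs_bits).to_bytes((total - cs_bits) // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    return (value & ((1 << cs_bits) - 1)) == expected


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, 64)


def restores_same_wallet(backup: str, original: str, passphrase: str = "") -> bool:
    """Two devices derive the same seed only from the same words and passphrase."""
    return mnemonic_to_seed(backup, passphrase) == mnemonic_to_seed(original, passphrase)


if __name__ == "__main__":
    print(entropy_to_indices(bytes(16)))          # eleven 0s, then 3
    print(mnemonic_to_seed(SAMPLE_MNEMONIC).hex()[:16])
    print(mnemonic_to_seed(SAMPLE_MNEMONIC, "TREZOR").hex()[:16])
```

A different passphrase yields a different, equally valid seed, so a lost passphrase is not flagged as an error on restore: the wallet simply opens empty.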
‣ Graph 3-17 Number of wallets that support different BIP protocol standards: supports BIP-39 14%, supports BIP-44 86%. Source: TokenInsight
In addition to using the HD (Hierarchical Deterministic) wallet to secure the transfer of assets when a wallet is lost, the wallet also includes a secondary transaction confirmation password in the program. Generally, it is a PIN or a user-specific information attribute (such as a fingerprint). This module slows down the cracking of the private key when the wallet is lost and buys time for the secure transfer of users' digital assets. Once the wallet's anti-brute force module is broken and the user's private key is stolen, the digital asset is considered to be lost.
‣ Graph 3-18 Private key anti-brute force architecture supported by mainstream wallets (diagram labels: private key + PIN, hardware wallet biometric confirmation, Web transaction secondary password, Mobile transaction secondary password). Source: TokenInsight
A broken login PIN can easily cause security issues for wallets without secondary protection. To
solve this problem, it is also possible to use the blockchain's own framework technology to
perform secondary asset encryption, so that the user can control the digital assets more strongly. For
example, if ETH is stored at a smart contract address instead of an ordinary address, both the
private key signature and a separate password are required to invoke the contract each time ETH is
transferred out, and the transaction succeeds only when both are provided.
The scheme is currently in use at the EtherSafer wallet project, which features low cost and a high
level of security. The secure storage of ETH wallets using the contract address can effectively reduce
the risk of theft of the users' digital assets.
‣ Graph 3-19 Comparison of wallet features using ordinary and contract addresses. Source: TokenInsight
Ordinary address: HD wallet architecture + ordinary address storage = simplified trading process + safe transfer of assets
Contract address: HD wallet architecture + contract address storage = simplified trading process + reduced risk of theft + safe transfer of assets
IV. Artificial Risks
Among the security risks of digital asset storage and transaction, in addition to the security threats caused by technology, there are also risks brought by the manual operation of different wallets due to business needs, including supply chain risk, authority chain risk, etc.
4.1 Supply Chain Risk
Supply chain risk is particularly evident in the security threat of hardware wallets. As a physical product, the hardware wallet may experience problems such as product damage and firmware tampering anywhere in the process from production by the enterprise to use by the user. The supply chain risk management methods currently used by project sides engaged in hardware wallet production generally are: 'logistics security guarantee' + 'initial verification'.
‣ Graph 4-1 Number of wallets that support logistics security guarantee: supports logistics security guarantee 80%, does not support logistics security guarantee 20%. Source: TokenInsight
We can see from Graph 4-1 and 4-2 that 80% of the hardware wallet projects support logistics
security guarantee in response to supply chain risks. The main approach is to monitor their own product
links and coordinate with the logistics chain. 90% of the hardware wallet projects support initial
verification, and most project parties are already taking measures to control the risks. The project
parties who are pursuing the user experience have also adopted some special methods, such as
peer-to-peer logistics, which can reduce the supply chain risk further. Overall, the digital wallet industry
has achieved initial success in supply chain risk management and control.
Note: Supply chain risk usually refers to materials flowing through the supply chain from production and distribution enterprises to users, generating different flows such as business, logistics and information flow, and involving many processes such as distribution processing, storage, packaging, transportation, loading and unloading, distribution and information processing. Any risk caused by problems in these links is called supply chain risk.
Does not support initial verification: 10%
Supports initial verification: 90%
‣ Graph 4-2 Number of wallets that support initial verification. Source: TokenInsight
In TokenInsight's 2018 Most Valuable Wallet - Hardware Wallet List (see Appendix for details), there
are 22 wallets from 16 companies at home and abroad, including (Ledger) Blue, which tops the list with a comprehensive score of 11.7 points, and BEPAL-Q, which ranks top in China with a
score of 9.4 points, ranking sixth overall.
‣ Graph 4-3 Hardware wallet comprehensive ranking Top 10 list. Source: TokenInsight
Hardware Wallet
Ranking | Name | Overall Rating
1 | Blue | 11.7
2 | Model T | 9.8
3 | Nano S | 9.7
4 | KeepKey | 9.5
5 | ONE | 9.4
6 | BEPAL Q | 9.3
7 | Digital Bitbox | 9.1
8 | Bepal Pro S | 9
9 | BiPal | 8.7
10 | Keywallet Touch | 8.3
4.2 Privilege Chain
‣ Graph 4-4 Centralized wallet physical chain + privilege chain schematic. Source: TokenInsight
In many centralized wallets, in addition to physical chains (usually hardware wallets or full-node wallets) that can implement asymmetric encryption algorithms, there are also privilege chains (usually management systems composed of staff) that control transactions, time, amount, etc. This is shown in the following graph of the managed system designed by InVault: the off-net storage room can be regarded as the physical chain, and the network storage room can be regarded as the privilege chain. General centralized exchanges and trustee institutions engaged in large-scale custody services use such structures for digital asset management.
‣ Graph 4-5 Centralized wallet physical chain + authority chain structure example. Source: InVault
[Figure labels: Privilege chain contacts physical chain; Use the physical chain for operation; Authorize the privilege chain for transfer; Confirm the transaction, withdraw the privilege chain]
The physical chain and the privilege chain are isolated from each other in the architecture design.
After being authorized, both sides can contact and operate. When the transaction is over, the two
sides are again isolated. However, it can be found that the privilege chain actually has absolute
control over the physical chain. Once a problem occurs in any dimension such as the time, object or
amount of the transaction, the users' digital assets may be potentially threatened or damaged.
In addition to physical chain risks, the asset security of a centralized wallet is also subject to the
artificial (human-caused) risks of the privilege chain. This is particularly evident in the asset losses suffered by
centralized exchanges. According to statistics, about 40% of the centralized wallet losses in 2018 are
related to privilege chain risks. In February 2019, the founder of the QuadrigaCX Exchange was
missing (currently the Indian government has provided a death certificate), resulting in the loss of
$195 million in digital assets of the exchange, which pushed the risk of privilege chains to the forefront of
the digital wallet custody security problems. Because the privilege chain risk is uncontrollable, it has
become a difficult problem for asset security in the industry.
Involves privilege chain risk: 40%
Does not involve privilege chain risk: 60%
‣ Graph 4-6 Privilege chain risk incidents as a percentage of centralized wallet security incidents
5. Security Field Outlook
5.1 Expansion of the Security Audit Business
In view of the industry development trend and the above-mentioned problems, it is currently believed that the hotspots in the security field of the wallet industry in 2019 will focus on the improvement of the security audit system, the development of wallets based on the security architecture, and the management of artificial risks in wallet asset management businesses.
With the development of the wallet industry, the market will further expand. According to statistics, the
creation time of existing wallets was initially concentrated in 2013. As of December 2018, the number
of digital wallet projects has accumulated to more than 340, an increase of about 30% compared with
2017.
‣ Graph 5-1 Number of global digital wallet projects. Source: Statista
[Chart: number of projects (y-axis, 0 to 400) by year (x-axis, 2013 to 2018)]
In terms of the growth rate of wallets, 2017 increased by about 62% compared with 2016, which was
higher than ever before. Although the growth rate slipped in 2018, it is still much higher than
in the years before 2017. This reflects that the digital currency market is currently of a certain size. It is
expected that the mainstream wallet projects will increase by at least 20 in the global market in 2019.
The original wallets are also actively expanding and adding new services. For example, Ledger, Xapo and other wallet companies focusing on secure storage have begun to deploy emerging
businesses such as digital asset custody and asset management. Both the depth and breadth of the
wallet industry itself are growing rapidly.
At present, the security reviews of wallet projects on the market fall into the following categories:
The first category is the technical risk security review. The current security review is based on the following:
- Carrier risk review: system vulnerability scanning, new user registration security, carrier environment detection, client integrity detection
- Private key storage risk review: mnemonic creation security, mnemonic storage security, private key generation security, private key storage security, locally stored data sensitivity detection
- Network protocol risk review: network proxy detection, certificate verification in HTTPS communication
- Login risk review: user information security, private key import security, transaction password security
- Transaction risk review: transaction creation security, transfer address security detection, transaction signature security, transaction confirmation, balance inquiry accuracy, etc.
However, the above-mentioned security auditing business only audits part of the technical risks of mobile terminals, and there is less technical risk auditing for hardware wallets and PC wallets. Overall, digital wallet security audit services need to be expanded. Therefore, given the continuous increase of wallet projects and services and the incompleteness of the existing security review framework, the demand for wallet security audit business will further increase in 2019.
‣ Graph 5-2 Various wallet security audit businesses. Source: TokenInsight
Mobile wallet security audit: carrier detection; private key storage detection; network security detection; transaction security detection; login security detection
PC wallet security audit: private key storage detection; network security detection; carrier detection
Hardware wallet security audit: chip security detection
5.2 The Rise of Compatibility Wallets
According to statistics, as of Q4 2018, the number of global digital asset wallet users was 31.914 million, an increase of 10.4% from the previous quarter and an increase of 48.3% from the previous year. If the number of Internet users is taken as the growth target for the number of digital currency users, the user base has room to expand 100-fold. This means that it has great development potential and huge market space. With the development of blockchain technology, the market will usher in more diversified development in 2019, and more people will enter the blockchain and digital currency industry.
‣ Graph 5-3 Global digital currency user size. Source: Statista
[Chart: global digital wallet user scale; number of digital wallet users in units of 10,000 (y-axis, 0 to 4,000) by quarter (x-axis, 2015 Q1 to 2018 Q4)]
Due to a lack of understanding of asymmetric cryptographic algorithms and inexperience with decentralized wallets, these emerging users will choose a centralized wallet as a storage tool to reduce the security risks to their digital assets.
After a period of time, as their professional knowledge increases, users will seek to use a decentralized wallet, transferring the security risks of digital assets from the wallet project to themselves. At this time, the user has a certain stickiness to the original centralized wallet.
If the wallet project party can provide an additional decentralized private key storage solution at this time, users can meet their need to upgrade private key storage security while retaining their original operating environment, and the project party can reduce user loss and become more attractive to new users.
In summary, based on security and market development considerations, wallets that support both decentralized and centralized storage will be a popular choice for users in 2019.
‣ Graph 5-4 Development of wallet user selection intention. Source: TokenInsight
[Figure labels: Early user selection: Practicality. Late user selection: Practicality, Security]
‣ Graph 5-5 2018 Most Valuable Wallet - Light Wallet - China's List Evaluation Data. Source: TokenInsight
Among the Top 10 wallet projects in the Most Valuable Wallet - Light Wallet - China's List (see
Appendix for details), Math Wallet and Cobo Wallet have begun to try compatibility services. As the market develops, wallets that support both centralized and decentralized storage
will be more and more favored by users, and the new security issues brought about by the
architecture upgrade are also worth noting.
China-SPV/centralized
Ranking | Name | Overall Rating
1 | Cobo Wallet | 9.0
2 | Qbao Network | 8.6
3 | BitKeep | 8.2
4 | Token Pocket | 8.1
5 | imToken Wallet | 7.7
6 | Kcash Wallet | 7.2
7 | Bitpie | 6.6
8 | MEET.ONE | 6.0
9 | Math Wallet | 6.0
10 | Secrypto | 5.9
5.3 A Stumbling Block to the Asset Management Business
In terms of project functions, the wallet industry is not limited to storage and transaction solutions for digital currency assets. The functions added on this basis include information service, asset management, lending, and DApp access. With the development of public chains and the involvement of traditional financial institutions, services such as project docking, asset management and lending are rapidly emerging. More than 40 wallet project parties have launched digital asset management services.
Supports asset management business: 32%
Does not support asset management business: 68%
‣ Graph 5-8 Number of wallets with and without asset management businesses. Source: TokenInsight
‣ Graph 5-6 Wallet function overview. Source: TokenInsight
[Figure labels: Storage and transaction; Information service; Asset management; DApp access; Lending]
‣ Graph 5-7 Wallet financial function overview. Source: TokenInsight
[Figure labels: Financial product: Fixed term financial management; Intelligent mining; Current financial management]
Most of the organizations that have launched digital asset management services use a centralized
approach to manage digital assets in the form of 'physical chain' + 'privilege chain'. With the rapid
expansion of this business, the security risks are also increasing. Especially due to the uncontrollable
nature of the 'privilege chain' risk, fully managed wallets are very likely to face security
vulnerabilities similar to those of the centralized exchanges.
The custody and asset management services in the wallet business are developing rapidly. Among
the Top 10 of the Most Valuable Wallet - Light Wallet - China List released by TokenInsight (see
Appendix for details), Cobo Wallet, BitKeep, Token Pocket and 3 other wallets have launched financial management services, and digital assets stored in the centralized wallets will grow rapidly.
For the asset management services that are about to develop rapidly, the artificial risks such as
private key control and manual transfer brought by centralized storage of digital assets will be an urgent
problem to be solved. If it is impossible to find a solution that reduces the artificial risks, the security of
digital assets will be plagued by artificial risks.
‣ Graph 5-9 2018 Most Valuable Wallet - Light Wallet - China List Top 10. Source: TokenInsight
China-SPV/centralized
Name | Financial products
Cobo Wallet | √
Qbao Network | √
BitKeep | √
Kcash Wallet | √
MEET.ONE | √
Secrypto | ×
imToken Wallet | ×
Bitpie | ×
Token Pocket | √
Math Wallet | ×
Appendix
Hardware Wallet
Product Name | Price Rating | Target Groups | Number of Major Currencies | Quantity Rating | Operation Standard Rating | Hardware User-friendliness | Chip Security Level Rating | Operation Performance | Overall Ratings
Blue | 6 | Enterprise | 16 | 10 | 0 | 2 | 8 | 10 | 11.7
Model T | 6 | Individual | 6 | 6 | 0 | 0 | 10 | 10 | 9.8
Nano S | 6 | Individual | 16 | 10 | 0 | 0 | 8 | 10 | 9.7
KeepKey | 6 | Individual | 3 | 4 | -1 | 2 | 10 | 10 | 9.5
ONE | 10 | Individual | 5 | 6 | -1 | 0 | 10 | 10 | 9.4
BEPAL Q | 8 | Individual | 6 | 6 | 0 | 2 | 6 | 6 | 9.3
Digital Bitbox | 10 | Individual | 2 | 4 | 0 | 0 | 10 | 10 | 9.1
Bepal Pro S | 6 | Enterprise | 6 | 6 | 0 | 2 | 6 | 6 | 9.0
BiPal | 6 | Individual | 9 | 8 | 0 | 0 | 10 | 6 | 8.7
Keywallet Touch | 10 | Individual | 6 | 6 | 0 | 0 | 8 | 6 | 8.3
Swiss Bank in Your Pocket | 8 | Individual | 4 | 4 | 0 | 0 | 10 | 6 | 7.4
链盾 | 0 | Individual | 4 | 4 | 0 | 2 | 6 | 4 | 7.1
LUBANSO X1 | 6 | Individual | 6 | 6 | 0 | 0 | 6 | 6 | 7.0
KASSE HK-1000 | 10 | Individual | 6 | 6 | 0 | 0 | 7 | 6 | 7.0
CoolWallet | 8 | Individual | 3 | 4 | 0 | 0 | 8 | 6 | 6.7
Wallet List
Name | Hierarchical Deterministic | Open Source | Multi-signature | Two-step verification | Private Key Storage Location | Number of Comments | Number of Comments - Rating | Stars | Stars - Rating | Transaction Service | Market Information | Financial Tools | DApp Access | Social Function | Overall Ratings
China-SPV/centralized
Cobo Wallet | 1 | 0 | 1 | 1 | 1 | 2,531 | 10 | 5 | 10 | 1 | 0 | 1 | 0 | 1 | 9.0
Qbao Network | 1 | 0 | 0 | 0 | 1 | 373 | 8 | 4 | 8 | 1 | 1 | 1 | 1 | 1 | 8.6
BitKeep | 1 | 0 | 0 | 0 | 1 | 77 | 4 | 4 | 8 | 1 | 1 | 1 | 1 | 1 | 8.2
Token Pocket | 0 | 1 | 0 | 1 | 1 | 58 | 2 | 4.0 | 8 | 1 | 1 | 1 | 1 | 1 | 8.1
imToken Wallet | 1 | 1 | 0 | 0 | 1 | 286 | 8 | 4.5 | 9 | 1 | 1 | 0 | 1 | 0 | 7.7
Kcash Wallet | 0 | 0 | 1 | 1 | 1 | 160 | 4 | 4 | 8 | 1 | 0 | 1 | 1 | 0 | 7.2
Bitpie | 1 | 0 | 0 | 0 | 1 | 403 | 8 | 4 | 8 | 1 | 1 | 0 | 1 | 0 | 6.6
MEET.ONE | 0 | 0 | 0 | 0 | 1 | 6 | 0 | 5 | 10 | 1 | 1 | 1 | 1 | 0 | 6.0
Math Wallet | 0 | 1 | 0 | 0 | 1 | 24 | 2 | 4 | 8 | 1 | 1 | 0 | 1 | 0 | 6.0
Secrypto | 0 | 1 | 0 | 0 | 1 | 76 | 2 | 3.5 | 7 | 1 | 0 | 0 | 1 | 1 | 5.9
Overseas-SPV/centralized
Freewallet Series | 1 | 0 | 1 | 1 | 0 | 504 | 8 | 4.5 | 9 | 1 | 1 | 0 | 1 | 0 | 7.7
HB Wallet | 1 | 0 | 0 | 1 | 1 | 377 | 8 | 4 | 8 | 1 | 0 | 0 | 0 | 1 | 6.6
Edge | 1 | 1 | 0 | 1 | 1 | 66 | 2 | 4.5 | 9 | 1 | 0 | 0 | 0 | 0 | 6.1
Coinbase Wallet | 0 | 0 | 1 | 1 | 0 | 201 | 4 | 4 | 8 | 1 | 1 | 0 | 0 | 0 | 5.2
Copay Bitcoin Wallet | 1 | 1 | 1 | 0 | 1 | 95 | 4 | 3.5 | 7 | 0 | 0 | 0 | 0 | 0 | 5.1
Citowise | 1 | 0 | 0 | 0 | 1 | 622 | 10 | 5 | 10 | 1 | 0 | 0 | 0 | 0 | 5.0
Uphold | 0 | 0 | 0 | 1 | 0 | 2,638 | 10 | 5 | 10 | 1 | 0 | 1 | 0 | 0 | 5.0
Trust Wallet | 1 | 0 | 0 | 0 | 1 | 1,793 | 10 | 4.5 | 9 | 0 | 0 | 0 | 1 | 0 | 4.9
Green Address | 1 | 1 | 1 | 1 | 0 | 27 | 2 | 3 | 6 | 0 | 0 | 0 | 0 | 0 | 4.8
Bread Wallet | 1 | 1 | 0 | 0 | 1 | 989 | 10 | 3.5 | 7 | 0 | 0 | 0 | 0 | 0 | 4.7
Wallet Lists
Samples are divided into SPV and centralized wallets. The output is divided into domestically developed wallets and foreign wallets.
A total of nine dimensions are Boolean values.
- Hierarchical deterministic (HD): whether multiple addresses can be controlled by a private key. Yes: +1 point; No: 0 point
- Open source: whether the wallet is open sourced
- Two-step verification: whether the wallet has dual verification
- Multi-signature: a dimension mostly found in enterprise-level wallets; one of the indicators for measuring safety
- User experience: transaction services; market information; financial tools; DApp access; social functions. Yes: +1 point; No: 0 point
- Private key storage location: user retention, wallet retention, third party retention. +1 point, 0 point, -1 point
- Popularity: the first data source for comments is the App Store (US account); the second source is Google Play; the rating stars are taken in the same order. Take the quartiles of the number of comments (10 points, 8 points, 4 points, 2 points, 0 points). Stars × 2 is used as the star rating.
Hardware Wallet
- Wallet price: the lower the wallet price, the higher the score (enterprise and personal wallets scored separately). 100: 6 points
- Supported currency: the higher the number of currencies, the higher the score. If the storage of ERC20 tokens is supported, extra points can be gained. 10: 10 points
- Executive standard: the higher the standard, the higher the score, which is an additional subtraction. BIP44: 0 point; BIP39: 1 point
- Type: there are different forms such as tablets, U shields, cards, etc. Scored according to friendliness. Tablet: 2 points; Others: 0 point
- Chip security level: the higher the security level, the higher the score. CC EAL 4+: 6; CC EAL 5+: 8
- Operating conditions of manufacturers:
  Excellent: the company received more than $10 million financing, has leading technology and feasible profit methods. 10 points
  Good: the company received less than $10 million but more than $1 million financing; the technical level is in the upper reaches of the industry and profit methods are feasible. 6 points
  General: the company received less than $1 million financing, the technical level is in the middle reaches of the industry, and the profitability has bottlenecks. 4 points
TokenInsight Inc. Global Token Data & Rating Agency