Disclosure of Security Vulnerabilities in Atomic Wallet, Audited by Least Authority

Our security research team conducted a comprehensive security audit of the Atomic Wallet system design, in addition to the corresponding core, desktop, and mobile coded implementations. The initial review phase began on 3 March 2021 and concluded upon delivery of the Initial Audit Report on 7 April 2021. We found that the design and implementation of the Atomic Wallet system do not sufficiently demonstrate considerations for security and place current users of the wallet at significant risk.

Following the delivery of the Initial Audit Report, the Atomic Wallet team provided a response to our findings on 16 November 2021. During the verification phase, our team reviewed the commits provided by Atomic Wallet and found that a significant number of issues and suggestions remain unresolved and that the implementation in its current state continues to be a security risk for users.

Due to the current state of the design and implementation, as detailed in the issues and suggestions outlined in our Final Audit Report, we consider the Atomic Wallet to be insufficiently secure in protecting user assets and private data. 

As a result, we strongly recommend that the Atomic Wallet team immediately notify users of the existing security vulnerabilities. In addition, until the issues and suggestions outlined in the report have been sufficiently remediated and the Atomic Wallet has undergone subsequent security audits, we strongly recommend against the Atomic Wallet’s deployment and use. 

We are publishing this blog post in adherence with our policy on responsible disclosure to the users who may be at increased risk due to the issues we reported remaining unaddressed. We are committed to our clients and will work to ensure they have the appropriate information and time needed to address threats and vulnerabilities identified during our security audit. In an effort to stay true to our mission of promoting ethical practices as they relate to security and privacy, we also have a responsibility to the developers, users, and broader community utilizing the tools and technologies that we audit. In support of this effort, we permit our clients’ development teams the opportunity to address any issues prior to publicly disclosing our concerns or our findings. In the event that issues are not addressed by the development team in a timely manner and users are at risk, this results in a public disclosure.

Prior to publishing this blog post, we notified the Atomic Wallet team of our plans to responsibly disclose the risk to users and invited them to work collaboratively with us in hopes that they would take immediate action, as recommended. We provided the Atomic Wallet team several opportunities to address the issues in our report and reached out several times to inform them of our reasoning and intentions prior to publishing this blog post. However, they have not provided a sufficient or timely response after several suggestions by our team encouraging their proactive participation in this disclosure to alert users.

At this time, we have decided against publishing the Final Audit Report to the public in order to prevent potential malicious actors from misusing the information in the report to compromise user wallets, steal user funds, and access private user data. We hope that this disclosure of the existence of significant vulnerabilities without providing details helps to appropriately warn users without putting them at even greater risk.


Additional Details

We identified several security-critical issues making current users of the Atomic Wallet vulnerable to a range of attacks that may lead to the total loss of user funds. Specifically, we found that user funds are at increased risk due to the current use and implementation of cryptography. We also noted a lack of adherence to wallet system design and development standards and best practices, reducing the overall security of the system and increasing the Atomic Wallet’s attack surface. 

In addition, the absence of robust project documentation and of a comprehensive test suite, together with the large number of potential issues that may result from the incorrect use of Electron, increases the risk of security vulnerabilities and implementation errors going unnoticed. The implementation also makes use of a large number of out-of-date and unmaintained dependencies.

We strongly recommend that Atomic Wallet immediately notify users of the existing vulnerabilities, address and resolve all issues and suggestions outlined in the audit report, and conduct and publish a full, comprehensive follow-up security audit of the Atomic Wallet by an independent security auditing team once all fixes have been sufficiently implemented.