/dec 18, 2017

What's in your Crypto Currency Wallet?

By Jet Anderson

Keeping up with our theme of cryptocurrency blog posts, especially given all of the hoopla about digital currencies these days, we decided to do a little digging into the relative security of cryptocurrency related open source projects.

Wow. Just wow.

The names have been changed to protect the guilty, but even we were surprised at the results. In total, we scanned the top five projects with active development, each having dozens of commits in the past week. We didn't want to just focus on a single currency or even only wallets, but projects that were likely to be used in commercial applications or purpose-built for commercial use. The results were astonishing.

Outdated Libraries

As you can see from the graphic below, in just these five examples there were 46 libraries alone with old libraries indicating a lack of visibility by the developers into the version creep in their software.

Security Vulnerabilities in cryptocurrency related open source projects


On the vulnerability front, the count is lower, but the severity is most definitely not.

  • 1 Remote Code Execution flaw
  • 2 Cross-Site Scripting vulns
  • 14 Denial Of Service flaws

The list goes on.

Over 70 Percent Only Visible With Premium

Now here's the kicker: Of the 26 vulnerabilities found, just six of them have been reported. You'll only see the remaining (verified) security flaws if you have access to SourceClear premium data.

With the rise in popularity of cryptocurrency, and especially the proliferation of new coin types, wallets, and exchanges it's time we pay attention to where our money is stored or we may find some missing.

Related Posts

By Jet Anderson

Jet is a technical evanglist at Veracode. He likes talking to customers and helping them with their DevSecOps journey.