New Hardware Wallet Security Assessment Features for Wallet Security Audit

SlowMist
Feb 23, 2024

Web3 hardware wallets are physical devices used to store cryptocurrencies and digital assets, typically offering greater security than web/app wallets because they provide a way to store private keys offline. This means that when interacting with DApps using a hardware wallet, the private key is never exposed to the internet, thus protecting it from hacker attacks.

Compared to web/app wallets, hardware wallets have stricter security requirements. If the security of the hardware itself is not adequately considered from the outset, it may introduce security issues that cannot be fixed through firmware updates. In such cases, the only solution is to release a new version of the hardware wallet. Older versions of the hardware wallet may not meet the ongoing security requirements, and users’ assets may be at risk, representing a significant loss for both the project developers and the users.

Moreover, hardware wallets often have many security weaknesses in their supply chain, physical security, and firmware code implementation. If project developers consider these weaknesses at the design stage and incorporate relevant security designs, they can effectively prevent security issues after the hardware wallet is manufactured.

Over the years, the SlowMist security team has continuously focused on Web3 wallet security, launching services such as web wallet security audits, browser extension wallet security audits, and mobile/desktop wallet security audits.

Recently, our team has conducted an in-depth analysis of hardware wallet security, assisted by threat modeling to facilitate security and attack scenario analysis for hardware wallets, compiling the following hardware wallet security audit items:

Note: For hardware wallets, SlowMist strongly recommends conducting white-box audits to ensure a comprehensive audit.

Hardware wallets are critical devices for managing users’ cryptocurrency assets. The SlowMist security team continues to support the development of the industry’s ecosystem by providing security capabilities. By introducing new hardware wallet security audit capabilities, we aim to better protect project developers and users’ cryptocurrency assets, reducing the risk of cryptocurrency asset theft. Currently, the SlowMist security team has established long-term collaborations with the Account Labs and OneKey teams, working together to ensure the security of cryptocurrency assets. Project developers in need of audit services are welcome to contact the SlowMist security team via email at team@slowmist.com for consultation and cooperation.

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

We offer a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall), Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.


SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.