On Saturday, the Atomic Wallet team officially confirmed reports of compromised user wallets. Independent blockchain sleuth ZachXBT followed through by tracing transaction hashes via received messages from victims. At the time, he reported the largest single victim having lost $2.8 million worth of USDT.

On Sunday, the Atomic Wallet team made another announcement claiming that only “1% of our monthly active users have been affected/reported. Last drained transaction was confirmed over 40h ago.”

Atomized User Funds

In the meantime, drained funds have been accumulating. ZachXBT kept adding the toll to an estimated $50 million, with the single largest victim losing 7.95 million USDT. Interestingly, the wallet exploit attack appears highly concentrated, with just five wallets accounting for $17 million.

The exact mechanism behind the exploit/attack is still not clear.  Meanwhile, the Atomic Wallet team is forwarding all affected wallet addresses to exchanges and blockchain analytics to “trace and block the stolen funds.”

Such action recently happened when Binance helped US authorities recover $4.4 million from North Korean hackers. However, the Atomic Wallet exploit was life-shattering even for users holding relatively minor funds.

It is highly unusual for a self-custodial wallet to collapse so completely. After all, everyone in the crypto space is familiar with the long-standing mantra, ‘Not your keys, not your Bitcoin!’ including the Atomic Wallet team, led by Konstantin Gladych.

Two Major Red Flags

Despite the multi-million popularity, there were some red flags present. Firstly, Atomic Wallet’s code is closed-source. This means that users depend wholly on the team to safeguard the wallet’s security, as the code is not publicly scrutinized.

The Atomic Wallet team acknowledged that open source “allows crypto enthusiasts and software engineers to audit the code to make sure it’s secure,” but this is a double-edged sword because:

“At the same time, it also greatly aids scammers & hackers in learning everything about the app’s inner workings.”

The Atomic Wallet team further noted that open source makes scammers’ life easier by “creating fake GitHub repositories filled with malware.” In hindsight, perhaps the open-source maxim “Given enough eyeballs, all bugs are shallow.” should have been headed instead.

Interestingly, Binance opted for an open-source approach when it acquired the mobile Trust Wallet in 2018, becoming the official wallet for the world’s largest exchange.

As for the second red flag, in February 2022, a comprehensive security audit done by Least Authority concluded the following:

“We found that the design and implementation of the Atomic Wallet system does not sufficiently demonstrate considerations for security and places current users of the wallet at significant risk.”

One of the discovered vulnerabilities is precisely what happened over the weakened, as the Atomic Wallet was found “vulnerable to a range of attacks that may lead to the total loss of user funds.”

Least Authority pointed at the lack of proper cryptography implementation, lack of best practices in wallet system design, and the lack of robust project documentation. Connecting the dots, it appears that Atomic Wallet’s justification for not being open-source was related to these issues rather than preventing fake GitHub repositories.

This article originally appeared on The Tokenist

Thank you for reading! Have some feedback for us?
Contact the 24/7 Wall St. editorial team.