In Tuesday’s edition of The Daily, we detail the theoretical vulnerability found in the Coldcard crypto wallet, coming just one month after its manufacturer ridiculed the flaw found in other hardware wallets. Sticking with vulnerabilities, we also consider the risks of leaving your funds on an exchange in the wake of Liqui’s demise and examine how private zcash transactions really are.
Coldcard Subjected to Proof-of-Concept Hack
Coldcard, the hardware wallet (HW) developed by Coinkite, is vulnerable to a theoretical man in the middle attack that would enable its PIN code to be tried multiple times a second. The attack would require physical access and specialist hardware to perform, but was nevertheless deemed serious enough for Coinkite to publish a blog post encouraging users to select a long PIN code. The white hat hacker who found the exploit, Lazy Ninja, shared his findings with Coinkite, along with a video demonstrating it in action.
If you have a COLDCARDWallet you should increase your PIN to at least 6 digits and if you ever lose your wallet you should move your funds to a new seed root. I’ll post some more technical details on the attack soon.
— LazyNinja ☇ (@FreedomIsntSafe) January 28, 2019
As Coinkite explains, “His approach takes between 5 and 10 seconds per PIN attempt … Although we allow very short PIN codes—even just four digits (2+2) for development—as explained in our documentation, best practice is using an eight digit PIN code (4+4), which is what we recommend.” In December, Coinkite published a blog post titled “Some Other Wallets.fail” which poked fun at other manufacturers’ devices that were exploited by the Wallet Fail team.
Liqui Exchange Shuts Down Citing Lack of Liquidity
On Jan. 28, Liqui exchange sent an email to its users stating that: “Much to our regret … Liqui is no longer able to provide liquidity for the users left. We also do not see any economic point in providing you with our services.” It’s promised users that they will be able to withdraw their assets within 30 days of the notice. Speculation has swirled as to the reasons behind the exchange winding down.
Traders have reported withdrawal issues with Liqui for months, and were disgruntled in late December to find updated terms that deducted 3.33 percent per day after a zero-fee withdrawal period ended. Given the shadiness of the Ukraine-registered exchange, whose owners are unknown, its exit from the cryptocurrency space will not be mourned by traders who were able to withdraw all of their holdings in time.
— Liqui (@Liqui_Exchange) December 28, 2018
Zcash Privacy Debated
The level of privacy provided by zcash (ZEC) has been fiercely debated this week in the wake of comments from the Winklevoss twins that regulators were more “comfortable” with the coin than monero (XMR). “In theory Zcash has better privacy than Monero. Is there something they know about ZEC that we don’t?” responded well-known cryptographer Peter Todd. He later directed his Twitter followers to a tweet highlighting a ZEC feature that enables transactions to be marked for the purposes of meeting “mandatory KYC/AML bullshit.”
So Zcash specifically promotes using a feature they added – an encrypted memo field – for deanonymizing transactions to meet mandatory KYC/AML bullshit.
Transparency for the weak, privacy for the powerful… https://t.co/LfY7ujegXU
— Peter Todd (@peterktodd) January 26, 2019
In a separate Twitter debate on Jan. 28, another user ranked the privacy levels of ZEC and XMR, suggesting that the most private method was sending zcash between z-addresses, followed by using monero with lots of “churn” to further obfuscate sender and receiver. “This is quite accurate,” agreed Monero developer Riccardo Spagni.
What are your thoughts on the stories in today’s news roundup? Let us know in the comments section below.
Images courtesy of Shutterstock.
Need to calculate your bitcoin holdings? Check our tools section.