Update: Hardware wallet Ledger's CEO Eric Larchevêque comments, "The Coinomi meltdown is further evidence of why software wallets are a recipe for disaster. When entrusting a software wallet with your assets, you are exposing your private keys to the internet, leaving them vulnerable to attack.”
Coinomi’s crypto wallet is branded as “your trusted blockchain interface” offering a place to “securely store, manage and exchange Bitcoin” and other cryptocurrencies. Its website states it has never “been hacked or otherwise compromised to date.” But an alleged security vulnerability now puts that claim in doubt.
Coinomi has responded to the allegations in this post on Medium which states the spell checking functionality was enabled for desktop wallets but that the seed phrase wasn't sent as plain text, it was "encapsulated inside a HTTPS request with Google being the sole recipient." It added that Google did not process, cache or store the requests. The issue was fixed six days ago.
A report by security consultant Warith Al Maawali claims he lost $60,000 to $70,000 while using the Coinomi wallet. He argues that Coinomi’s built-in spell checker automatically checked his seed phrase which involved sending it as plain text to a Google-owned website. This meant it could have been intercepted, leading to the loss of funds. There have been other similar claims on Reddit. While it’s difficult to verify if these claims are true, it does highlight a bigger vulnerability: seed phrases and the dangers of entering them on computers connected to the internet.
Al Maawali told Decrypt he used his Ethereum seed phrase in the Coinomi wallet to access Ethereum-based tokens that he owned but were not supported by the Exodus crypto wallet which he was already using. He said everything worked okay at first as the tokens showed up but then a few days later, the wallet was emptied.
Due to this, he did some research and found what he believes is a critical vulnerability within the Coinomi wallet. At the point where you enter your seed phrase, it is processed through a spell checker. This means the whole seed phrase is sent to a Google-owned website. He has uploaded a video for anyone to replicate the process and see that the vulnerability exists.
Programmer Martin Habovštiak confirmed on Twitter that the vulnerability is real but argued that there might be more a more nefarious reason for the loss. Habovštiak believes it was more likely the money was stolen via malware, or Maawali sent the coins to another account he owns to make it look like they were stolen and is trying to double his money.
However there have been other reports of funds disappearing on the Coinomi wallet—which isn’t uncommon for any software wallet. There are two posts on Reddit by users who claim their funds have disappeared from the Coinomi wallet. Although neither specify that they imported their seed phrase into the wallet.
Al Maawali also provides screenshots of a conversation he claims to have had with Coinomi support in which they appear to accept the vulnerability exists but deny that it was responsible for the loss of funds. This conversation has not been independently verified.
This issue flicks at other issues facing Coinomi. Luke Childs, a developer of open-source software accused the app of lacking necessary encryption measures when sending user information. A blog post by Jonathan Sterling, co-founder of Coin Flow, goes into more detail on the issues, providing screenshots of tweets allegedly from Coinomi dismissing the claims.
While there is evidence that the exploit is real, it is much harder to verify that it was the reason the funds were stolen. There are many other possibilities of how the money was taken including malware or vulnerabilities in other crypto wallets—if it was even stolen. But this vulnerability proves that crypto wallet providers need to think outside the box when it comes to security, but not too much.
[This article has been updated with the response from Coinomi.]