LiteVault Web Wallet Closes
Latest revision as of 14:13, 31 August 2023
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment.
LiteVault was a web wallet set up by a litecoin developer named someguy123. It didn't manage private keys but rather gave users a secure way to generate them from the username and password (similar to blockchain.info). The service operated for several years before the domain name expired on January 1st, 2022. At this point, recovery of funds would require reconstructing the wallets using the source code. It's unclear what amount of funds remain stuck due to the level of technical knowledge which would be necessary to recover them.
About LiteVault
"Welcome to LiteVault - The trustless online wallet for litecoin." "Your wallet is encrypted before it touches our servers. Unlike other Litecoin wallet services, we NEVER see your private keys, and are unable to access your funds."
"Litevault is an online wallet service which uses in-browser cryptography to reduce the risk of the coin operator running with the funds. This same system is used by Blockchain.info - a well known online Bitcoin wallet (UNAFFILIATED WITH LITEVAULT)."
Litevault was made by Someguy123: "I am a trusted website developer within the Litecoin community responsible for various services including the Litecoin Block Explorer, and administrating various official Litecoin resources such as the Wiki and IRC. I feel Litecoin hasn’t had enough backing or support, so this is my contribution."
"When you login to LiteVault, your browser sends your identifier to our server, we return an encrypted version of your wallet with the AES algorithm, your browser then decrypts this using your password (which is never sent to the server) to load your private keys used to sign transactions."
The Reality
Any centralized service can go offline at any time, and it's critical to keep backups of any important data.
What Happened
The LiteVault wallet domain expired on January 1st, 2022, bringing the website offline and preventing CherylTuntIRL from accessing their litecoin web wallet.
| Date | Event | Description |
|---|---|---|
| December 31st, 2022 | Wallet Working | CherylTuntIRL reportedly was still able to access their wallet "on NYE"[5], although "there was a cert[ificate] error"[6]. |
| January 1st, 2022 | Domain Expired | The litevault.net domain name reportedly expired[7]. |
| January 2nd, 2022 6:01:26 AM MST | Reddit Post Made | CherylTuntIRL posts on Reddit to report that they "had a bit of LTC in" the LiteVault service, and recommend that other users "[s]tore [thei]r coins in hardware wallets" instead[7]. |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
"When you login to LiteVault, your browser sends your identifier to our server, we return an encrypted version of your wallet with the AES algorithm, your browser then decrypts this using your password (which is never sent to the server) to load your private keys used to sign transactions."
Total Amount Lost
The total amount lost is unknown.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Discussion About Wallet Options
Multiple Reddit users discussed different wallet alternatives[8][9].

> Currently shopping hardware wallets myself. Thanks for the reminder.

> If you can't, or don't want to use a hardware wallet, at least use your own personal software wallet. Anytime you don't hold the keys to your own crypto you run the risk of losing it.
Discussion About Website Coming Back
> The cert expired last month so it's not a surprise that the domain also expired. Whoever was running it has the coins, but I wouldn't use the website again if it ever comes up unless the original owner comes out to say he put it back up.
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
"I had a bit of LTC in an old Litecoin wallet but the service is no longer available. Looks like the domain expired on 01/01/2022 and someone else has bought it. I completely forgot about it until the conversation came up and I was going to move it out today. Store your coins in hardware wallets, folks!"
"Whoever was running it has the coins, but I wouldn't use the website again if it ever comes up unless the original owner comes out to say he put it back up."
Total Amount Recovered
There are several methods which could be used to recover funds in this situation:
- Obtaining a copy of the LiteVault source code would allow the wallet to be derived from the known credential information.
- If the IP address of the LiteVault server were known, and the server hosting it were still online, an entry could be added manually to the operating system's hosts file (for example, the Windows hosts file), bypassing the normal DNS lookup. This IP may be obtainable from past logs or WHOIS information.
- If the wallet generation algorithm is standard and has been used or documented elsewhere, it may be possible to try multiple algorithms against the credential information in a brute-force manner.
The total amount recovered is unknown.
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
In general, to avoid this issue, you want to be sure that you have a full backup of your seed phrase in a standard format like BIP39.
Ensure that more than one copy of your seed phrase is kept, and that each copy is in a distinct location. For example, you may keep a backup copy in a bank vault. A common scheme is to split the 24-word seed phrase into 3 sets of 16 words each, such that any two of the sets are needed to unlock the wallet.
Web wallets are generally not a good idea to secure a large quantity of funds for a wide variety of other reasons. Keep the vast majority of funds stored offline.
Store the majority of funds offline. Offline means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Platforms should work to increase user education on safe storage practices and the importance of keeping a separate backup of any generated wallet addresses. The process should be straightforward for users to download a seed phrase to recover their wallet.
Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.
An industry insurance fund could assist users to retrieve their funds in these situations.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
Increased education can inform users of the need to keep proper backups and the risks of loss.
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
Third-party reviews can validate that services have a way for users to retrieve funds in the event of loss.
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
An industry insurance fund could assist users to retrieve their funds in these situations.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. LiteVault - Secure Litecoin Web Wallet, https://web.archive.org/web/20210811195641/https://litevault.net/ (Jun 30, 2022)
2. GitHub - Someguy123/LiteVault: LiteVault - Secure Online Litecoin Wallet https://www.litevault.net, https://github.com/someguy123/litevault (Jun 30, 2022)
3. About LiteVault, https://web.archive.org/web/20210811195208/https://litevault.net/about (Jun 30, 2022)
4. litevault.net, https://web.archive.org/web/20220331012529/https://litevault.net/ (Jun 30, 2022)
5. CherylTuntIRL - "What's frustrating is that I was able to access it on NYE when I remembered I had them, then 2 days later it's gone. I'll never trust an online wallet again." - Reddit, https://old.reddit.com/r/litecoin/comments/ru96ce/litevault_gone/hqxk42r/ (Aug 31, 2023)
6. CherylTuntIRL - "Yes there was a cert error. Will try to contact the owner." - Reddit, https://old.reddit.com/r/litecoin/comments/ru96ce/litevault_gone/hqxwdfl/ (Aug 31, 2023)
7. CherylTuntIRL - Litevault gone - Reddit, https://www.reddit.com/r/litecoin/comments/ru96ce/litevault_gone/ (May 30, 2022)
8. flinginlead - "Currently shopping hardware wallets myself. Thanks for the reminder." - Reddit, https://old.reddit.com/r/litecoin/comments/ru96ce/litevault_gone/hqxjca3/ (Aug 31, 2023)
9. snakesbbq - "If you can't, or don't want to use a hardware wallet, at least use your own personal software wallet. Anytime you don't hold the keys to your own crypto you run the risk of losing it." - Reddit, https://old.reddit.com/r/litecoin/comments/ru96ce/litevault_gone/hqz7pzi/ (Aug 31, 2023)