
Wallets Rating Methodology

How do we calculate the score?

Step 1

Points system

We assess each aspect of the project’s security following our Wallet Security Rating system.

  • Is the token audited?

    • Penetration Testing

      Penetration testing must be performed on the current version of the infrastructure. If the infrastructure receives a major update, it must be retested.

      1. Penetration testing must be performed on all components of the infrastructure.

      2. Penetration testing must be performed on production versions, not on staging or developer versions.

      3. Penetration testing reports must describe the testing actions performed and must include all findings.

      4. The company must demonstrate that all findings have been fixed.

      5. The company that performs the penetration testing must not be affiliated with the wallet and must have no personal interest in a successful result.

      10: Full scope

      0: Partial scope

    • Pentest Relevance

      Was it done in the last year?

      10: Yes

      0: No

  • Bug Bounty

    • Scope Coverage

      10: Full scope

      5: Half scope

      0: Else

    • Scope Clearness

      10: There is a clear set of in-scope and out-of-scope vulnerabilities written in technical language, and testing is performed on production versions, not staging or developer ones

      5: Little information, written vaguely

      0: No information

    • Acceptance

      Lower payouts mean fewer incentives for white-hat hackers to participate in a bug bounty program.

      2: > $2.5K

      4: > $5K

      6: > $10K

      8: > $25K

      10: > $50K

    • Self/Third-Party Hosted

      Third-party platforms significantly increase the efficiency of bug bounty programs: they bring white-hat hacker communities and ensure that bug hunters receive the stated rewards.

      5: Self-hosted

      10: Third-party hosted

    • Language

      0: English is not present

      10: English is present

    • Disclosure Policy

      10: Yes

      0: No

  • Past Incidents

    • Severity

      0: Stolen funds

      5: Stolen user data

      10: No victims

    • Team Reaction

      0: The team did not react

      5: The team published an incident post-mortem

      10: The team made an official statement with instructions for its users, published an incident post-mortem and fixed the issue

    • Is Problem Resolved?

      10: Yes

      0: No

  • Customer Security Features

    • Obligatory backup before usage

      10: Yes

      0: No

    • Detailed description of a transaction when signing

      10: Yes

      0: No

    • Restore methods (self-custody / third-party custody) available to the user

      If self-hosted, the user takes all the risks on their own.

      If third-party services are used for backup, at least 2 of the following 3 factors must be present:

      - Something you know

      - Something you have

      - Something you are

      10: Self-hosted

      10: 2/3 (third-party custody)

      0: 1/3 (third-party custody)

    • Password Requirements

      A 6-digit PIN does not meet any of the requirements (the minimum length is 8 symbols), so it scores 0.

      • Requires 8-symbol length

        4: Yes

        0: No

      • Requires digits

        2: Yes

        0: No

      • Requires an uppercase symbol

        1: Yes

        0: No

      • Requires a special character

        2: Yes

        0: No

      • 32-symbol password length

        1: Yes

        0: No

    • or

    • Biometric to access the wallet

      10: Yes

      0: No

    • Cold wallet compatibility (if it fits the wallet architecture)

      10: Yes, or not applicable because it does not fit the wallet architecture

      0: No

Step 2

Scoring weights

We weight each criterion within its category as follows.

  • Penetration Tests

    • Pentest

      0.5
    • Pentest relevance

      0.5
  • Bug bounty

    • Scope coverage

      0.15
    • Scope clearness

      0.15
    • Acceptance

      0.4
    • Self/third-party hosted

      0.2
    • Language

      0.05
    • Disclosure policy

      0.05
  • Past Incidents

    • Severity

      0.4
    • Team reaction

      0.2
    • Is problem resolved?

      0.4
    • Actuality multiplier

      Depending on the time elapsed since the incident:

      • Less than 1 year ago

        0
      • More than 1 year ago

        5
      • More than 2 years ago

        10
  • Customer Security Features

    • Obligatory backup before usage

      0.1
    • Detailed description of a transaction when signing

      0.1
    • Restore methods (self-custody / third-party custody)

      0.4
    • Cold wallet compatibility (if it fits the wallet architecture)

      0.2
    • Biometric to access the wallet

      0.2
    • OR
    • PIN and password to access a wallet

      0.1
    • Password requirements

      0.1

Step 3

Wallet Security Rating Calculation

We take the category results from the previous step and convert them into the rating score using the following category weights.

  • Penetration tests

    0.25

  • Bug bounty

    0.25

  • Past incidents

    0.25

  • Customer security features

    0.25
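The three steps above, carried through in code as an added example (this is not the rating page's own implementation). Criterion and category weights are copied from Steps 2 and 3; the sample wallet is constructed, and the past-incident "actuality multiplier" is left out because the page does not state how it combines with the other weights.

```python
from typing import Dict

# Step 2: criterion weights inside each category (each group sums to 1.0)
WEIGHTS: Dict[str, Dict[str, float]] = {
    "penetration_tests": {"pentest": 0.5, "pentest_relevance": 0.5},
    "bug_bounty": {"scope_coverage": 0.15, "scope_clearness": 0.15, "acceptance": 0.4,
                   "hosting": 0.2, "language": 0.05, "disclosure_policy": 0.05},
    "past_incidents": {"severity": 0.4, "team_reaction": 0.2, "resolved": 0.4},
    "customer_features": {"backup": 0.1, "tx_description": 0.1, "restore_methods": 0.4,
                          "cold_wallet": 0.2, "biometric": 0.2},  # biometric branch
}
CATEGORY_WEIGHTS = {cat: 0.25 for cat in WEIGHTS}  # Step 3

def customer_weights(uses_biometric: bool) -> Dict[str, float]:
    """Step 2 'OR' branch: biometric (0.2), or PIN/password (0.1) plus password requirements (0.1)."""
    w = dict(WEIGHTS["customer_features"])
    if not uses_biometric:
        del w["biometric"]
        w.update({"pin_password": 0.1, "password_requirements": 0.1})
    return w

def password_requirement_points(length8, digits, upper, special, length32) -> int:
    """Step 1 password checklist: 4 + 2 + 1 + 2 + 1 = 10 when every requirement is met."""
    return 4 * length8 + 2 * digits + 1 * upper + 2 * special + 1 * length32

def category_score(weights: Dict[str, float], points: Dict[str, int]) -> float:
    """Weighted 0-10 score of one category; every weighted criterion must be scored 0..10."""
    missing = set(weights) - set(points)
    if missing:
        raise ValueError(f"missing criteria: {sorted(missing)}")
    if any(not 0 <= points[n] <= 10 for n in weights):
        raise ValueError("criterion points must lie in 0..10")
    return sum(weights[n] * points[n] for n in weights)

def wallet_rating(all_points: Dict[str, Dict[str, int]], uses_biometric: bool) -> float:
    """Final 0-10 rating: Step 3 combines the four category scores with the 0.25 weights."""
    cw = {**WEIGHTS, "customer_features": customer_weights(uses_biometric)}
    return sum(CATEGORY_WEIGHTS[c] * category_score(cw[c], all_points[c]) for c in cw)

# Constructed sample wallet (not a real product): pentested but not within the last year,
# PIN/password access instead of biometrics, no cold-wallet support.
SAMPLE_WALLET: Dict[str, Dict[str, int]] = {
    "penetration_tests": {"pentest": 10, "pentest_relevance": 0},
    "bug_bounty": {"scope_coverage": 5, "scope_clearness": 10, "acceptance": 6,
                   "hosting": 10, "language": 10, "disclosure_policy": 0},
    "past_incidents": {"severity": 5, "team_reaction": 10, "resolved": 10},
    "customer_features": {"backup": 10, "tx_description": 10, "restore_methods": 10, "cold_wallet": 0,
                          "pin_password": 10, "password_requirements": password_requirement_points(
                              True, True, False, True, False)},
}
```

Calling `wallet_rating(SAMPLE_WALLET, uses_biometric=False)` gives 0.25 × (5.0 + 7.15 + 8.0 + 7.8) = 6.9875; asking for the biometric branch on this wallet raises because no biometric criterion was scored.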