Roseon WonderAppLatest release: 2.3.33 ( 13th June 2022 ) 🔍 Last analysed 30th September 2021 . Custodial: The provider holds the keys
Help spread awareness for build reproducibility
Please help us spread the word discussing the risks of centralized custodians with Roseon WonderApp via their Twitter!
Do your own research!
Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.
The Analysis ¶
It describes itself as:
Roseon Finance is a mobile-first crypto investment app that brings decentralized finance to your pocket with the goal of simplifying your crypto experience.
Among other things, it offers several DeFi products, including staking pools, high interests and an NFT gallery
- Crypto wallet that supports Binance Smart Chain, Ethereum network, Polygon, and easy integration with Binance, Kucoin, Uniswap and PancakeSwap and others
- Deposit your crypto into the app to yield farm and earn more with your crypto holdings
- Lock your crypto in our lower risk savings feature to earn fixed rewards
- Integration with exchanges for trading or swapping
- Secure your account with KYC (Know your customer) policy
- Create your own portfolio and automate with portfolio management
- View, bid or sell your digital collectibles (Non-Fungible Tokens)
- Use Roseon wallet as your cryptocurrency app
We downloaded the app and it required the email address. Then it asked to verify the email. Once we verified the email, we then tried to deposit into the BTC account.
Then they provided a 16-bit key backup in case the account is lost. However, it is worth noting that 16-bit encryption may not be secure.
They then asked for KYC requirements including name, date of birth, nationality, ID type and ID number.
After that, we were granted the user status of level 1.
We immediately looked for the Terms and Conditions to find how it defines the wallet.
In Section 2.1.5, it describes the wallet as:
Wallet; a secured custodial service allowing Users to deposit on the Platform their own Digital Tokens.
Section 4.9.1, details that:
4.9.1. Any Wallet address sending and receiving any token to and from the Roseon.Finance Platform is solely, exclusively and directly owned and controlled by him/herself, including the Wallet’s Private key, and there are no other beneficial owners and/or controllers that the User is acting on behalf of or under any form of fiduciary or nominee or representative relationship with;
That is the wallets that interact with the Roseon product, not the Roseon product itself.
We tried contacting Roseon Finance via their twitter account to clarify where or how the bitcoin wallet’s private key can be secured by the user.
Due to not having an overt or immediate ability to backup the bitcoin wallet’s private key, this app does not appear to be self-custodial.
While we await the response of Roseon Finance, we would have to give this a verdict of custodial and therefore not verifiable.
As the provider of this product holds the keys, verifiability of the product is not relevant to the security of the funds!
As part of our Methodology, we ask:Is the product self-custodial? If not, we tag it Custodial!
A custodial service is a service where the funds are held by a third party like the provider. The custodial service can at any point steal all the funds of all the users at their discretion. Our investigations stop there.
Some services might claim their setup is super secure, that they don’t actually have access to the funds, or that the access is shared between multiple parties. For our evaluation of it being a wallet, these details are irrelevant. They might be a trustworthy Bitcoin bank and they might be a better fit for certain users than being your own bank but our investigation still stops there as we are only interested in wallets.
Products that claim to be non-custodial but feature custodial accounts without very clearly marking those as custodial are also considered “custodial” as a whole to avoid misguiding users that follow our assessment.
This verdict means that the provider might or might not publish source code and maybe it is even possible to reproduce the build from the source code but as it is custodial, the provider already has control over the funds, so it is not a wallet where you would be in exclusive control of your funds.
We have to acknowledge that a huge majority of Bitcoiners are currently using custodial Bitcoin banks. If you do, please:
- Do your own research if the provider is trust-worthy!
- Check if you know at least enough about them so you can sue them when you have to!
- Check if the provider is under a jurisdiction that will allow them to release your funds when you need them?
- Check if the provider is taking security measures proportional to the amount of funds secured? If they have a million users and don’t use cold storage, that hot wallet is a million times more valuable for hackers to attack. A million times more effort will be taken by hackers to infiltrate their security systems.
Share onTwitter Facebook LinkedIn
Or embed a widget in your website
<iframe src="https://walletscrutiny.com/widget/#appId=android/roseon.finance&theme=auto&style=short" name="_ts" style="min-width:180px;border:0;border-radius:10px;max-width:280px;min-height:30px;"> </iframe>
<iframe src="https://walletscrutiny.com/widget/#appId=android/roseon.finance&theme=auto&style=long" style="max-width:100%;width:342px;border:0;border-radius:10px;min-height:290px;"> </iframe>