Wallet Logo

OPOLO Cosmos

🔍 Last analysed 9th November 2022 . No source for current release found

Without public source of the reviewed release available, this product cannot be verified!

As part of our Methodology, we ask:

Is the source code publicly available?

If the answer is "no", we mark it as "No source for current release found".

A wallet that claims to not give the provider the means to steal the users’ funds might actually be lying. In the spirit of “Don’t trust - verify!” you don’t want to take the provider at his word, but trust that people hunting for fame and bug bounties could actually find flaws and back-doors in the wallet so the provider doesn’t dare to put these in.

Back-doors and flaws are frequently found in closed source products but some remain hidden for years. And even in open source security software there might be catastrophic flaws undiscovered for years.

An evil wallet provider would certainly prefer not to publish the code, as hiding it makes audits orders of magnitude harder.

For your security, you thus want the code to be available for review.

If the wallet provider doesn’t share up to date code, our analysis stops there as the wallet could steal your funds at any time, and there is no protection except the provider’s word.

“Up to date” strictly means that any instance of the product being updated without the source code being updated counts as closed source. This puts the burden on the provider to always first release the source code before releasing the product’s update. This paragraph is a clarification to our rules following a little poll.

We are not concerned about the license as long as it allows us to perform our analysis. For a security audit, it is not necessary that the provider allows others to use their code for a competing wallet. You should still prefer actual open source licenses as a competing wallet won’t use the code without giving it careful scrutiny.

The product cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined he might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The product might have a formidable track record but out of distress or change in management turns out to be evil from some point on, with nobody outside ever knowing before it is too late.

Help spread awareness for build reproducibility

Please help us spread the word discussing transparency with OPOLO Cosmos  via their Twitter!

Do your own research!

Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.

If you find something we should include, you can create an issue or edit this analysis yourself and create a merge request for your changes.

The Analysis 

This small hardware wallet features a 3.2 inch touchscreen and allows users to set a password on setup. It has a companion app for desktop and mobile.

On their homepage, OPOLO LTD. claims that their product is EAL6+ certified:

With the OPOLO wallet, we are offering the best cryptocurrency hardware wallet on the market today. We gauge cryptocurrency wallets using EAL Certifications. These certifications can range from 1 to 7, with most of the best cryptocurrency hardware wallets in the market falling between 1 - 5.

Our OPOLO Cosmos best cryptocurrency hardware wallet uses an EAL 6+ secure element. If you are looking for a secure bitcoin hardware wallet, you are in the right place. Our secure bitcoin hardware wallet is easy to backup and recover, simple to use, and comes with an EAL6+ level of security.

Creating a new wallet requires that the user installs the OPOLO Desk app. The hardware wallet must be connected via USB to an external computer running the app. When pairing the app with the hardware wallet, the user must authenticate by entering the password. To create the wallet, the user must click on a button on the OPOLO Desk app. The hardware wallet then provides the user with a 24-word BIP39 mnemonic phrase.

OPOLO relies on the desktop app to send and receive assets or import and create new wallets. There is no option to create a new wallet on the device itself.

Source code

Searching around on the internet for OPOLO’s source code lead to a GitHub user profile “OPOLO-Ltd” but it lead to a 404 page. This product’s reliance on the desktop app is not bad in and of itself, but unfortunately, neither the firmware nor the desktop app have public source code. This means that the users have no idea what is going on behind the scenes and will simply have to trust that manufacturers have not put any malicious code in the firmware or the desktop app. This product is not verifiable.

(ml, dg)