Wallet Logo

QUANTUM

🔍 Last analysed 20th December 2021 . No source for current release found

Jump to verdict 

Do your own research!

Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.

If you find something we should include, you can create an issue or edit this analysis yourself and create a merge request for your changes.

The Analysis 

Security Arts’ is a Ukrainian company. As of November 26, 2021, the device is out of stock.

Private keys can be created offline

To begin with, activating the device requires a desktop software called Quantum Manager. However, the device can be used independently of the Quantum Manager.

Activation information from Security Arts’ documentation

All QUANTUM devices are shipped inactivated. Warranty period (6 month) starts from the moment of activation. This makes warranty period independent from delivery or stockage time. Also, this is the way to make sure that your device is genuine.

To activate new device, you need to have:

QUANTUM device with micro USB cable.

  • Computer (Windows, Linux or Mac OS) connected to internet.
  • Installed Quantum Manager.
  • Connect the QUANTUM to PC using USB cable and wait until standard USB driver is installed, which will take about 1 minute. Launch Quantum Manager and in a drop-down window you will see a 6-digit activation code that should be entered in your device.

Private keys are not shared

Especially for users with the extreme level of paranoia we came up with an idea of offline mode, in which QUANTUM operates without connecting to PC, powered from power bank or phone charger. You can create a new wallet using device UI, display its addresses as a QR code on LCD, scan it using smartphone and transfer funds to it. You can also display private key and manually rewrite it on paper for backup storage and be 100% sure that not any virus will intercept it.

Lastly, the most important advice.

ALWAYS DO BACKUP COPIES. Any device, even the most reliable one, can fail. However, this is not a problem in case of QUANTUM, since you can always restore data from a backup to a new device. We have developed a method for reserving all data to a separate extra-encrypted file and your data is never stored in a cloud service or on our servers.

Device displays receive address for confirmation

QUANTUM menu mode is the safest way to manage cryptocurrency. For example, you can create new random wallet and display address QR code on the device LCD. Then, scan this code using smartphone and send money to this wallet. Display wallet private key on the device LCD and manually make paper copy for additional backup. Thereby, you will be 100% sure that your device has never been connected to PC and your money cannot be stolen by viruses.

Also, you can manually enter private key of already existing or paper backup wallet. Although manual entry is slow and inconvenient, it provides the most secure way for cryptocurrency storing.

Interface

The device has a menu mode where the user can access the cryptocurrency wallet using the buttons on the device and an LCD screen.

We were able to find pictures of the device on Facebook

Reproducibility

The manufacturer doesn’t have a dedicated social media presence on twitter and can only be contacted via their webform or their email address.

We were able to find their GitHub page which has links to the repository of their open source desktop software the Quantum Manager.

It is through the Quantum Manager where the firmware for the device is updated.

As noted in Leo’s comment on GitLab

It appears the firmware itself is not open source.

Here the “Quantum Manager” requests the firmware, providing a random number and the hardware wallet’s serial number. This would allow to send a different firmware to each different client. Notably not providing a serial number or just random guessed integers returns errors.

(ml, dg)

Verdict Explained

Without public source of the reviewed release available, this product cannot be verified!

As part of our Methodology, we ask:

Is the source code publicly available? If not, we tag it No Source!

A wallet that claims to not give the provider the means to steal the users’ funds might actually be lying. In the spirit of “Don’t trust - verify!” you don’t want to take the provider at his word, but trust that people hunting for fame and bug bounties could actually find flaws and back-doors in the wallet so the provider doesn’t dare to put these in.

Back-doors and flaws are frequently found in closed source products but some remain hidden for years. And even in open source security software there might be catastrophic flaws undiscovered for years.

An evil wallet provider would certainly prefer not to publish the code, as hiding it makes audits orders of magnitude harder.

For your security, you thus want the code to be available for review.

If the wallet provider doesn’t share up to date code, our analysis stops there as the wallet could steal your funds at any time, and there is no protection except the provider’s word.

“Up to date” strictly means that any instance of the product being updated without the source code being updated counts as closed source. This puts the burden on the provider to always first release the source code before releasing the product’s update. This paragraph is a clarification to our rules following a little poll.

We are not concerned about the license as long as it allows us to perform our analysis. For a security audit, it is not necessary that the provider allows others to use their code for a competing wallet. You should still prefer actual open source licenses as a competing wallet won’t use the code without giving it careful scrutiny.

The product cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined he might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The product might have a formidable track record but out of distress or change in management turns out to be evil from some point on, with nobody outside ever knowing before it is too late.