QUANTUM
Last analysed 20th December 2021. No source for current release found
Do your own research!
Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.
The Analysis
Security Arts is a Ukrainian company. As of November 26, 2021, the device is out of stock.
Private keys can be created offline
Activation information from Security Arts’ documentation
All QUANTUM devices are shipped inactivated. The warranty period (6 months) starts from the moment of activation. This makes the warranty period independent of delivery or storage time. Also, this is the way to make sure that your device is genuine.
To activate a new device, you need to have:
- QUANTUM device with micro USB cable.
- Computer (Windows, Linux or Mac OS) connected to the internet.
- Installed Quantum Manager.

Connect the QUANTUM to the PC using the USB cable and wait until the standard USB driver is installed, which will take about 1 minute. Launch Quantum Manager and in a drop-down window you will see a 6-digit activation code that should be entered in your device.
Private keys are not shared
Especially for users with an extreme level of paranoia, we came up with the idea of an offline mode, in which QUANTUM operates without connecting to a PC, powered from a power bank or phone charger. You can create a new wallet using the device UI, display its addresses as a QR code on the LCD, scan it using a smartphone and transfer funds to it. You can also display the private key and manually rewrite it on paper for backup storage and be 100% sure that no virus will intercept it.
Lastly, the most important advice.
ALWAYS DO BACKUP COPIES. Any device, even the most reliable one, can fail. However, this is not a problem in case of QUANTUM, since you can always restore data from a backup to a new device. We have developed a method for reserving all data to a separate extra-encrypted file and your data is never stored in a cloud service or on our servers.
Device displays receive address for confirmation
QUANTUM menu mode is the safest way to manage cryptocurrency. For example, you can create a new random wallet and display the address QR code on the device LCD. Then, scan this code using a smartphone and send money to this wallet. Display the wallet private key on the device LCD and manually make a paper copy for additional backup. Thereby, you will be 100% sure that your device has never been connected to a PC and your money cannot be stolen by viruses.
Also, you can manually enter the private key of an already existing or paper backup wallet. Although manual entry is slow and inconvenient, it provides the most secure way of storing cryptocurrency.
The device has a menu mode where the user can access the cryptocurrency wallet using the buttons on the device and an LCD screen.
We were able to find pictures of the device on Facebook.
The manufacturer doesn’t have a dedicated social media presence on Twitter and can only be contacted via their webform or their email address.
The firmware for the device is updated through the Quantum Manager.
As noted in Leo’s comment on GitLab:
It appears the firmware itself is not open source.
Here the “Quantum Manager” requests the firmware, providing a random number and the hardware wallet’s serial number. This would allow sending a different firmware to each different client. Notably, not providing a serial number or just randomly guessed integers returns errors.
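The concern raised in the comment above is that a firmware download keyed to the serial number lets the server hand one device a different image than everyone else receives. As an added example (not from the original page or from Security Arts), this sketch shows how owners who pool the images they were served could detect that. The record layout, serial numbers, versions and image bytes are all constructed and do not reflect the actual Quantum Manager protocol.

```python
import hashlib
from collections import defaultdict

# Constructed sample: firmware images that several owners report receiving.
# Serials, versions and image bytes are invented for illustration only.
GOOD_120 = b"FWIMG-1.2.0" + bytes(64)
ODD_120 = b"FWIMG-1.2.0" + bytes(63) + b"\x01"  # differs in a single byte
GOOD_110 = b"FWIMG-1.1.0" + bytes(64)
CAPTURES = [
    {"serial": "SN-0001", "version": "1.2.0", "image": GOOD_120},
    {"serial": "SN-0002", "version": "1.2.0", "image": GOOD_120},
    {"serial": "SN-0003", "version": "1.2.0", "image": ODD_120},
    {"serial": "SN-0004", "version": "1.2.0", "image": GOOD_120},
    {"serial": "SN-0001", "version": "1.1.0", "image": GOOD_110},
    {"serial": "SN-0002", "version": "1.1.0", "image": GOOD_110},
]


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def divergent_versions(captures):
    """Return {version: {digest: [serials]}} for every version that was
    served as more than one distinct image."""
    by_version = defaultdict(lambda: defaultdict(set))
    for c in captures:
        by_version[c["version"]][sha256_hex(c["image"])].add(c["serial"])
    return {v: {d: sorted(s) for d, s in digests.items()}
            for v, digests in by_version.items() if len(digests) > 1}


def outlier_serials(captures):
    """For each divergent version, list the serials that did not receive
    the most commonly served image."""
    result = {}
    for version, digests in divergent_versions(captures).items():
        majority = max(digests, key=lambda d: len(digests[d]))
        result[version] = sorted(
            s for d, serials in digests.items() if d != majority for s in serials)
    return result


if __name__ == "__main__":
    for version, serials in outlier_serials(CAPTURES).items():
        print(f"version {version}: non-majority image served to {serials}")
```

Matching digests across pooled devices only show that everyone received the same binary; without source code and a reproducible build they say nothing about what that binary does.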
Without public source of the reviewed release available, this product cannot be verified!
As part of our Methodology, we ask: Is the source code publicly available? If not, we tag it No Source!
A wallet that claims to not give the provider the means to steal the users’ funds might actually be lying. In the spirit of “Don’t trust - verify!” you don’t want to take the provider at his word, but trust that people hunting for fame and bug bounties could actually find flaws and back-doors in the wallet so the provider doesn’t dare to put these in.
Back-doors and flaws are frequently found in closed source products but some remain hidden for years. And even in open source security software there might be catastrophic flaws undiscovered for years.
An evil wallet provider would certainly prefer not to publish the code, as hiding it makes audits orders of magnitude harder.
For your security, you thus want the code to be available for review.
If the wallet provider doesn’t share up to date code, our analysis stops there as the wallet could steal your funds at any time, and there is no protection except the provider’s word.
“Up to date” strictly means that any instance of the product being updated without the source code being updated counts as closed source. This puts the burden on the provider to always first release the source code before releasing the product’s update. This paragraph is a clarification to our rules following a little poll.
We are not concerned about the license as long as it allows us to perform our analysis. For a security audit, it is not necessary that the provider allows others to use their code for a competing wallet. You should still prefer actual open source licenses as a competing wallet won’t use the code without giving it careful scrutiny.