Chivo Wallet
Latest release: 1.0 (7th September 2021)
Last analysed: 10th October 2021
Custodial: The provider holds the keys
Do your own research!
Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.
The Analysis
(Analysis from Android review)
Chivo Wallet is the official Bitcoin and Dollar wallet of the Government of El Salvador. Chivo Wallet allows you to send and receive Bitcoin and / or Dollar between Salvadorans without commission, in the same way it allows users to exchange Bitcoin for Dollar or vice versa without commission. Additionally Chivo is compatible with other Bitcoin on-chain and Lightning wallets. Finally, Chivo connects with the banking system of El Salvador to deposit or withdraw dollars from the platform, and with a network of Chivo ATMs to deposit and withdraw dollars in cash. Chivo has a company version that allows you to charge, assign payment terminals for employees, and pay taxes quickly and easily.
Google Play Reviews
★☆☆☆☆ October 2, 2021
“SUPER BAD” Registration was easy, unfortunately the app stopped working (it kept logging but didn’t log in) the second day. After a week I decided to uninstall the app, thinking that it may solve the logging problems; now when I try to login, it tells me that the password is wrong; in other words I can’t login. I was going to start sending money using this app, but I don’t trust it at this point.
★☆☆☆☆ September 18, 2021
Hard to register if you're able to get to the registration process, if it doesn't give an error or a connection problem. Once you're inside and you get the bonus Bitcoin you can't use them unless you put some money on it or someone sends you some. Aside from that it's a government run wallet so no open source, get what you will from it. There are better wallets out there.
Note: The app is only downloadable in select locations, which include the US, El Salvador and some South American countries.
The official website for the wallet cannot be accessed from certain locations. Using a VPN with a US location allowed us to glean some insight.
4.2 When an Account is closed: (i) Your right to use it to gain access to the Services immediately ceases, (ii) the data or content associated with the Account is deleted and the User and the Account are disconnected (unless the applicable legislation requires them to be kept, returned or transmitted to the User) and (iii) if there is any value in the Account, they will be withdrawn from the destination that the user has informed, if never has informed an Account for this purpose, the balance of your Account will remain blocked until the User proceeds to comply with the process of withdrawal of the balance of your Account.
We get a glimpse of what will happen when a government entity has custody and control over users’ funds:
Finally, the User accepts and agrees that CHIVO SA DE CV may, without prior notice, limit, suspend or terminate the Services and Accounts, prohibit access to the Site, its content, services and tools, restrict or remove stored content, and take technical and legal actions to keep Users out of Chivo Wallet if it considers that they are violating the T&C. Likewise, when creating an Account, the User accepts that the decision to cancel or block it may be based on confidential criteria essential for the Compliance and risk protocols of CHIVO SA DE CV, therefore, the User understands and accepts that the latter has no obligation to disclose details of these internal protocols.
The app can only be installed with the following requirements:
- El Salvadoran DUI (Documento Único de Identidad)
- US, El Salvador and some South American phone numbers for verification
El Salvador’s Chivo wallet is the tip of the spear in President Nayib Bukele’s Bitcoin law recognizing Bitcoin as legal tender. By all indications it is certainly custodial, which is particularly concerning: a government has a lot of power over the wallet, not just as its developer but also as an entity able to coerce intermediaries by force and by law.
As a custodial app, it is not verifiable.
As the provider of this product holds the keys, verifiability of the product is not relevant to the security of the funds!
As part of our Methodology, we ask: Is the product self-custodial? If not, we tag it Custodial!
A custodial service is a service where the funds are held by a third party like the provider. The custodial service can at any point steal all the funds of all the users at their discretion. Our investigations stop there.
Some services might claim their setup is super secure, that they don’t actually have access to the funds, or that the access is shared between multiple parties. For our evaluation of it being a wallet, these details are irrelevant. They might be a trustworthy Bitcoin bank and they might be a better fit for certain users than being your own bank but our investigation still stops there as we are only interested in wallets.
Products that claim to be non-custodial but feature custodial accounts without very clearly marking those as custodial are also considered “custodial” as a whole to avoid misguiding users that follow our assessment.
This verdict means that the provider might or might not publish source code and maybe it is even possible to reproduce the build from the source code but as it is custodial, the provider already has control over the funds, so it is not a wallet where you would be in exclusive control of your funds.
We have to acknowledge that a huge majority of Bitcoiners are currently using custodial Bitcoin banks. If you do, please:
- Do your own research on whether the provider is trustworthy!
- Check if you know at least enough about them so you can sue them when you have to!
- Check if the provider is under a jurisdiction that will allow them to release your funds when you need them.
- Check if the provider is taking security measures proportional to the amount of funds secured. If they have a million users and don’t use cold storage, that hot wallet is a million times more valuable for hackers to attack. A million times more effort will be taken by hackers to infiltrate their security systems.