Wallet Logo

Delio

latest release: 1.3.3 ( 2nd November 2021 ) last analysed  21st October 2021 Custodial: The provider holds the keys 
4 ★★★★★
13
26th February 2020

Jump to verdict 

Help spread awareness for build reproducibility

Please help us spread the word discussing the risks of centralized custodians with Delio  via their Twitter!

Do your own research!

Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.

If you find something we should include, you can create an issue or edit this analysis yourself and create a merge request for your changes.

The Analysis 

(Analysis from Android review)

App Description

Delio Lending app claims to be in a partnership with Bithumb.

However, apart from some media mentions in CoinTelegraph and Delio.io’s own Medium post, other sources are sparse.

Delio’s services include: lending (cryptocurrency guaranteed loan), deposit and cloud mining.

The Site

Delio.Foundation does not link back to the Google Play app. The Google play app does link to Delio.Foundation.

We also tried using Google’s search parameter, but did not find links from delio.foundation to the Google Play app.

site: https://delio.foundation “play”

site: https://delio.foundation “play.google”

As described above, Delio.Foundation does link to @delio.io on Facebook. The Facebook page links to Delio.io. Delio.io links to the Google Play and ios apps.

The terms of use can be found here.

The App

We downloaded the app and registered on the service.

It is possible to log-in via a Bithumb account.

More Details

Delio signs cryptocurrency custody contract with Ledger

In addition, Delio has completed stronger security by adding its own ‘wallet owner authentication and direct withdrawal’ function to the wallet.

Unlike general wallet services, this feature authenticates the owner through a security token sent to the owner’s mobile phone when withdrawing cryptocurrency, and the owner withdraws cryptocurrency directly from the blockchain node.

Savings

Delio has many offerings and this includes Savings. To quote:

Any time you deposit Bitcoin(BTC), we will give you 12% of Bitcoin APR profit. You can deposit Bitcoin anytime you want, and the deposit will automatically end 90 days after the deposit approval date. Profits will be pain in Bitcoin on the day after the deposit ends. Bitcoin can be deposited from at least 0.01 BTC. You can check the Bitcoin deposit in your wallet.

Lending

Bitcoin Lending Basic

Bitcoin lending with Bitcoin as collateral

  • Lending available up to 90% of the collateral amount
  • Repayment based on the number of coins ex) Borrow 10 Bitcoins and repay the same amount of 10 Bitcoins

Vault

Medium.com - Delio Ducato launches crypto-asset private safe, ‘Vault’

Delio Vault is a ‘private safe custody’ service that stores and manages large amounts of assets. The security of storing and managing assets was strengthened, and it can be linked to crypto-asset financial services such as lending, deposit, and payment, thereby increasing the convenience of users. Delio Vault has a personalized system but no storage fee, and it will provide 2% annual staking revenue to Vault users from August.

Delio Vault can be logged in only after complex authentication processes such as ‘cell phone customer authentication’ and ‘OTP authentication’, and a customer should proceed with the ‘owner authentication’ on the blockchain node after the process. It is possible to withdraw with the withdrawal address that a customer registered in advance, which is ‘white list address’ and the withdraw is suspended for 24 hours if the withdrawal address is modified or changed.

Ducato.io - Delio Wallet, Why is it safer than others?

  • Wallet service provider (Delio) does NOT proceed (sic) withdrawal
  • When withdrawing, the wallet owner must authenticate at the wallet (blockchain) node
  • Withdrawal directly from the wallet (blockchain) node
  • Tokens are NOT directly managed or stored by Delio

However, Delio Wallet adopted a new ‘wallet owner authentication and direct withdrawal’ system in the withdrawal process of existing companies and introduced a safer process for wallet hacking.

The system verifies that the customer is the owner through a security code sent to the owner’s mobile phone when withdrawing a virtual asset, and in this process, Delio cannot participate in the withdrawal of virtual assets, so it has high security.

Delio wallet boasts stronger security than other wallets, even if Delio, a wallet service provider, attempts to withdraw money since withdrawal requires direct authentication of the wallet owner at the blockchain node. Even if Delio is hacked, it is designed so that withdrawals are impossible, so customer can rest assured.

The wallet also features insurance and multi-sig through Hexlant, and Ledger Vault.

Verdict

Deciphering the nature of Delio’s service proved quite challenging and we would be humble enough to admit if there’s any misunderstanding. At its core, Delio is a lending service that requires users to “lock in” funds so that others may borrow. This entails custody.

What made our testing of the app more difficult was the SMS verification did not arrive. This disallowed us from properly seeing first-hand how the wallet works. We were able to access some portions of the wallet.

The way it describes its services is at times vague. But the presence of insurance, partnerships with other parties, the lack of specific instructions on the provision of the private keys and multi-sig may indeed point to Delio as a custodial service. This makes the app not verifiable.

(dg)

Verdict Explained

As the provider of this product holds the keys, verifiability of the product is not relevant to the security of the funds!

As part of our Methodology, we ask:

Is the product self-custodial? If not, we tag it Custodial! 

A custodial service is a service where the funds are held by a third party like the provider. The custodial service can at any point steal all the funds of all the users at their discretion. Our investigations stop there.

Some services might claim their setup is super secure, that they don’t actually have access to the funds, or that the access is shared between multiple parties. For our evaluation of it being a wallet, these details are irrelevant. They might be a trustworthy Bitcoin bank and they might be a better fit for certain users than being your own bank but our investigation still stops there as we are only interested in wallets.

Products that claim to be non-custodial but feature custodial accounts without very clearly marking those as custodial are also considered “custodial” as a whole to avoid misguiding users that follow our assessment.

This verdict means that the provider might or might not publish source code and maybe it is even possible to reproduce the build from the source code but as it is custodial, the provider already has control over the funds, so it is not a wallet where you would be in exclusive control of your funds.

We have to acknowledge that a huge majority of Bitcoiners are currently using custodial Bitcoin banks. If you do, please:

  • Do your own research if the provider is trust-worthy!
  • Check if you know at least enough about them so you can sue them when you have to!
  • Check if the provider is under a jurisdiction that will allow them to release your funds when you need them?
  • Check if the provider is taking security measures proportional to the amount of funds secured? If they have a million users and don’t use cold storage, that hot wallet is a million times more valuable for hackers to attack. A million times more effort will be taken by hackers to infiltrate their security systems.
The product cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined he might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The product might have a formidable track record but out of distress or change in management turns out to be evil from some point on, with nobody outside ever knowing before it is too late.