Chivo wallet is presenting privacy issues

Key facts:
  • Chivo wallet is the wallet promoted by the government of El Salvador to use Bitcoin.

  • According to the terms and conditions of the wallet, it is not responsible for loss of funds.

Like any new application, bugs or errors are the order of the day in the Chivo Wallet. After its launch, it has been discovered that some of these bugs not only affect the user experience, but also compromise, to a large extent, the privacy of its users.

The compilation of some of the bugs was made by Matt Ahlborg (@MattAhlborg), who is head of research at Bitrefill. After performing some tests with Chivo Wallet, Matt published some of the bugs on Twitter, which he considers to be “non-standard behaviors of Bitcoin wallets”.

One of the most serious bugs in Chivo Wallet occurs when creating Lightning payment invoices: the generated invoice information shows the full name of the user who owns the wallet. As Matt himself points out, this would be a serious privacy issue that “should be resolved”.
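The following is an added example, not code from the article, from Ahlborg or from Chivo: a check a tester could run on a generated invoice to see whether the account holder's name is readable in it. It assumes the name sits in the BOLT11 description field (tag `d`), which the article does not specify; the sample invoice and the name in it are constructed, and the helper names are hypothetical.

```python
# Added example: read the plaintext description ('d' field) of a BOLT11 invoice.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"   # bech32 alphabet
SIG_LEN, CHECKSUM_LEN = 104, 6   # trailing 520-bit signature and checksum, in 5-bit words

def regroup(values, frombits, tobits, pad):
    """Regroup frombits-wide integers into tobits-wide integers."""
    acc = bits = 0
    out = []
    for v in values:
        acc = (acc << frombits) | v
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & ((1 << tobits) - 1))
    if pad and bits:
        out.append((acc << (tobits - bits)) & ((1 << tobits) - 1))
    return out

def tagged_fields(invoice):
    """Yield (tag, 5-bit words) per tagged field; signature and checksum are NOT verified."""
    inv = invoice.lower()
    words = [CHARSET.index(c) for c in inv[inv.rfind("1") + 1:]]
    words = words[7:len(words) - SIG_LEN - CHECKSUM_LEN]   # drop 35-bit timestamp and trailer
    i = 0
    while i + 3 <= len(words):
        length = words[i + 1] * 32 + words[i + 2]          # 10-bit field length
        yield CHARSET[words[i]], words[i + 3:i + 3 + length]
        i += 3 + length

def description(invoice):
    """Return the description any holder of the invoice can read, or None."""
    for tag, data in tagged_fields(invoice):
        if tag == "d":
            return bytes(regroup(data, 5, 8, False)).decode("utf-8", "replace")
    return None

def leaks_name(invoice, full_name):
    """True if the account holder's name appears in the invoice description."""
    desc = description(invoice)
    return desc is not None and full_name.casefold() in desc.casefold()

def build_sample(desc):
    """Constructed invoice: zero timestamp, placeholder (invalid) signature and checksum."""
    data = regroup(desc.encode(), 8, 5, True)
    words = [0] * 7 + [13, len(data) >> 5, len(data) & 31] + data
    return "lnbc1" + "".join(CHARSET[w] for w in words) + "q" * (SIG_LEN + CHECKSUM_LEN)

SAMPLE = build_sample("Pago a Maria Ejemplo")   # constructed name, not a real user
print(description(SAMPLE), leaks_name(SAMPLE, "Maria Ejemplo"))
```

An invoice that carries only a description hash (tag `h`) has no `d` field, so `description` returns `None` for it.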

Another important point in the field of privacy is that, according to a tweet quoted by Ahlborg, Chivo Wallet, in its Android version, requests access to the microphone and contact list. It should be clarified that the “normal” behavior of a Bitcoin wallet does not require any access to this type of information or peripherals.

Matt believes that this problem could be one of the reasons why it has taken so long to be listed in the Android Play Store.

Usability issues with Chivo Wallet

Because the app is very recent, it is possible to find bugs regarding the user experience. In this area, Matt highlights errors such as scanning invoices with a defined amount: although the amount to send is fixed, the application still asks you to enter the total amount to send. This causes the application to throw an error message.

Another bug is in the compatibility of invoices. According to Ahlborg’s research, when trying to scan a Bitrefill invoice, an invalid invoice error occurs. While this could be a one-off compatibility bug between Chivo and Bitrefill, Matt clarifies that he “suspects this is happening with other Lightning Network wallets” when used in conjunction with Chivo.

On the other hand, Matt highlights a bug that can negatively affect the experience of using Chivo Wallet, in this case for those less skilled in the use of Bitcoin wallets. This wallet deducts the transaction fee from the total to be sent and not from the balance remaining in the wallet. For example, if you are sending 0.0001 BTC with a fee of 0.000005, the receiver to whom you are sending from Chivo Wallet will receive 0.000095 BTC.

In use cases such as the Bitrefill example used by Ahlborg, where an exact amount needs to be sent, the user must calculate the total by adding the network fee to the net amount to be sent. According to Ahlborg, this is not standard Bitcoin wallet behavior.

Chivo is not liable for loss of funds due to system failures

While Chivo has been experiencing problems, there is one aspect to consider: as shown in its terms and conditions, the app, and consequently the government of El Salvador, are not liable for “damage, harm or loss caused to the user by system, internet server, or Chivo Wallet failures” that end up causing the loss of funds.

While the terms and conditions refer to no liability for lost funds, they could be extrapolated to mean that Chivo is not liable for the “theft” of personal information caused by poor security and data protection on the part of Chivo, taking into consideration the current privacy flaws the app is suffering from.