Cryptocurrency hardware wallet manufacturer Bitfi has officially closed its bounty program, according to an August 30 tweet, in addition to removing the “unhackable” claim from the wallet’s marketing materials.
In its statement, the company admitted “vulnerabilities,” and yet avoided speaking about multiple alleged hacks of the device. Bitfi also confessed to hiring a “Security Manager who is confirming vulnerabilities that have been identified by researchers.”
The company expressed appreciation for “the work and effort of the researchers,” stating that the bug bounty program was officially closed. Any further comments on remuneration and the project’s roadmap are postponed until early September. Bitfi officials remained silent about the $100,000 reward they announced in July.
The recent Bitfi post quickly prompted a response from the community. While some insist on recalling current vulnerable hardware using the #RecallBitfi hashtag, others blame the wallet’s team for misleading promotions and harming the industry.
Bitfi’s executive chairman, cybersecurity pioneer and crypto evangelist John McAfee, had claimed that the wallet was “the world’s first unhackable device.” He further challenged security experts to breach the device for a $100,000 bounty starting July 24.
Photos of Bitfi components surfaced online in late July, prompting some commentators to claim it was “a cheap Android phone,” which did not deserve the accolade of the “most sophisticated instrument in the world.”
Though several attempts to hack the Bitfi wallet have been made since then, the company has not paid out any bounties. Researchers claimed that they could track the device and extract the necessary information to qualify the device as “hacked.”
In August, an allegedly 15-year-old Twitter user, Saleem Rasheed (@spudowiar), cracked the wallet and launched Doom on it. Hours before the recent statement withdrawing the “unhackable” definition from the wallet’s branding, Rasheed posted a video where he managed to extract a secret phrase from Bitfi using a cold boot attack.