Home - Coinspect Security
wallet security benchmark 2

Introducing the Wallet Security Framework

Security Engineer
Wallets

We are expanding our wallet security work into the Wallet Security Framework (WSF), a unified open-source resource for evaluating the security of web3 wallets. The WSF brings together two complementary components: the Wallet Security Controls (WSC) and the Wallet Security Benchmark (WSB), the latter being a new addition.

From the WSVS to the WSF

Those who have followed our wallet security research will recognize the WSC under its previous name: the Wallet Security Verification Standard (WSVS). We published the WSVS as a white-box control catalog for wallet developers and auditors, and it has served as the technical foundation behind our Wallet Security Ranking since its launch. The ranking recently became open source, as announced in Coinspect’s X profile.

As our research expanded, it became clear that the WSVS alone was not enough. As a white-box catalog, it describes how a wallet should be built, but applying it depends on source code access. Black-box testing lets us evaluate wallets at scale, independent of source access, capturing how integrations and dependencies behave in real environments.

The WSF is our answer to that gap. We evolved the WSVS into the WSC, introduced the WSB as a black-box companion, and consolidated both under a single project. Our goal is for the WSF to become the go-to wallet security reference for developers, researchers, and auditors, broad enough to support hardware wallets, operational security controls, threat models, automated testing tooling, and more.

Wallet Security Framework diagram
The Wallet Security Framework combines the WSC and WSB into a unified open-source resource.

What Expanding the Framework Means

Supporting those areas is not just a matter of adding LLM-generated checklist items. Each check requires a clear security rationale, the attack scenario it prevents, a way to evaluate it during an audit, and, when possible, a black-box test. Checks should come from real interactions with the products, be adjusted to apply across a wide range of them, and be refined through successive iterations. That is the same process behind our Wallet Security Ranking: not a simple list of checks, but a sustained effort of proposing, polishing, and testing that turned it into a security product with proven value. Applied to hardware wallets, these tests could eventually support a Hardware Wallet Security Ranking.

Operational security introduces a different layer. Here the wallet is part of a broader process involving roles, authorization policies, signer management, backups, transaction review, incident response, and vendor or service-provider dependencies. The work is to model realistic organizational failures: compromised workstations, unclear ownership of keys, weak recovery procedures, or missing out-of-band verification due to rushed approvals. The WSF should turn those scenarios into controls that teams can actually assess, not abstract governance advice.

Scaling With Threat Models and Tooling

  • Threat models help explain why a control exists, what attacker it addresses, what assumptions it relies on, and which risks remain outside its scope.
  • Automated testing tooling provides stable test definitions and repeatable interaction flows with integrated evidence capture, with the goal of retesting wallets more often and reducing the chance of human error.

The Wallet Security Benchmark (WSB)

The WSB is a set of interaction-based tests that anyone can run against a wallet, observing how it responds to real inputs (crafted signing requests, RPC calls, physical access scenarios) rather than reviewing its internals.

The current scope focuses on areas where users consistently lose funds: phishing and physical access. These map to four test categories:

dApp Permissions (PERM) verifies that the wallet asks before granting dApps access to accounts or allowing sensitive RPC methods. This includes connection consent flows, WalletConnect request handling, and chain-switching confirmations.

Intent Verification (VERI) measures the wallet’s ability to present clear, human-readable summaries before a user approves a transaction or signs a message. This covers transaction simulation, EIP-712 message parsing, token approval dialogs, and whether users can see the full content they are signing before confirming.

Threat Prevention (THRE) checks whether the wallet is integrated with threat intelligence for known malicious addresses, phishing domains, and spam tokens. It also evaluates how clearly the wallet presents context during connection prompts, including full URL display and dApp access disclosure.

Physical Access (PHYS) evaluates device-level protections: authentication strength, biometric support, seed phrase access controls, clipboard leak prevention, and automatic and manual locking behavior.

WSB and the Wallet Security Ranking (WSR)

Our Wallet Security Ranking is, by design, opinionated. It turns expert knowledge into a practical tool that helps users decide which wallet to use. Opinionated does not mean opaque: the ranking is open source, and outcomes are public and verifiable in its repository, from the checklists we use to the passing criteria and weights used to compute ranking positions.

There is a natural separation between a neutral, long-term body of knowledge and the practical decisions required to evaluate real products. The WSB can define a requirement like “wallets should use the strongest authentication mechanism available on each platform.” That kind of statement is stable and broadly agreed upon. Turning it into a real-world evaluation requires additional decisions, such as:

  • What counts as the strongest authentication on each platform,
  • How to test whether a wallet actually enforces it,
  • What thresholds define a strong password, etc.

These questions are more fluid. They change with platform updates, new attack patterns, and repeated testing cycles. Because we evaluate wallets multiple times per year, this layer needs to move faster than a consensus-driven checklist. It also evolves in the open, where anyone can discuss new ideas and outcomes.

The WSF reflects this separation: the WSC and WSB capture the stable, shared foundation of wallet security knowledge, while the ranking methodology evolves independently to remain practical, current, and useful to end users.

Most WSB tests feed directly into our Wallet Security Ranking, with a clear division of responsibilities:

  • The WSB defines what and why to test, without prescribing outcomes.
  • The ranking layers its own pass/fail thresholds and scoring criteria on top. As we described when we launched the ranking, the goal was a scalable, objective way to evaluate wallets continuously, not just through point-in-time audits.
Wallet Security Ranking diagram
How WSB tests feed into the Wallet Security Ranking, with separate layers for test definitions and scoring methodology.

Get Involved

The WSF is fully open source and we want it to grow beyond what we can build alone. If you work on wallet security as a developer, researcher, auditor, or just someone who tests wallets, we are looking forward to your contribution.

New test cases, platform coverage for hardware wallets, mobile wallets, and browser extensions, threat model documentation, automated testing tooling, scoring methodology feedback, and corrections are all welcome. The goal is a shared, community-maintained standard that raises the bar for the entire industry.

Start at github.com/coinspect/wallet-security-framework. Open an issue, submit a pull request, or reach out directly.