I recently decided to give Exodus a try. For those of you who don’t know what this thing is, Exodus is a desktop wallet that supports multiple cryptocurrencies and gives you the ability to trade between them. I learned about it from a very positive review by Ofir Beigel at 99 Bitcoins.
The 99 Bitcoins review makes a really good summary of the good stuff about Exodus. However, it makes no effort to comment on the not-so-good stuff, and there are things that I find disturbing and think you should know about. You are welcome to read this whole post, but if you are in a hurry, here is my conclusion in advance: I think Exodus is too expensive, and I believe it is not safe enough to trust it with my coins.
Now that I have dropped the bomb, let me retrace my steps and start from the beginning. Here is what Exodus looks like:
It supports multiple cryptocurrencies; as of August 2017, these include Aragon, Augur, Bitcoin, Dash, Decred, EOS, Ethereum, Gnosis, Golem, Litecoin and OmiseGo. Many more are promised to come; have a look at the unofficial roadmap of supported assets if you want to know more.
It is a beautifully designed piece of software; a true pleasure to look at. Gentle contrast, subtle animations and a very skinnable interface. From a pure UX point of view, Exodus is close to perfect. I don’t know anything about web programming, but it looks like a Google Chrome-based app (the Debug features of the Exodus app open the Chrome dev console). It feels similar to Ethereum Wallet and Ethereum Mist.
In the words of its creators (Exodus.io home page):
Exodus gives blockchain asset investors a platform to secure, exchange and manage wealth inside one beautiful application.
So basically, the Exodus folks assume the software will be used by people with some degree of sophisticated knowledge of ‘blockchain assets’… Right? Yet they also say elsewhere (in an explanation of why Exodus fees are high):
Most users of Exodus are 100% new to blockchain assets and are not technical. When we set the fees at an average amount (or begin to give the user a choice on what fee to set) they ultimately will choose a lower fee without the understanding this could cause the transaction to not be delivered.
If being able to manually set a low fee is important to you, Exodus is not a good software choice, and we encourage you to use other bitcoin wallets. The good news is there are a lot of highly technical BTC wallets much better than Exodus in this regard. Electrum is awesome for highly technical details like this. With the current market reach of Exodus, this will not be a focus for our company anytime soon.
In other words, the Exodus creators are fully aware that most of their users are newbies. And so they built a powerful platform, removed the training wheels and airbags, and gave it to the n00bz to play with. What could possibly go wrong?
Unclear Business Model
The first thing that I find annoying is that the business model of this software is unclear. When a software developer provides a program free of charge, it is reasonable to ask why. Many people provide their software for free and don’t intend to profit from it. Usually, such folks make the source code freely available as well. Exodus do not do that: their program is closed-source.
It is also common for free software to rely on community support, since its developers have limited capacity to support it themselves. But Exodus do provide extensive support on Slack and via an email ticket system. They are also hiring new people, offering upwards of $60,000 USD/yr.
You can only do that when you either have a profitable product or expect your product to become profitable in the foreseeable future.
Exodus have mentioned multiple times on their support website that they don’t take any cut from the transaction fees. I fully believe that statement but it doesn’t answer my question about their business model. Exodus also clearly say they use ShapeShift, and ShapeShift do support business partnerships, but so far as I can see Exodus never state in plain text whether they turn a profit from ShapeShift commissions.
Even if they do, that is fine; I fully expect the authors of good, usable software to be rewarded for their work. However, if I don’t know what a company’s business model is, how can I know whether I am overpaying for their service or not? And here is the second, bigger problem:
High Transaction Fees
I can only comment on Bitcoin fees, because this is the currency I used when testing the service. Exodus say the following:
We have done extensive testing over the years to make sure bitcoin transactions are delivered the fastest way possible. Because Exodus prioritizes speed and reliability over low fees, Exodus will always dynamically set the highest price to deliver your transactions.
Most wallet programs I know of give the user the ability to adjust the transaction fee. Exodus assumes their users are too dumb to know better, and pushes high fees onto every transaction. Combined with the unknown profit model, this looks suspiciously like an effort to get a larger commission from each transaction by taking advantage of users’ lack of experience. See what happens when a business is not upfront about how they make money? Assholes like me get suspicious.
But of course, everybody can (and should) educate themselves about cryptocurrencies and be able to decide whether these fees are worth it compared with the convenience the software offers. So I let this issue slide.
This next thing however I just can’t let go.
Your Exodus Wallet Seed is Easily Exposed (And Devs Don’t Really Care)
When you start Exodus for the first time, it creates a wallet for you, but the software will only ask you to enter a password after you have received funds for the first time. Here is how this goes:
In order to protect your coins from loss, you are given two recovery options:
- Write down the master key seed
- Generate a recovery link and send it via email 1
Once you have done these two things, you can be relatively sure that you won’t lose access to your wallet. You are also relatively secure when you launch the application: it will ask for your password every time. However, once inside the program, all payment/exchange transactions are fulfilled directly (no password confirmation is required). The program gives you the ability to change the email address where the recovery link is sent, and also to see your master key seed. And here comes the trouble.
If you click on ‘Reset Email & Password’, Exodus will tell you that it needs to restart. And as soon as you restart, you need to enter your password to proceed. So everything looks fine here. But if you click on ‘Show 12-Word Phrase’ instead, the f—ing program will just show you the seed, no questions asked. If you leave your PC unattended with Exodus open, I only need 10 seconds to walk away with your keys. I can then duplicate your wallet on another computer and monitor it constantly. I can choose when to screw you by emptying it completely, and you won’t ever know what got you.
I was so shocked with this, that first I couldn’t believe my eyes. What were the devs thinking?!
What Exodus Had to Say
I sat on this information for nearly 3 weeks, in case it was a recently introduced bug that had gone unnoticed. When Exodus version 1.3.2 was published and the problem was still there, I decided to send a ticket to Exodus support and draw their attention to it. Here is what I wrote:
On Fri, Aug 25, 2017 at 10:23 PM UTC, Ivan Arnaudov wrote:
I noticed improper behavior of Exodus 1.3.1 and 1.3.2 which allows easy exposure of the 12-word master key seed once I’ve logged into the program.
When I open Exodus and go to ‘Backup’, I can click on ‘Show 12-Word Backup Phrase’ and the program will just show it to me without asking for my password first. Obviously, this is a terrible lapse of security.
The other button, ‘Reset Email & Password’, behaves as it should: when I click on it, Exodus says it needs to restart, and as soon as it restarts, it will ask me for my password. This is normal safety logic which should be carried over to the Show Master Key Seed functionality as well. Otherwise the keys to any open wallet on any computer can be stolen while the owner is AFK.
I understand that limited circumstances are required to take advantage of this issue, but it should be fixed nonetheless. Please take care of this oversight! Otherwise Exodus is simply unsafe.
They did reply fast: I wrote late on Friday evening, and a very kind gentleman called Leonardo replied to me in the early hours of Saturday. Kudos for that; can we hope that Coindesk will one day provide such service? But anyway, I digress. Here’s the reply in full:
From: Leonardo Bilia
Sent: 26 August 2017 03:39
To: Ivan Arnaudov
Subject: Re: Exodus exposes master key seed
Thanks for reaching out to us.
I really appreciate your sincere feedback, and I believe that there’s only one path to follow that is listening and understanding our user’s thoughts and needs.
I’ll give you two different perspectives about your concerns. I personally use Exodus as my everyday wallet, but the way I see my cryptocurrency wallet is exactly the same way I see my online bank account. I don’t see any reason to keep my wallet open if I’m not in front of my computer using it. In this case, nobody will ever steal my 12-word phrase, because if I’m not using it, I will simply close the application. The same way, I won’t leave my online bank account website open while I’m not in front of my computer using it.
I always bring the responsibility to myself to take care of my own wealth.
But, from the wallet development perspective, I agree with you. People are different, and for me to have that section PIN protected is not necessary, but for our users it can be a complete game changer. I really appreciate your description, and be sure we will discuss all the possibilities to make our products even better and safer in the future.
We’ll get there with time.
I took a note of your interest, so we will email you when we have updates about that.
By the way, we are also working on more advanced security and hardware wallet functionality. We are working hard to bring more advanced tools to our users. =)
Customer Success Engineer
He was very kind, and also very wrong. Of course keeping my crypto wallet safe is my responsibility. But it is one thing to take care of your money, and another thing to have to care for an unprotected piece of software that happens to be running on your laptop when it gets stolen. So I wrote to Leonardo again:
I appreciate your detailed reply in the early hours of Saturday, even if I fully disagree with you comparing Exodus and online banking on the premise of how AFK situations are handled. Any online banking software I use and know of (and I have used several, for myself and my company, over a period of 18+ years in multiple European countries) has means of safeguarding against unauthorized payments by asking for a second form of authorization for an active operation even after the user is logged in. And need I mention that online banking software will always have short session timeouts, while an open Exodus wallet can apparently operate for weeks and months on end without asking for password re-entry from time to time?
Besides, the program is obviously designed to prevent an unwanted change of backup email address; so apparently some thought went into the process of defending the customer against some forms of wallet breach. I fail to see any reason why the designers of the program may have decided to protect one form of recovery against wrongful use but have totally neglected the other. (A side note: exporting private keys via the Developer menu appears to be equally unprotected as the ‘Show the seed words’ functions.)
Charging the user with the responsibility to safeguard their money and property is one thing; designing software to make it so very easy to punish a user for a momentary lapse of care, let alone a targeted attack, accidental loss or theft of equipment, is another.
I fully understand that you (both personally and speaking on behalf of Exodus) may have different views of the use case for this software. But as things stand at the moment, I have no recourse but to remove my funds from this wallet and delete it from my system. It is a very beautiful piece of software that simply cannot be trusted with non-trivial amounts of money in its present state.
That being said, I do wish the Exodus project well. Blockchain tech is still a toddler; a lot of mistakes will still be made before we all get to ‘safe to use for everybody, easy to use by everybody’ heaven.
To which he replied (again, very quickly):
Thank you for such a rich and detailed message. It will for sure help us a lot to understand what our users see and want for their “perfect Exodus wallet.” I cannot thank you enough for taking the time to send the feedback.
Technically speaking, since the private keys are stored on your computer, to build a really effective second layer of protection such as 2FA in a way to actually add security is complicated. As I said, we are working on more advanced security and hardware wallet functionality. However, it will not be ready for a while.
To maximize security, if you are planning on holding plenty of blockchain assets Exodus shouldn’t be your first option. I recommend a multisig wallet like Copay, a hardware wallet like Ledger or creating offline paper wallets.
Once again, thank you for your message and be sure we will take it into consideration.
I wish you all the best.
Customer Success Engineer
After this exchange with Exodus customer support, it seems to me that the whole premise of the Exodus software is broken. They give you ‘a platform to secure, exchange and manage wealth inside one beautiful application’, but they don’t bother to protect you against the simplest imaginable form of local attack. If you press the issue, they will tell you that if you are serious about crypto assets, Exodus shouldn’t be your first option anyway.
So if serious users who trade between multiple cryptocurrency pairs should not use this service, then who is the target customer for Exodus, exactly? Is it the Bitcoin newbie who is so uninformed that he doesn’t mind overpaying transaction fees so long as he gets to use their shiny app? Is it fair to push higher fees and profit from the newbie’s lack of knowledge?
After I wrote my second message to Leonardo, I removed my coins from my Exodus wallet and deleted it from my system. You have been warned.