Telegram crypto trading bots spark fears over security vulnerabilities

A rising influx of crypto traders are being drawn to bots integrated with the messaging app Telegram, some of them including Unibot, Swipe, WagieBot, and Bolt. Since May, over 63,000 crypto users have executed trades totaling close to $186 million using the bots, Dune Analytics data indicates.

Yet, as activity flourishes, experts are casting a critical eye, particularly concerning how the bots handle user assets.

The allure lies in the remarkable simplicity — trading with them is as easy as sending a message. Based on predefined rules, upon receiving a message they can identify trade commands, interpret them and then promptly execute trades on linked decentralized exchanges.

While the bots provide features that streamline the process for traders eager to quickly buy or sell coins on decentralized exchanges, many experts believe their security is among the poorest available in the crypto sector.

“I think the rise of Telegram bots is a terrible development — closed source and you are handing over your private keys. This is even worse than back in the day when you sent some funds to an unknown exchange website,” Christian Seifert, a former Microsoft security lead and researcher-in-residence at the Forta Network, told The Block. "The bots might even be riskier than interacting with an unknown smart contract where you can specify and limit the approval. With bots, you essentially hand over everything and hope they don’t take your funds."

The key concerns

To make crypto trading easier for users, Telegram bots are designed to streamline the intricate processes involved in establishing a crypto wallet and authorizing necessary permissions for smart contracts behind decentralized exchanges that handle asset transactions.

Initially, a crypto bot creates a wallet for its users, providing them with private keys to facilitate trading. Users are then asked to deposit funds into these wallets to start trading. This presents an issue, however, as it challenges the principle of maintaining secure self-custody of funds.

Blockchain security firm BlockSec has expressed apprehension regarding the growing trend of Telegram bots, with co-founder Yajin Zhou emphasizing the potential dangers associated with transferring tokens to third-party wallets created by the apps or disclosing private keys. He pointed out that while the bots excel in offering speed and ease of use, they often come at the cost of security.

When these services automatically generate a wallet for users, there’s an inherent risk pertaining to the continued storage of the private keys on the platform, Zhou explained. Should there be a data breach or hack, it could spell disaster for bot users, leading to potential loss of assets to cybercriminals.

“To use the bot, users must transfer tokens to a third-party wallet or share their private keys. Who can guarantee that these shared keys won’t be leaked, or that the bot owner won’t misuse them?” Zhou told The Block.

When a bot generates a wallet, it’s essentially creating a cryptographic key pair. The public key is the destination for incoming funds. The private key, being the exclusive access point to these digital assets, can potentially become a prime target; if compromised by malevolent actors, they can drain the associated funds. On the other hand, if a user misplaces the private key without a backup, they’re locked out of their own assets.

Zhou further elaborated that since users aren’t the ones generating the private keys, their security is not always assured, opening doors for potential misuse. He also cautioned about the grim prospect of dishonest bot developers exploiting users in the future. Drawing parallels with past market frenzies, like memecoin projects and DeFi, Zhou reminded that many were unmasked as exit scams, defrauding countless investors.

Operational ease

With the rising adoption of the bots, several experts amplified worries about the glaring absence of code security audits that suggests that the safeguarding of user assets could be at risk, especially if there’s a veil of opacity around the project’s mechanics.

“These bots lack a proper security audit, provide no insights into the storage methods for private keys, and there’s an utter void of security documentation on their websites,” said Dave Schwed, COO of the security firm Halborn.

Security audits, executed by third-party specialists, evaluate a system’s susceptibility to breaches. Their role is pivotal in ensuring that systems adhere to best practices, safeguarding both user data and assets. A lack of such audits raises red flags, signaling possible omissions or compromises, Schwed highlighted.

Moreover, Schwed drew attention to the missing end-to-end encryption on Telegram itself, presenting potential vulnerabilities. “While Telegram chats are encrypted, they lack end-to-end encryption. This means Telegram has the ability to decode messages, except when users choose ‘secret chats.’ Unfortunately, these secret chats don’t support bot interactions,” he said.

End-to-end encryption, featured in “secret chats,” guarantees that only the conversation participants have the capability to decrypt messages, effectively barring even Telegram from access. This distinct disparity carries significant consequences for both data privacy and security.

"Given that bots function within Telegram’s non-end-to-end encrypted domain, any instructions reflecting a user’s financial actions might be at risk," Schwed added. Any confidential information relayed to the bot, be it transaction specifics or mere commands — stands the risk of potential exposure, he continued.