El Salvador’s official government bitcoin wallet leaks user data

After the passage of the Bitcoin Law in El Salvador, the government has been working to launch its own bitcoin wallet, Chivo. To encourage citizens to download the official wallet, the government promised to distribute 30 dollars in bitcoin to each user.

However, even though it took months to develop the project, the wallet had problems with distribution in the app stores, as well as several inconsistencies in the system.

Lack of privacy

One of the problems mentioned by users was the lack of privacy. The transaction description shows the name of the person making the payment, something that does not happen in conventional open-source wallets, that is, wallets whose code people can check and for which they can suggest improvements to the developers.

Invoicing a transaction on Lightning Network.  Username deleted for privacy reasons.

This caused dissatisfaction among users, who point to it as a serious privacy violation.

In addition, the Huawei version of the application was found to require access to voice features such as the microphone. This suggests that the app can listen in on conversations through the phone’s audio input, which severely compromises the user’s privacy.

no privacy wallet

Limited transactions

Another problem identified is that users have difficulty withdrawing from their wallet the initial US$30 that the government distributed. Apparently, 3 to 5 transactions must be carried out between Chivo users before the value can be sent to another type of wallet.

It is possible to send bitcoins to Chivo and to make transactions within it via Lightning Network; however, on-chain sends (using the blockchain) are not yet available.

Bugs found

A Lightning invoice usually contains the number of sats (the amount to pay). However, in Chivo Wallet, when an invoice that includes the amount is entered, the application asks the user to enter the amount manually, and the payment then fails with an error.

The wallet can scan QR codes of Lightning addresses, but it often fails when the address is just pasted in manually.
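How a wallet can read the amount out of an invoice instead of asking for it, and accept the same string whether it was scanned or pasted, shown as an added example that is not Chivo's code. It follows the BOLT11 invoice encoding and reads only the human-readable prefix; the sample invoices are constructed, with placeholder data parts, and no checksum or signature is verified.

```python
import re
from typing import Optional

# Millisatoshi per unit for each BOLT11 multiplier (1 BTC = 10**11 msat).
MSAT_PER_BTC = 10**11
MULTIPLIER_MSAT = {"m": 10**8, "u": 10**5, "n": 10**2}

# Human-readable part: "ln" + network prefix + optional amount + optional multiplier.
HRP_RE = re.compile(r"^ln(bcrt|bc|tbs|tb)(?:([1-9][0-9]*)([munp]?))?$")


def invoice_amount_msat(invoice: str) -> Optional[int]:
    """Amount a BOLT11 invoice requests, in millisatoshi (None = payer chooses)."""
    text = invoice.strip()
    # Pasted strings often still carry the URI scheme used in QR codes.
    if text.lower().startswith("lightning:"):
        text = text[len("lightning:"):]
    # bech32 allows all-lowercase or all-uppercase, never mixed case.
    if text != text.lower() and text != text.upper():
        raise ValueError("mixed-case invoice")
    text = text.lower()
    # The bech32 data alphabet has no "1", so the last "1" is the separator.
    sep = text.rfind("1")
    match = HRP_RE.match(text[:sep]) if sep > 0 else None
    if match is None:
        raise ValueError("not a BOLT11 invoice")
    _, digits, multiplier = match.groups()
    if digits is None:
        return None  # only here does a wallet need to prompt for an amount
    amount = int(digits)
    if multiplier == "p":
        # One pico-bitcoin is 0.1 msat, so the amount must be a multiple of 10.
        if amount % 10:
            raise ValueError("sub-millisatoshi amount")
        return amount // 10
    if multiplier == "":
        return amount * MSAT_PER_BTC
    return amount * MULTIPLIER_MSAT[multiplier]


# Constructed samples: real network prefixes, placeholder data parts ("qqqqqq"),
# so they parse here but carry no valid checksum or signature.
SAMPLES = ["lnbc2500u1qqqqqq", "LIGHTNING:LNBC20M1QQQQQQ", "lnbc1qqqqqq"]
RESULTS = {s: invoice_amount_msat(s) for s in SAMPLES}
```

A wallet built this way prompts for an amount only when the function returns None, and treats an uppercase QR payload and a pasted lowercase string identically.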

Another problem encountered was when using the services of Bitrefill, a company that sells gift cards paid for with bitcoin.

When sending bitcoin on-chain, Bitrefill requests a minimum of 0.0001 BTC; when the Chivo Wallet user enters the amount, a fee is deducted and Bitrefill receives less than expected.