After really liking this wallet, I upgraded to 1.28.1 today since it now can hold your Decred coins. I sent a few coins to it and after confirmation about 10 min later, I requested another 'receive' address from Exodus for a second transfer. Guess what? It was the same address!
Yep, Exodus reuses addresses. After chatting with some local bitcoiners in one of my Telegram chats, I was shown this piece:
In short... not open source and they ignore a number of 'Security 101' best practices.
Well just DAMN IT right?
I had been touting this nice to use wallet for a few days to some people and I feel like I let them down.
I hope to hell they start doing security rather than the usual coin o' the week stuff, and do it soon!
Amended below with response from JP Richardson of Exodus... this is encouraging.
Hey James, Exodus co-founder here…
Thank you for writing this and sharing your thoughts and perspectives with everyone. Positive and negative feedback is what helps us to improve and to build a better product. Without feedback like this, we’d be blind to our own problems.
I’ll take each one of your criticisms one-by-one…
Exodus forces address reuse
Many people believe that multiple addresses increase privacy for a user. There is a degree of truth in this – if done properly and appropriately (UTXO selection matters). Exodus has always had many change addresses for UTXO based assets (BTC, DASH, DOGE, LTC) – so when you send funds, the change goes to a different address each time in your Exodus wallet.
Until recently, we forced a single ‘receive’ address. We viewed this decision partially through the lens of a new user. Eventually we got so many requests to change this, that we decided to allow multiple receive addresses for Bitcoin. You wouldn’t believe the amount of support requests we received stating that we had no right to change the customers’ Bitcoin addresses. Wow, did we mess that one up. So we tweaked the feature a bit, so it always shows the first receive address, but you’ll notice there’s more by clicking the right arrow next to the QR code. We started with Bitcoin first to get the UX correct. I’m still not convinced we have it right. When we do, we’ll start allowing it for other assets where it makes sense (not ETH).
Exodus accepts insecure passwords
I agree. We could do a much better job here. I dropped in this code library from Dropbox https://github.com/dropbox/zxcvbn and never looked back. This is 100% my fault. I should have spent more time on how this all works and fits into Exodus. Moving forward, we may just have to remove the strength estimation altogether or see if we can improve it. I’ll have to put more thought into this, but thank you for pointing this out.
Exodus is closed source
Exodus is not 100% closed source as can be seen here: https://github.com/exodusmovement/ – we’re working on open-sourcing more of Exodus.
Why is Exodus not 100% open-source? Because we haven’t validated our business model. That’s it. In the long-term, we’d like to open-source all of Exodus. I think I have credibility making this claim given how much I love open-source (https://github.com/jprichardson && https://www.npmjs.com/~jprichardson) so I have the track record to prove it.
However, we do understand that many people will not agree with this decision in the short-term and we are okay with these people choosing not to be our customers at this point. Fortunately there are so many desktop wallets in this ecosystem to fulfill most people’s preferences.
there is no 2 factor authentication available.
We are actively working on a solution to this now. Hopefully this will satisfy the security needs of most people.
Finally, I want to close by saying that we really appreciate the comments and criticisms. We realize we won’t be the perfect solution for everyone, but we like people telling us where we failed so that we can at least try to be the perfect solution for some.
All my best,