This work conducts a systematic security evaluation of Chain-FS’s “trustless” security claims. We identify two critical vulnerabilities: (1) its end-to-end encryption is susceptible to efficient offline dictionary attacks when users choose passwords meeting only the minimum length requirement; and (2) file sharing relies solely on TLS-protected transmission of decryption passwords, introducing plaintext password relay risks. Using cryptographic analysis, controlled dictionary attack experiments, protocol reverse engineering, and TLS traffic auditing, we are the first to expose how weak passwords trigger encryption bypass in such lightweight cloud storage systems. We propose three concrete mitigations: strengthened password-based key derivation, secure shared-key negotiation for file sharing, and TLS-hardening recommendations. All findings and remediation proposals were validated and acknowledged by the vendor.

We examine the security of a cloud storage service that makes very strong claims about the ``trustless'' nature of its security. We find that, although stored files are end-to-end encrypted, the encryption method allows for effective dictionary attacks by a malicious server when passwords only just meet the minimum length required. Furthermore, the file sharing function simply sends the decryption passwords to the server with no protection other than TLS.