An Open Letter to the Manufacturers and Designers of Crypto Wallets

An Open Letter to the Manufacturers and Designers of Crypto Wallets (both cold and hot).

There have been far too many attacks lately. Many users are losing money due to what appear to be straightforward attacks…

In light of this, I have made the decision to publish an open letter with a list of suggestions and ideas that I have  gathered  over time to companies who produce hardware and software cryptocurrency wallet solutions. Here are fresh ideas that we need to implement in the coming year, 2024!

Let’s say Santa gives you a dream cryptocurrency wallet (or sends you a link to one!). How will it be like? Let’s attempt to visualise it!

First, we can look at well-liked “de-gen” toolsets and packs that are frequently utilised. We might  notice  a few awesome features there! These are a few instances (DYOR, not all of them have been audited):

• docs.google.com/document/u/0/d/1-_0Wlwch_vtkPM4F-SdEXLjQYaYT7KoPlU2rjt7tkLQ/mobilebasic

• github.com/starius/logic-bomb/blob/master/logic_bomb.c

• github.com/zaivanza/all-in-one-v2

• github.com/helllzy/encrypt_keys

• github.com/JackBekket/escrow-eth/blob/master/contracts/EscrowAdvansed.so l

Secondly, I think we need to create a suitable defensive mechanism against Ethereum and Bitcoin vanity attacks, often known as address poisoning! Instances of address poisoning on blockchains such as Ethereum and Bitcoin:

• github.com/AngelTs/vanitygen-plusplus-ported-for-VS2019

• bitcointalk.org/index.php?topic=5076779.0

• cointelegraph.com/news/address-poisoning-attacks-in-crypto

Right now, there is a fairly extensive attack on the Ethereum blockchain. Check out  web3_antivirus    scamsniffer_  with  blockfence_io  as they previously posted about this. Basically, just install an antivirus extension and use the address book feature to prevent any potential issues! I may also advise you to make use of  smoldapp  and  delegatedotxyz  tools!

We should implement a robust multi-signature for enhanced security! As an alternative, I strongly advise you to look at these examples of crypto clippers:

• news.ycombinator.com/item?id=32614037

• arxiv.org/pdf/2108.14004.pdf

Thirdly, every wallet should have a strong security staff ( ZenGo  has a fantastic security team!). This team will notify users of critical security occurrences, even through socials. Additionally, try  sadspotter  (free API; send /genkey command) and  web3_antivirus .

Be mindful of allocating additional resources and time to user education, and raise awareness of a secure backup plan:

• backblaze.com/blog/the-3-2-1-backup-strateg y

I also do love and strongly support an awesome idea (made by  0xKoda ) of storing MD5 hashes mapped to the url of the protocols approved webpage content on-chain, then one could build an extension that checks the diff when visiting the website and alert the user before connecting:

• github.com/0xKoda/verifi-web

This is practically a foolproof defensive  solution  against front-end attacks and their aftermath, in my opinion!

Next, we ought to focus more on physical security:

• thecharlatan.ch/List-Of-Hardware-Wallet-Hacks

• docs.google.com/spreadsheets/d/13d5xnVa2PlhzNLAxvvufRCT1fpDbnByI3UOf276zYZ0

Manufacturers ought to steer clear of ESP32 chips and their less expensive variants from system designs, employ larger capacitors (to prevent most of physical hack methods), create specialized proprietary chargers, and, of course, use more radio-transparent epoxy! Additionally, please put self-authorized data parsers into practice. By using our own parser and comparing the ABI against the 4byte directory, ABI parsing ought to be self-verified.

Although I adore  KeystoneWallet  ,  gridplus  , and their security-focused mindset, we might want something more… intense! Please add  otterscan   tryethernal  and  walletlabels  in your system design!

Invest in advanced hardware security measures to  safeguard  against physical tampering and  ensure  the integrity of hardware wallets! We also need to integrate privacy-centric features,  ability  change RPC providers (like  zmok_io  or  SecureRPC ) — in order to protect user data,  ensuring  confidentiality for all wallet  users .

Let’s go back to our main topic now. The following essential features (highlighting an address, previewing six digits from both sides, and implementing a Secure Enclave) are, in my opinion, something wallet providers should or may implement:

• x.com/iamnickdodson/status/1735633874179269051

• x.com/port_dev/status/1732346827616538993

Finally, we MUST be able to quickly and simply set up a gas burner bot that is, say, password or 2FA protected. With all said, prioritize seamless and intuitive user interfaces for both cold and  hot  wallets. Users should feel confident and  comfortable  when navigating their wallets!

• x.com/smpalladino/status/1373049027365904389

• github.com/codywall/Burner-Bot

The ability to configure appropriate notifications is especially crucial in this case; I really appreciate how  TrustWallet  ,  Rabby_io  , and  MetaMask  handle this issue. For this,  AMLBotHQ  and  TenderlyApp  also offers a really good answer! Make sure to read my own posts as well, as I went into great detail on this subject there:

• officercia.mirror.xyz/GX0LvoKDcC12ACXzhT3F_3PVRSfEyhE8cJYMZnoia9U

• medium.com/coinmonks/bitcoin-the-ultimate-opsec-collection-22fe8402b71c

Check out this fantastic guide written by  PatrickAlphaC  using data from my own research and  trailofbits

• cyfrin.io/blog/what-should-i-use-to-store-my-cryptocurrency-web3-wallet-guide

Now, at the very conclusion. In my  opinion , I hope that 2024 will bring with it even more do-it-yourself options like  gamewallet.gg  and  AirGap_it ! I have addressed every query in my  previous  posts, but I have simply provided a general overview of my thoughts in this piece.

Don’t forget to check out these fantastic resources:

• walletcompare.xyz

• walletscrutiny.com

Let’s collaboratively work towards a future where cryptocurrency wallets set the standard for security , privacy, and user experience! Together, we can shape the future of digital asset management!

Stay safe!