Officer's Blog

Posted on Dec 23, 2023

An Open Letter to the Manufacturers and Designers of Crypto Wallets

An Open Letter to the Manufacturers and Designers of Crypto Wallets (both cold and hot).

There have been far too many attacks lately. Many users are losing money due to what appear to be straightforward attacks…

In light of this, I have made the decision to publish an open letter with a list of suggestions and ideas that I have gathered over time to companies who produce hardware and software cryptocurrency wallet solutions. Here are fresh ideas that we need to implement in the coming year, 2024!

https://threadreaderapp.com/thread/1738366681125191965.html

Let’s say Santa gives you a dream cryptocurrency wallet (or sends you a link to one!). What would it look like? Let’s try to visualise it!

First, we can look at the popular “degen” toolsets and packs that are used every day; there are a few excellent features to be found there. Here are a few instances (DYOR, not all of them have been audited):

Secondly, I think we need a proper defensive mechanism against vanity-address attacks on Ethereum and Bitcoin, better known as address poisoning: the attacker grinds an address whose first and last characters match one of your real contacts, then plants it in your transaction history so that you copy it by mistake. Instances of address poisoning on blockchains such as Ethereum and Bitcoin:

Right now there is a fairly extensive attack of this kind running on the Ethereum blockchain; web3_antivirus and scamsniffer_, together with blockfence_io, posted about it earlier. For now, install an antivirus extension and use the address book feature, so that a recipient is never copied out of the transaction history. I may also advise you to make use of the smoldapp and delegatedotxyz tools!

We should also implement robust multi-signature support for enhanced security! Separately, I strongly advise you to look at these examples of crypto clippers (malware that silently replaces a copied address in the clipboard with the attacker’s):
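The detection logic a wallet could run against both address poisoning and a clipboard clipper, as an added example that is not code from this post or from any tool named above: compare the full recipient string against the address book, flag lookalikes that agree only on the leading and trailing characters an abbreviated display shows, and scan history for zero-value transfers from such lookalikes. Every address, the address book and the history below are constructed for the example.

```python
"""Address-poisoning and lookalike-recipient detection (added example; all
addresses below are constructed, not real accounts)."""
from dataclasses import dataclass

# A wallet's abbreviated "0x1234…5678" view shows only a few characters at
# each end; a poisoner grinds a vanity address that matches exactly those.
PREFIX_CHARS = 4
SUFFIX_CHARS = 4
_SKIP = ("0x", "bc1")   # encoding prefixes shared by every address of that kind


def normalize(addr: str) -> str:
    """Hex (0x) addresses are case-insensitive; base58 Bitcoin ones are not."""
    a = addr.strip()
    return a.lower() if a.startswith(("0x", "0X")) else a


def _ends(addr: str, prefix: int, suffix: int):
    """The characters a user actually compares: first `prefix` after the
    encoding prefix and the last `suffix`."""
    body = addr
    for p in _SKIP:
        if body.startswith(p):
            body = body[len(p):]
            break
    return body[:prefix], addr[-suffix:]


def looks_alike(candidate: str, trusted: str,
                prefix: int = PREFIX_CHARS, suffix: int = SUFFIX_CHARS) -> bool:
    """True when the addresses differ but agree on what an abbreviated display shows."""
    c, t = normalize(candidate), normalize(trusted)
    return c != t and _ends(c, prefix, suffix) == _ends(t, prefix, suffix)


@dataclass(frozen=True)
class Tx:
    sender: str
    recipient: str
    value: int   # wei or satoshi


def poisoned_counterparties(history, address_book):
    """Counterparties in history that mimic a contact.
    Returns {lookalike: (contact_name, seen_in_zero_value_tx)}; the zero-value
    flag is the classic poisoning signature (a dust/zero transfer planted so the
    lookalike shows up in the user's recent-activity list)."""
    found = {}
    for tx in history:
        for party in (tx.sender, tx.recipient):
            p = normalize(party)
            for name, trusted in address_book.items():
                if looks_alike(p, trusted):
                    zero = found.get(p, (name, False))[1] or tx.value == 0
                    found[p] = (name, zero)
    return found


def check_recipient(recipient: str, address_book):
    """'trusted' on an exact address-book match, 'lookalike' when only the ends
    match (refuse to send; show both full strings), 'unknown' otherwise."""
    r = normalize(recipient)
    for name, trusted in address_book.items():
        if r == normalize(trusted):
            return "trusted", name
    for name, trusted in address_book.items():
        if looks_alike(r, trusted):
            return "lookalike", name
    return "unknown", None


# Constructed sample data.
FRIEND = "0x1234" + "a" * 32 + "5678"      # the real contact
POISON = "0x1234" + "b" * 32 + "5678"      # vanity lookalike, same 4 chars at each end
STRANGER = "0x9999" + "c" * 32 + "0000"
WALLET = "0x0000" + "d" * 32 + "1111"      # the user's own account
BTC_FRIEND = "bc1qabcd" + "x" * 26 + "wxyz"
BTC_POISON = "bc1qabcd" + "y" * 26 + "wxyz"
BOOK = {"friend": FRIEND, "friend-btc": BTC_FRIEND}
HISTORY = [
    Tx(WALLET, FRIEND, 10**18),   # genuine payment
    Tx(POISON, WALLET, 0),        # zero-value tx that plants the lookalike in history
    Tx(STRANGER, WALLET, 5),
]

if __name__ == "__main__":
    print(poisoned_counterparties(HISTORY, BOOK))
    print(check_recipient(POISON, BOOK))
```

The same full-string comparison is the defence against a clipper: the wallet never trusts a pasted value that only resembles a contact, and a "lookalike" verdict should block the send rather than merely warn.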

Thirdly, every wallet should have a strong security team (ZenGo has a fantastic one!). This team should notify users of critical security incidents, including through social media. Additionally, try sadspotter (free API; send the /genkey command) and web3_antivirus.

Be mindful of allocating additional resources and time to user education, and raise awareness of a secure backup plan:

I also love and strongly support an awesome idea (by 0xKoda): store MD5 hashes of each protocol’s approved web page content, mapped to its URL, on-chain; one could then build an extension that checks the diff when visiting the website and alerts the user before connecting:

This is practically a foolproof defensive solution against front-end attacks and their aftermath, in my opinion!
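The check itself, as an added example that is neither 0xKoda’s nor this post’s code: the on-chain registry is modelled as a constructed dict keyed by canonical URL, the extension hashes every resource it received (the HTML and each script), and SHA-256 stands in for MD5, because MD5 collisions are practical and an attacker could otherwise build a malicious page that shares the approved page’s digest. The URLs, page bodies and hashes are all constructed.

```python
"""Front-end integrity check against an on-chain content-hash registry
(added example; the registry, URLs and page bodies are constructed)."""
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit


def canonical_url(url: str) -> str:
    """Registry key: scheme, host and path only. Query strings and fragments are
    attacker-controlled and must not select a different (or no) registry entry."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", "", ""))


def content_hash(body: bytes) -> str:
    # SHA-256, not MD5: MD5 collisions are practical, so a registry of MD5
    # digests could be satisfied by a malicious page built to collide.
    return hashlib.sha256(body).hexdigest()


def verify_resource(url: str, body: bytes, registry) -> str:
    """'match', 'mismatch' (content changed since approval) or 'unregistered'."""
    expected = registry.get(canonical_url(url))
    if expected is None:
        return "unregistered"
    return "match" if hmac.compare_digest(content_hash(body), expected) else "mismatch"


def verify_page(resources, registry):
    """resources: {url: bytes} for the HTML *and* every script it loads, as the
    extension would capture them. One modified or unregistered script is enough
    to drain a wallet, so the page is approved only if everything matches."""
    results = {url: verify_resource(url, body, registry) for url, body in resources.items()}
    return all(v == "match" for v in results.values()), results


# Constructed approval snapshot (what the protocol would publish on-chain).
APPROVED_HTML = b"<html><script src='/app.js'></script></html>"
APPROVED_JS = b"connectWallet();"
REGISTRY = {
    "https://dapp.example/": content_hash(APPROVED_HTML),
    "https://dapp.example/app.js": content_hash(APPROVED_JS),
}

# Constructed "what the browser actually received" for a clean and a hijacked visit.
CLEAN_VISIT = {"https://dapp.example/?utm=x": APPROVED_HTML,
               "https://dapp.example/app.js": APPROVED_JS}
HIJACKED_VISIT = {"https://dapp.example/": APPROVED_HTML,
                  "https://dapp.example/app.js": APPROVED_JS + b"approveAll(attacker);",
                  "https://cdn.evil.example/drainer.js": b"drain();"}

if __name__ == "__main__":
    print(verify_page(CLEAN_VISIT, REGISTRY))
    print(verify_page(HIJACKED_VISIT, REGISTRY))
```

Hashing whole resources only works for static bundles; a front end that renders user-specific content server-side needs per-resource entries for the static parts (the scripts above all), which is where the value is, since the HTML shell rarely contains the signing logic.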

Next, we ought to focus more on physical security:

Manufacturers should keep ESP32 chips and their cheaper variants out of their system designs, use larger capacitors (to make voltage glitching and similar physical attacks harder), create specialised proprietary chargers and, of course, use more radio-transparent epoxy! Additionally, please implement self-verifying data parsers: calldata should be decoded with the wallet’s own ABI parser, with the function selector checked against the 4byte directory, rather than trusting whatever ABI the dApp supplies.
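One way to build such a self-verifying parser, as an added example that is not code from this post or from any wallet vendor: it carries its own Keccak-256 (the Ethereum variant with 0x01 padding, which is not hashlib’s NIST sha3_256), derives selectors from a local signature table that stands in for an offline slice of the 4byte directory, decodes only static types, and refuses anything it cannot verify instead of guessing. The signature table, the addresses and the calldata in the scenario are constructed.

```python
"""Self-verifying calldata parser (added example, not any wallet vendor's code).
Selectors are derived locally with the wallet's own Keccak-256 and arguments are
decoded with its own ABI decoder; the dApp-supplied ABI and description are ignored."""

# --- Keccak-256 as Ethereum uses it (0x01 padding; hashlib.sha3_256 differs) ---
_RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
_ROTC = [1, 3, 6, 10, 15, 21, 28, 36, 45, 55, 2, 14, 27, 41, 56, 8, 25, 43, 62, 18, 39, 61, 20, 44]
_PILN = [10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4, 15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1]
_MASK = (1 << 64) - 1


def _rol(x, n):
    return ((x << n) | (x >> (64 - n))) & _MASK


def _keccak_f(st):
    for rnd in range(24):
        bc = [st[i] ^ st[i + 5] ^ st[i + 10] ^ st[i + 15] ^ st[i + 20] for i in range(5)]
        for i in range(5):                                   # theta
            t = bc[(i + 4) % 5] ^ _rol(bc[(i + 1) % 5], 1)
            for j in range(0, 25, 5):
                st[j + i] ^= t
        t = st[1]
        for i in range(24):                                  # rho + pi
            j = _PILN[i]
            st[j], t = _rol(t, _ROTC[i]), st[j]
        for j in range(0, 25, 5):                            # chi
            row = st[j:j + 5]
            for i in range(5):
                st[j + i] ^= (~row[(i + 1) % 5]) & row[(i + 2) % 5]
        st[0] ^= _RC[rnd]                                    # iota


def keccak256(data: bytes) -> bytes:
    rate = 136                                   # 1600 - 2*256 bits, in bytes
    buf = bytearray(data) + b"\x01"              # Keccak (pre-NIST) domain padding
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    st = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            st[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        _keccak_f(st)
    return b"".join(st[i].to_bytes(8, "little") for i in range(4))


def selector(signature: str) -> bytes:
    return keccak256(signature.encode())[:4]


# The wallet's own offline slice of the 4byte directory (constructed here).
KNOWN_SIGNATURES = {
    "transfer(address,uint256)": ("address", "uint256"),
    "approve(address,uint256)": ("address", "uint256"),
    "transferFrom(address,address,uint256)": ("address", "address", "uint256"),
}
SELECTORS = {selector(sig): (sig, types) for sig, types in KNOWN_SIGNATURES.items()}


def _decode_word(word: bytes, typ: str):
    if typ == "address":
        if any(word[:12]):                       # ABI left-pads addresses with 12 zero bytes
            raise ValueError("address word has non-zero padding")
        return "0x" + word[12:].hex()
    if typ == "uint256":
        return int.from_bytes(word, "big")
    raise ValueError(f"unsupported type {typ}")  # static types only in this example


def parse_calldata(calldata: bytes) -> dict:
    """Decode using local knowledge only; report verified=False with a reason
    rather than guess when the selector or layout is not recognised."""
    if len(calldata) < 4:
        return {"verified": False, "reason": "shorter than a selector"}
    sel, body = bytes(calldata[:4]), bytes(calldata[4:])
    if sel not in SELECTORS:
        return {"verified": False, "selector": sel.hex(), "reason": "unknown selector"}
    sig, types = SELECTORS[sel]
    if len(body) != 32 * len(types):
        return {"verified": False, "selector": sel.hex(), "signature": sig,
                "reason": "argument length mismatch"}
    args = [_decode_word(body[32 * i:32 * i + 32], t) for i, t in enumerate(types)]
    return {"verified": True, "selector": sel.hex(), "signature": sig, "args": args}


def encode_call(signature: str, args) -> bytes:
    """Tiny static-type encoder, only used to build the sample transaction."""
    words = []
    for typ, val in zip(KNOWN_SIGNATURES[signature], args):
        words.append(bytes.fromhex(val[2:]).rjust(32, b"\x00") if typ == "address"
                     else int(val).to_bytes(32, "big"))
    return selector(signature) + b"".join(words)


# Constructed scenario: the dApp says "send 1 token to a friend", the bytes say
# "approve an unknown spender for the maximum amount".
SPENDER = "0x" + "ee" * 20
CALLDATA = encode_call("approve(address,uint256)", [SPENDER, 2**256 - 1])

if __name__ == "__main__":
    print(parse_calldata(CALLDATA))
```

What the screen shows is the decoded signature and arguments from the bytes that will actually be signed, which is the only thing a hardware wallet can vouch for; a dApp that wants its ABI trusted can publish its signatures to the directory like everyone else.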

Although I adore KeystoneWallet, gridplus and their security-focused mindset, we might want something more… intense! Please add otterscan, tryethernal and walletlabels to your system design!

Invest in advanced hardware security measures to safeguard against physical tampering and ensure the integrity of hardware wallets! We also need to integrate privacy-centric features and the ability to change RPC providers (for example zmok_io or SecureRPC) in order to protect user data and ensure confidentiality for all wallet users.

https://github.com/muellerberndt/rektosaurus

Let’s go back to our main topic now. The following essential features are, in my opinion, something wallet providers should, or at least could, implement: highlighting an address, previewing the first and last six characters of it, and implementing a Secure Enclave:

Finally, we MUST be able to quickly and simply set up a gas burner bot that is, say, password- or 2FA-protected. With all that said, prioritise seamless and intuitive user interfaces for both cold and hot wallets. Users should feel confident and comfortable when navigating their wallets!

The ability to configure appropriate notifications is especially crucial here; I really appreciate how TrustWallet, Rabby_io and MetaMask handle this. AMLBotHQ and TenderlyApp also offer a really good answer for it! Make sure to read my own posts as well, as I went into great detail on this subject there:

Check out this fantastic guide written by PatrickAlphaC using data from my own research and trailofbits.

Now, in conclusion: I hope that 2024 will bring even more do-it-yourself options like gamewallet.gg and AirGap_it! I have addressed every query in my previous posts; in this piece I have simply provided a general overview of my thoughts.

Don’t forget to check out these fantastic resources:

Let’s collaboratively work towards a future where cryptocurrency wallets set the standard for security, privacy, and user experience! Together, we can shape the future of digital asset management!

Stay safe!