1. Home
  2. Seed Phrases

Seed Phrases

Users are going to decide if they can still trust Ledger with their wallet keys

Ledger’s decision to introduce a third party to your wallet seed phrase created an exploit that could appeal to both governments and hackers.

Self-custody is important in crypto, and security is essential to self-custody. Ledger, a notable hardware wallet manufacturer, has built its reputation on the secure storage of users’ private keys. Hardware wallets create a secure offline environment for storing keys and using keys to execute transactions.

The user’s private keys are generated and stored within the device and are supposed to never leave it. This “cold storage” provides an unrivaled level of security compared with “hot wallets” or online wallets. The problem is that lots of people lose their keys.

Ledger rolled out a seed phrase backup product this week called Ledger Recover. If you give the company your ID and personal information, you can pay for a service that takes your seed phrase within your device, encrypts it into three “shards” and then shares them with various custodians.

Introducing a third party inherently centralizes control, creating a single point of failure that could be exploited by hackers or be subject to regulatory actions.

Related: Throw your Bored Apes in the trash

I don’t begrudge Ledger its effort to grow as a business to reach non-OG and non-cypherpunk-ethos users. Millions of normies, like our skeptical baby boomer in-laws, will only ever be onboarded to crypto through this type of custodial backup approach. Its mistake may have been in trying to use the same product to appeal to both crypto self-custody OGs and the broader future customer normies.

Ledger’s rollout of its backup product met with some strong reactions among its community of customers. Many were surprised to learn that Ledger has always had the capacity to touch your secret key with its hardware updates. Many of us view our hardware devices as sacrosanct. I clearly wasn’t knowledgeable enough about this device that I trust to protect my crypto assets.

Haseeb Qureshi chimed in that while he also reacted negatively at first, he realized that this was always true about Ledger. We’ve always trusted it not to insert malware in its firmware updates to steal our seed phrases. He’s not wrong, but I wouldn’t say that’s a comforting thought.

In the end, nothing bad can happen on your hardware device unless you sign a transaction. You retain the power. I don’t know about you, but I’m not a coder — I can’t tell a malicious update from a legitimate one, so I’m trusting Ledger on that too. And I don’t exactly have the option not to approve the latest firmware update that includes Ledger Recover capability, as Ledger warns that failure to update your firmware is a security risk.

I do trust Ledger — it’s a great company. It has been the linchpin in the technology stack for crypto self-custody, at least in my own crypto journey.

But the goal of a crypto self-custody tool should be to minimize trust requirements. And that could be improved at Ledger through open-sourcing more of its software and hardware. Ledger’s chief technology officer was asked about this on May 17’s Bankless podcast and responded that Ledger has signed nondisclosure agreements that preclude it from doing so and argued that people are unlikely to crowdsource security audits anyway.

I’ll bet security researchers like Andrew Miller, who uncovered vulnerabilities in the Secret Network, would take up that task.

While Ledger’s communications regarding the rollout have been a disaster, its crisis communications have been enlightening. I have certainly realized I had an insufficient understanding of how hardware wallets work. But “Sorry, we can’t open-source anything because of NDAs” is an insufficient answer to those in the community who have concerns that Ledger Recover could be used by a malicious actor to trick users with a fake update and steal their seed phrase.

Ledger could also give me the option to continue to update my firmware without adding the Ledger Recover code to my device. But in the absence of open-sourcing its firmware, it won’t do much, as we won’t have any way to verify its claims.

This could be a branding win if Ledger pivoted to roll out a “cypherpunk”-branded dimension to its hardware and software that appeases the OG crypto community such that they might be willing to opt into it, and lets existing hardware owners opt into it for their previously purchased hardware such that new updates are cypherpunk-branded and -approved, as open source as possible, with crowdsourced security audits — the whole package. All would be forgiven.

For now, it doesn’t seem Ledger plans to do that. So, the options are to use open-source hardware wallets, but those do not have Ledger’s wide-ranging interoperability with emerging blockchains. Or you could build your own, or just use the new refurbished Gameboy open source hardware wallet.

For now, and for many coins, the safest option is probably to trust Ledger while staying open to competing developers of open-source hardware wallets.

J.W. Verret is an associate professor at George Mason University's Antonin Scalia Law School. He is a practicing crypto forensic accountant and also practices securities law at Lawrence Law LLC. He is a member of the Financial Accounting Standards Board’s Advisory Council and a former member of the SEC Investor Advisory Committee. He also leads the Crypto Freedom Lab, a think tank fighting for policy change to preserve freedom and privacy for crypto developers and users.

This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Bitcoin Runes loses all momentum by 2024 end

Ledger Faces Backlash for Controversial Backup Tool as Crypto Community Expresses Discontent

Ledger Faces Backlash for Controversial Backup Tool as Crypto Community Expresses DiscontentHardware wallet maker Ledger is facing significant backlash for its recent introduction of a tool enabling users to back up their seed phrases through the transmission of encrypted key fragments to third-party firms. The crypto community has not embraced this new feature, with numerous digital currency users venting their frustration on social media platforms. Ledger’s […]

Bitcoin Runes loses all momentum by 2024 end

Hackers Are Cloning Web3 Wallets Like Metamask and Coinbase Wallet to Steal Crypto

Hackers Are Cloning Web3 Wallets Like Metamask and Coinbase Wallet to Steal CryptoConfiant, an advertising security agency, has found a cluster of malicious activity involving distributed wallet apps, allowing hackers to steal private seeds and acquire the funds of users via backdoored imposter wallets. The apps are distributed via cloning of legitimate sites, giving the appearance that the user is downloading an original app. Malicious Cluster Targets […]

Bitcoin Runes loses all momentum by 2024 end

Solana integrates Web3Auth to lower DApp barrier-to-entry

Web3Auth's technological infrastructure has already been implemented by the likes of Binance Chain, Ubisoft and Rarible across an array of Web3 projects.

Solana Labs and Web3Auth have announced a collaborative digital wallet initiative designed to eliminate the prerequisites for seed phrases in cryptocurrency interaction, and in turn, streamline a presently tedious and complex process to drive consumer adoption in the Web3 sphere.

The Solana Torus Wallet is a non-custodial product that enables users to access all decentralized applications (DApps) and associated wallets within the Solana ecosystem.

Upon creation of a cryptocurrency wallet, a user has required the record and remember a seed phrase; a random computer-generated list of words, typically twelve to twenty-four, which acts as the wallet holders master key to their asset safe. 

Web3Auth’s cryptographical infrastructure enables users to interact and log in via a multi-factor authentication approach, whether this is through a personally created backup code, via Apple’s inbuilt touch identification mechanism, or through traditional networking platforms such as Google, Facebook, Twitter and Discord.

The primary purpose of this technology is to construct a simplified, easy-to-interact user interface by integrating accounts, profiles and platforms that consumers are already vastly familiar with.

This zero seed phrase technology has already been adopted by more than 500 DApps, as well as implemented into a number of leading Web3-orientated platforms and initiatives, such as Binance Chain, gaming giant Ubisoft’s nonfungible token launch and NFT marketplace Rarible, among others.

Related: Dormant Bitcoin wallet holding 321 BTC activated after eight years

Cointelegraph spoke exclusively to the Co-Founder and CEO of Web3Auth, Zhen Yu Yong, to discover more about the industry's concerns of seed phrases, and specifically their vulnerability in securing digital assets.

"Seed phrases are far from ideal. They’re a one-size-fits-all solution to a far more complex process, deceptively easy to steal or misplace, and they hinge on a single point of failure.”

Just last month, Web3Auth raised $13 million in an eighteen-investor Series A funding round led by Sequoia Capital India, with additional participation from FTX, Bitcoin.com, DARMA Capital, among others. Following the round, the team pledged to enhance the efficiency and security of the service, in addition to pursuing decentralization of the Torus Network.

Bitcoin Runes loses all momentum by 2024 end