Trust issues of open and closed source light wallets for Bitcoin
Currently there are around 250,000 confirmed bitcoin transactions per day, but only 9,200 full bitcoin nodes (nodes are interconnected servers that store Bitcoin’s blockchain), which could mean that Bitcoin users are averaging 27 transactions per day. This could also mean that there are a lot of users connecting to the network via an external node, i.e. a node that runs on someone else’s computer. Trust us, it’s the latter. The main reason is that running a full node for the Bitcoin network requires you to download a 100GB database (the blockchain) and to keep the node running in order to validate transactions, which uses a fair amount of your computing power.
If you’re a casual Bitcoin user, you are connecting to an external node in one way or another. Unfortunately, the original Bitcoin or ‘core’ wallet has its user interface integrated with its node functionality, meaning that you can’t connect it to an external node. For this reason, ‘third party’ or ‘light’ wallets have become increasingly popular.
We will limit the focus of this article to security issues regarding third party Bitcoin wallets, as security in Bitcoin is a massive topic that would exceed the scope of any normal sized article.
Closed source wallets
The most popular closed source wallets are Exodus and Jaxx*. Both of them are multi-token wallets, which means that they will hold several different cryptocurrencies. In addition, these wallets connect you to external blockchains, which means you do not need the database for each cryptocurrency that you are using.
For the casual cryptocurrency user, a wallet such as Exodus seems ideal: a single program of around 60MB to manage all your coins. This convenience, however, comes at a cost in the form of trust – a huge amount of trust.
When you create a wallet with any bitcoin software, the program generates a pair of keys. One key (a hashed version of it, to be technically accurate) you can share with others so that they can pay you – this is known as your address. The other key is known as the “private key” and it is required by your wallet to spend any funds that belong to your Bitcoin address.
When using a closed source wallet, there is no guarantee that, after you generate a private key or import an existing one, that key will not somehow be forwarded over the internet (known as “phoning home”). Exodus gave an honest response on Twitter that did not downplay the seriousness of the issue when confronted about the nature of their source code.
Exodus and Jaxx are both maintained by companies that would serve jail time as a result of stealing from their users – a strong disincentive. However, one would have to prove in court that the developers were cheating, which might prove difficult, as reverse engineering binaries from closed source projects is hard (especially when binary code protection is used). You could also ask yourself the question: does someone’s prison sentence make up for your lost coins?
Open source wallets
It is important from a security point of view that cryptocurrency wallets are open sourced and that the project is maintained on a repository (e.g. Github) that records and tracks changes. This is so that anyone can check whether malicious code has ever been rolled out in a software release.
However, even if you audit a wallet’s source code and compile it yourself instead of trusting a developer’s pre-compiled version of the wallet, there are still some serious privacy concerns to be aware of. This is due to the fact that your light wallet will most likely connect you to random nodes that you can’t necessarily trust.
Quoting wumpus, a regular on the bitcoin channel of Freenode (an IRC chat server): “it’s best to connect to a node run by yourself, or someone you trust. Lacking that, you might expose privacy-sensitive information to the node, such as what addresses are part of your wallet and where you go (by IP). They could also withhold transactions from you. They cannot steal your funds, though.”
Below is a screenshot of the Electrum (a popular open source Bitcoin wallet) network selection window. Users have the choice to select a Bitcoin node they trust, or have Electrum rotate between several random Bitcoin nodes – the best choice if you don’t have a trusted node as you are spreading your activity. Auto rotating nodes is a default setting in Electrum.
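The limits wumpus describes can be seen in the inclusion check a light wallet is able to run on a node's answers: recomputing a Merkle branch against the Merkle root of a block header. This is an added example, not code from Electrum or from this article; it goes beyond the text by assuming the wallet already holds a header it trusts, and `server_reply`, `wallet_accepts` and the five txids are constructed for illustration.

```python
import hashlib

def dsha256(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def build_tree(txids):
    """Return every level of the Merkle tree, leaves first."""
    levels = [list(txids)]
    while len(levels[-1]) > 1:
        cur = list(levels[-1])
        if len(cur) % 2:            # odd count: the last hash is paired with itself
            cur.append(cur[-1])
        levels.append([dsha256(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def make_branch(levels, index):
    """Node side: sibling hashes from the leaf up to (not including) the root."""
    branch = []
    for level in levels[:-1]:
        sibling = index ^ 1
        branch.append(level[sibling] if sibling < len(level) else level[index])
        index >>= 1
    return branch

def verify_inclusion(txid, index, branch, merkle_root):
    """Wallet side: recompute the root from the claimed txid and branch."""
    h = txid
    for sibling in branch:
        h = dsha256(sibling + h) if index & 1 else dsha256(h + sibling)
        index >>= 1
    return h == merkle_root

# Constructed sample block: five fake txids; the wallet owns positions 1 and 4.
TXIDS = [dsha256(b"constructed tx %d" % i) for i in range(5)]
LEVELS = build_tree(TXIDS)
ROOT = LEVELS[-1][0]    # assumption: taken from a block header the wallet trusts
MINE = [1, 4]

def server_reply(withhold=()):
    """Hypothetical node reply: (txid, position, branch) per wallet transaction."""
    return [(TXIDS[i], i, make_branch(LEVELS, i)) for i in MINE if i not in withhold]

def wallet_accepts(reply):
    """Positions the wallet accepts after checking every proof against ROOT."""
    return [pos for txid, pos, branch in reply
            if verify_inclusion(txid, pos, branch, ROOT)]
```

A reply carrying an invented txid is rejected, while `server_reply(withhold=(4,))` passes every check and simply leaves the wallet unaware of transaction 4, which is the withholding risk in the quote.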
If you are concerned about the safety of your funds, we recommend using an open source wallet, ideally one that is commonly used. The reason for this is simply that more people are looking over the source code and will likely report anything suspicious. If, however, you are paranoid about security in Bitcoin or any other cryptocurrency for that matter, we recommend staying away from light wallets and running your own node.
Jaxx*: Jaxx does publish part of its source code, but you need the entire source code to compile the program yourself and verify what it is doing.