Navigating Web3 Wallets: Enabling a Secure User Experience

With our mission to support the development of usable technology solutions that advance digital security and preserve privacy as a fundamental human right, we see wallets as fundamental to empowering users, and our security auditing efforts as essential to enabling the effective use of wallets.

Wallet developers must implement robust security measures to protect users' private keys and any other information that would allow access to the digital assets stored within the wallet. Common security issues include the use of outdated cryptography, weak encryption, insufficient password constraints, lack of input validation, and clipboard vulnerabilities. To detect these issues, security best practices include security-by-design, internal security reviews, and the use of external independent security auditing firms, like Least Authority.

In 2019, we began performing security audits of wallets. Since then, we’ve been able to publish a number of these reviews. The following is a list of some of the wallet audits we’ve performed over the years and includes links to the published reports: 

Since before Bitcoin, capability-based security has been a cornerstone of distributed systems, decentralizing control in order to implement the principle of least privilege. Least Authority has been a key contributor to Tahoe-LAFS, a secure, decentralized, fault-tolerant, distributed data store and distributed file system, since its inception as free and open source software in 2007. Through our product development efforts on Gridsync – an application that helps users interact with Tahoe-LAFS and is used by PrivateStorage – we have strived to implement security-by-design along with human-centered design. Like wallet developers, we have direct experience with the challenges of making user-friendly interactions with capability-based security systems.

Since Bitcoin, self-custody of the private key – the secret value that controls transactions – has been paramount in differentiating cryptocurrency, blockchain, and Web3 from traditional systems with centralized authorities. The use of digital wallets as user-facing software interfaces has enabled many consumers to ensure they are in direct control of their digital assets in a more user-friendly way. A non-custodial wallet is the term often used to describe a wallet that facilitates self-custody of the private key, giving users a convenient way to manage their private keys and the transactions made with them. However, such wallets do require users to depend on the security of the wallet software rather than on a centralized authority.

As an alternative to self-custody of private keys in wallets, custodial wallets have been developed by third parties to provide such services for users. In this case, the funds are held in accounts with the private key managed by an institution, offering convenience but transferring the security risks to the institution and requiring users to trust that the institution will always act in their best interest.

In terms of wallet design, there are variations in how the wallet functions, regardless of which party controls the private key (whether on their own behalf or for another party). A hot wallet has readily accessible private keys, often stored on a device (e.g., a mobile application wallet). Web wallets and browser extension wallets, like MetaMask, operate within web browsers and are designed for interacting with dApps. Mobile wallets are for smartphone operating systems, while desktop wallets run on computer operating systems. In contrast, a cold wallet stores private keys physically offline – thus limiting access to the private keys – and is usually a hardware wallet, like the Ledger wallet, which uses encrypted storage on a USB device.

As wallets expand their features and offer additional approaches, including delegated custody and the use of multi-party computation to facilitate approval workflows with multiple users, it is becoming increasingly important for users to understand what type of wallet they are using, so that they have appropriate expectations with regard to the wallet behaving as intended. The most secure option is combining self-custody with a cold wallet, ensuring that only the user has access to the private keys and that they remain offline until needed. However, this approach is too limiting for many use cases as digital assets become more ubiquitous.

MetaMask, a browser extension wallet, has implemented capability-based security in its recent Snaps integration using Agoric's Secure ECMAScript (SES). Snaps provides a mechanism for developers to safely extend the functionality of the MetaMask wallet and for a user to grant dApps permissions to execute actions in the wallet. SES creates a secure subset of JavaScript for object capabilities, such that even untrusted JavaScript programs can execute in the same environment safely. For more insight into our team's experience on this topic, check out our recent blog post, "Secure Development of MetaMask Snaps."
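As an added illustration of the object-capability principle described above (this is not SES, MetaMask or Snaps code, and it uses only plain JavaScript with `Object.freeze` rather than SES's hardened environment): the wallet host hands untrusted plugin code a narrow, frozen facet of the wallet instead of the wallet object or its key material. The wallet, the `grantSignOnly` facet and the simulated plugin are all constructed for the example.

```javascript
// Added illustration of object-capability attenuation in plain JavaScript.
// Not SES/MetaMask code: SES additionally freezes all JavaScript intrinsics and
// runs guest code in its own compartment; Object.freeze on the facet shows the idea.
// Constructed wallet: `secretKey` is a placeholder, never real key material.
function makeWallet(secretKey) {
  const state = { secretKey, balance: 100, log: [] };
  // Full-power object. Only the wallet host ever holds this reference.
  const wallet = {
    sign(message) {
      state.log.push(`sign:${message}`);
      return `sig(${message})`; // placeholder for a real signature over `message`
    },
    send(to, amount) {
      if (amount > state.balance) throw new Error('insufficient funds');
      state.balance -= amount;
      state.log.push(`send:${to}:${amount}`);
      return state.balance;
    },
    getBalance() { return state.balance; },
    getLog() { return state.log.slice(); },
  };

  // Attenuated facet granted to a plugin: it may only request signatures over
  // messages carrying the prefix of its grant. Freezing prevents the grantee
  // from adding, replacing or deleting methods on the object it was handed.
  function grantSignOnly(prefix) {
    return Object.freeze({
      sign(message) {
        if (!message.startsWith(prefix)) throw new Error('message outside granted scope');
        return wallet.sign(message);
      },
    });
  }
  return { wallet, grantSignOnly };
}

// Simulated untrusted plugin: everything it can reach is what it was handed.
// Returns the in-scope result and the error type of each out-of-scope attempt.
function runUntrustedPlugin(signer) {
  const results = { signed: signer.sign('dapp-A:hello'), denied: [] };
  const attempts = [
    () => signer.sign('dapp-B:hello'),                // message outside the grant: Error
    () => signer.send('other-account', 50),           // capability never granted: TypeError
    () => { 'use strict'; signer.sign = () => 'x'; }, // frozen facet: TypeError in strict mode
  ];
  for (const attempt of attempts) {
    try { attempt(); results.denied.push('not denied'); }
    catch (e) { results.denied.push(e.constructor.name); }
  }
  return results;
}
```

The host keeps the full `wallet` reference and can still call `send`; the plugin's only route to the wallet is the single method it was granted, and the wallet's log records exactly what the plugin did.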

Regardless of the type of wallet, wallet developers should be transparent about the security measures they have implemented, including undergoing security audits to mitigate potential risks. Beyond the code, the terms of service, risks of use, and privacy policy need to be transparent. Wallet providers should consider building a comprehensive knowledge base, or otherwise facilitating means for their customers to educate themselves on best practices for safeguarding their credentials, keys, and data.

We encourage all of our clients to publish audit reports. This contributes to the overall understanding of security risks, leading to a more globally secure digital environment. In addition to auditing, we offer support to wallet developers by advising them on risk management and issue disclosures.

If you’d like to work with us or learn more about wallet security or how to utilize capability-based security solutions, reach out to us at consulting@leastauthority.com or schedule a call.
