Exploring the tech behind crypto one block at a time
Hi, Bradley Keoun here, editor of The Protocol. In today’s issue, our Sam Kessler has an analysis of what was likely the biggest imbroglio in crypto over the past week – the admission by hardware wallet maker Ledger that the devices might not be as isolated as many users previously assumed. Also, we have exclusive details from the “Zuzalu” two-month gathering in Montenegro of crypto elites, including Ethereum co-founder Vitalik Buterin. (Cold plunges, anyone?) We also detail one security firm’s claim to have physically hacked the Trezor T wallet and highlight the race for dominance in the growing field of “smart accounts.”
Ledger PR Gaffe Shows Importance of Managing Expectations
Blockchain industry executives often say they idealize “decentralization,” “self-sovereignty” and “trustlessness” – espousing a vision for a future internet and financial ecosystem free of rent-seeking intermediaries and unreliable middlemen. But time and time again, major blockchain companies and projects come up short – with users surprised and angry to realize that they unknowingly placed their trust in shoddy code, centralized entities or security-challenged hardware.
The latest example comes from Ledger, the Paris-based crypto hardware wallet company, which, following a public-relations firestorm last week, announced Tuesday that it would delay plans to release a controversial new wallet-recovery feature called Ledger Recover. When it revealed the proposed feature last week, Ledger inadvertently drew attention to the fact that the company could theoretically move wallet seed phrases off-device via user-approved firmware upgrades. Previously, the company left some users with the impression that its devices were engineered to avoid this specific scenario.
Screen grab from video purporting to show a user smashing a hardware wallet with a hammer and then setting it ablaze with a blowtorch. (@oklahodl1/Twitter)
Once the potential “backdoor” was revealed, outrage flooded Crypto Twitter, with posters panning Ledger for being out of touch with its own customer base – ostensibly self-sovereign types who want nothing but to be entirely in control of their own crypto. Ledger vehemently denied allegations that its capabilities amounted to a “backdoor.”
But the company’s initial response to the outrage – pointing out (in a now-deleted tweet) that users were always trusting Ledger not to extract user keys – only served to fuel the furor: One widely circulated video appeared to show a user smashing a Ledger device with a hammer and then blowtorching it into flames.
In a letter posted to Twitter on Tuesday, Ledger CEO Pascal Gauthier apologized to customers, promised to open-source “as much of the Ledger operating system as possible,” and said he’d delay the release of Ledger Recover.
Delay or no, Ledger’s theoretical ability to move user keys via future software upgrades remains intact – mainly as a by-product of technical constraints with how Ledger and similar wallets are engineered. The fiasco served as a valuable crash course on the limitations of hardware wallets, generally considered the most secure way to hold crypto. It was also a reminder that the current state of crypto technology doesn’t always match up with the industry’s ideals – and a lesson on the importance of carefully managing expectations.
Discussion circle at Zuzalu, with Ethereum co-founder Vitalik Buterin on the turquoise beanbag chair, listening to Asymmetry Finance's Hannah Hamilton. (Hannah Hamilton)
Zuzalu is the crypto-friendly “pop-up city” in Montenegro that you probably weren’t invited to. But roughly 200 people, most notably Ethereum blockchain co-founder Vitalik Buterin, have spent the past couple months co-working in the marina town of Lustica Bay, staying in a five-star hotel, Airbnb or even onboard a catamaran – while taking in occasional discussions of zero-knowledge cryptography and longevity in a hemispherical structure known as the Dome filled with beanbag chairs. Daily rituals include taking “cold plunges” in the Adriatic Sea, and for some, measuring postprandial glucose levels. How people got invited, or who had the original idea to bug off for two months to the Balkans, remains a bit of a mystery, but our Margaux Nijkerk has a lot of details on the elite gathering, in case your Twitter feed isn’t already saturated with the images of attendees taking selfies with Buterin.
Crypto recovery specialist claims it can physically hack into Trezor T wallet. In yet another reminder of the fact that complete security remains elusive in crypto, the firm Unciphered provided a demonstration for CoinDesk of how, if it has physical possession of the crypto wallet, a sophisticated hack is possible. It’s pretty technical, but the team documented the efforts in a video while declining to disclose details of its methods. A Trezor representative told CoinDesk that its team didn’t have enough details about the specific attack Unciphered performed to respond fully, but noted that it looked like a type of attack that the company had previously flagged as a risk, and said it was working on a fix. Commenting on the fact that this attack vector only works if the wallet is in the physical possession of the attacker, Nick Federoff, head of marketing at Unciphered, said that “the threat can often be coming from inside the house.”
Here we highlight some of the latest blockchain tech upgrades:
Strike, Bitcoin-focused payments firm, is expanding app to more than 65 countries from the current base of the U.S. and El Salvador.
Mangrove, decentralized exchange, launches on Polygon testnet.
Shibarium, layer 2 network set to join ever-growing fray of Ethereum-based blockchains, crosses 10M transactions on test network ahead of planned mainnet launch later this year.
Solana Labs has created an open-source reference implementation for a ChatGPT plugin; once plugins are available, users will be able to check wallet balances, transfer tokens and purchase NFTs directly from the AI tool.
Osmosis, Axelar, Akash fund “mesh security” model for Cosmos ecosystem, according to The Block.
Sort, Web3 app development platform, raises $3.5M in seed funding. (Lemniscap, The General Partnership)
FastLane Labs, maximal extractable value protocol for Polygon, raises $2.3M seed funding. (Multicoin Capital, Polygon Ventures, Shima Capital, Delphi Ventures and Everstake Ventures, a41 Ventures and Symbolic Capital)
Num Finance, DeFi protocol, raises $1.5M, plans to expand stablecoin offerings in Latin America and Middle East. (Reserve, H20 Scouter Fund, Ripio Ventures, VC3 DAO)
There’s been a surge in development of so-called smart-contract wallets after the deployment earlier this year on Ethereum of a new feature known as “account abstraction.” Now, blockchain analysts are attempting to map out the taxonomy of the burgeoning crypto sub-sector. In a report last week, the Messari analyst Seth Bloomberg noted that some aspects of the work have “caught the attention of both crypto-native projects as well as traditional finance incumbents such as Visa.” According to the report, the current leader in the fast-growing space is the wallet maker Safe, spun out from Gnosis in 2022.
Source: Messari.