The Future of Crypto Starts with Security | Own Your Crypto: Episode 1
In this episode, we take a look at security in the Stacks ecosystem, tips for how to keep your crypto safe, future improvements and integrations, and more!
Elizabeth (host): In 2021 alone, an analysis showed users lost 14 billion to crypto scams with 72% coming through decentralized finance protocols. Through the first quarter of this year, the federal trade commission reported over 329 million stolen in crypto. And most recently, just in the last few days of this month, we've seen headlines of various attacks, including the Solana Slope wallet, and most recently Nomad bridge lost a devastating $190 million due to security exploits.
Clearly, there's a lot of concern in the crypto community about security, and questions are being understandably raised around what steps are being taken to protect users.
Joining us today to address this important topic, we're thrilled to bring in the experts:
- Louise from Ryder, the world's first social wallet
- Chris and Dave from Multi Safe, a leading multisig management platform
- Mark, Farra, and Karen from Hiro, the original stack wallet
- Ken Liao from Xverse
Q: As the original wallet in the Stacks ecosystem, have you seen any major attacks or ongoing scams circulating in the ecosystem over the years, or do you have any concerns about possible threats that could be happening in the future for our ecosystem?
Mark (Hiro): I think we've been lucky so far as an ecosystem. We haven't really suffered a wallet-based attack yet. We've had various vulnerabilities that we've had to patch in the past. Hiro wallet's been around for a year and a half now. Since the launch of Stacks 2.0, and even Stacks 1.0, a technology from before then, we've had a lot of time to iterate and harden the security of the wallet. In the various times, there have been vulnerabilities we've had to patch so we've disclosed them, but to my knowledge, we haven't any large, actual exploits of a wallet. We've been lucky. It could happen any time, of course. I think we see in other ecosystems that it does happen all the time, and so we have to be very vigilant, making sure we reduce the possibility of that happening.
Q: Can you break that down to us just to shed some light on the steps that Hiro takes to prevent attacks that we've been seeing around the ecosystems?
Mark (Hiro): From time to time, we use third-party extra and expert eyes on our code. They can do what's called penetration testing and essentially try to break into the wallet. We worked with Least Authority, for example, on that. We did that last year, and we’ll do it again before too long. We're building bitcoin functionality into the Hiro wallet quite soon, and that will be a great opportunity for us to make sure we have outside eyes on it.
We also make sure that we don't have features that could be more prone to hacking. There was a vulnerability disclosed with the NEAR wallet recently. There's a custodial feature in which a very similar leak took place as far as secret keys. We don't have a custodial feature in the Hiro wallet anymore. That's one area which could be particularly prone to these sorts of things. Also, with any kind of third-party analytics or log-in like century which is involved with the hack last week at Solana. We're very particular about how we integrate those things. We make sure that we, in general, do not collect or report any personal information in any way. Especially those services, we have sort of an inclusion-based policy and programmatic approach instead of an all-inclusive one which I believe is what got that wallet into trouble.
We're also considering upgrades to the Hiro wallet to essentially cordon off the secret key handling so that it's in a safer, separated part of the code base that would make any kind of leaks, either client side or server side, even less likely. Looking into creating a security enclave of sorts in software for the Hiro wallet, just to ensure that the key is handled in a very separate part of the code base than the rest to prevent theoretical ways in which key values could be leaked.
Last week, during the Solana attack, people were speculating about supply side attacks. That’s essentially a malicious dependency that could be used by the wallet code base inadvertently that could lead to the stealing of funds. We're looking into LavaMoat to protect our software base from that. Then, this is industry standard, but recently we added ledger support to the extension, and we've had it for the desktop wallet for a long time now. But hardware wallets essentially are the safest way to keep your keys and your funds, and so making sure that ledger support has been a priority for both of the form factors, both the extension and desktop, has been an important way for us to help secure funds.
Then finally, we don't have multisig support yet, but we are looking into that, perhaps for early next year, in Q1, a protocol level multisig and more of a contract level multi-safe, which I think we'll be hearing more about today. I think both of those are very exciting ways to further secure funds.
Q: Louise, can you tell us about why you decided to create Ryder and perhaps also just start with the basics of helping our listeners understand the advantages of a hardware wallet?
Louise (Ryder): My name is Louise and I'm the co-founder of Ryder. In a nutshell, we have a big thesis when it comes to the evolution of the wallet. For wallets, the prime examples are Hiro, MetaMask, and Phantom for Solana, and the next one is we also have a hardware wallet, such as Ledger. For Ryder, we're pioneering a new kind of wallet, what we call ‘social wallet’, wherein we bring real-life interactions to crypto.
Hardware wallets are essential because, by the end of the day, you don't want your private master keys connected to a device that's on the internet or your mobile phone, because if you have your master keys there, or even just your crypto, the attack factor is very large. You want a separate device off the chain that's offline. That's why you have cold storage such as Trezor, Ledger, and Ryder.
Q: Is there anything coming up in the next year that excites you regarding the future of Ryder and security?
Louise (Ryder): For us at Ryder, we try to opt for simplicity because, in order to have the highest security, the design should be simple at its core. The same with Bitcoin. You can see the architecture is quite simple, that's why it's the most secure chain in the world. Same for Ryder, we opted out WiFi and Bluetooth. There's not even a port for your Ryder. It's just like wireless charging NFC, secure enclave, and just like an LED display for your NFT. That's pretty much it.
By combining all those technologies, you have high security. We basically just embed your on-chain identity with what we call near-field communication. By combining both techs, you're able to bring on-chain assets within the physical space. That thing is special because it unlocks a lot of social features that we can implement with Ryder. That's what I'm excited about. But of course, I’m biased because I'm from Ryder.
Q: How would this make the wallet more secure? How does that tie in with the social aspect?
Louise (Ryder): You should just think of Ryder like an endpoint, such as Trezor and Ledger, but in a way, it's much more user-friendly, because right now, if you want to draw and send a transaction from these hardware wallets, it's quite cumbersome. You try to input a 6-pin 2FA on this tiny screen and press these two buttons to put numbers on it and then unlock it. My parents will never do it, even my friends of the same age won't do it. But what if there's a way where you can capitalize on the power of the single tap? Within a single tap, you're able to send a secure transaction. That's what we're trying to achieve with Ryder. I think it's going to be the future as well. You try to make everything seamless.
Elizabeth (host): Definitely. I think the more we discover ways to mitigate friction and make the user experience more seamless, especially when it comes to security, is going to be more and more impactful for the ecosystem in general, so thank you for sharing that.
Q: We have an exciting announcement today that we've begun to tease out coming up to this Twitter space. Chris, would you like to share the big news?
Chris (MultiSafe): The big news is that MultiSafe will be integrated into Xverse. There's been a team of us working on that. Tahla’s the lead dev. I want to say it was Ken and Alice and a bunch of people's collaboration on this over the past few weeks. But yes, this is coming.
Q: We also have David here from MultiSafe. Tell us about what is a multisig wallet and how this is going to be offering more security options to users.
David (MultiSafe): A multisig is a shared wallet. The analogy in the Ethereum world is Gnosis Safe rebranded to Safe recently. We've built that for Bitcoin Stacks so that naturally heightened security in order to deploy or spend funds from a wallet. Multiple signers need to sign off. That's MultiSafe which you can deploy today. We're actually rebranding it a little bit, updating the brand, and refining it, but you can go to app.multisafe.xyz to actually deploy your first Safe.
Q: Just to break it down a bit more. From my understanding, you can choose not only the number of users that have access to that wallet but also the number of users that would need to approve in order for a transaction to happen. Is that correct?
Chris (MultiSafe): That's correct. That's really the essence of it. It adds that really important layer of security in order to spend the funds from a MultiSafe wallet. The natural use case is you would have at least two signers, and you could add more signers as well.
Q: Can you let us know a bit more about what kind of impact this will have on communities and enterprises that need to be able to use shared funds?
Chris (MultiSafe): The big influence for us is the Gnosis Safe in the Ethereum ecosystem, which has just been such a flywheel of innovation over there. It's this really small thing. the ability to share and have multiple owners of assets. It's a small idea, but it's a really important first Lego block in order to build a lot of other ideas. We really hope that MultiSafe, as this open-source project that anyone can start using now as David said, is this first building block toward whether you're working with your ALEX token, or Stacks, or NFTs from Gamma, or you're thinking about Bitcoin funding or governance. All of this at the base can be this secure multiple owner. Really, it’s a smart contract that you're deploying. You own it. Every bit of it is just open-source and on the blockchain. It's a really composable part that can be a great building block for future projects on Stacks.
I don't know if it got mentioned yet but I got booted. We'll pretty soon have native Bitcoin integration with Magic likely around October. It's already in the smart contract. It has been audited and it passed the audit and everything, but we'll have the UI rebranding, so you'll be able to send native Bitcoin straight to the MultiSafe, and then have that custody with multiple wallets, which really doesn't even exist in a great UI right now. There are a lot of things out there like Electrum, which is okay of an experience. There's Casa, [unintelligible 12:47], and stuff. I think having this really composable piece that can now accept Bitcoin, swap that into Zest or ALEX or all these different tokens, and use it for DeFi and different projects, is just like a world of possibility.
Q: I imagine this would also open up so many more use cases for companies’ payroll.
Chris (MultiSafe): A hundred percent, yes. Actually, it was Grace from Crash Box's original idea, where she wanted to pay people for our work. She had a problem doing it out of her own Hiro wallet, and really just needed a way. We're talking about security. She didn't want to bear, not only being the sole person to have custody of the funds which were the community's funds but also executing those transactions on behalf of creating the leap from Crash Box, as just a community and bringing it to the DAO level.
Credits to Grace. We chatted with probably about 40 different people on the Stacks ecosystem about this. She said, “Payroll is a problem for me.” So that's funny you mentioned it because that's definitely a great use case that Grace is already starting to get off the ground with MultiSafe.
Q: Is there something in particular that you're really excited about partnering with Xverse for this?
Chris (MultiSafe): Yes. It's a smart contract, and we have one user interface for it, but just integrating it more naturally into the flow of how people use these apps. Some of the best technologies are the invisible ones that you don't have to think about so much. If you're in your Xverse wallet, and you have to approve a transaction, it's nice to just have it all in one place. You don't want to have to go to all these different sites for every single thing. That's why we made it its own kind of composable piece because we were hoping for that kind of integration to bring it to where people are. We're big believers that just making it easy for people on the UI which is a lot of what Xverse is doing for us, is great.
On the back end, we have the power of trust machines really supporting the security of it with bug bounties and multiple audits that we've already passed. We have others coming up. I think the security plus the UI is really what we need, and so thanks to Xverse for helping us get that next step forward.
Elizabeth (Host): Absolutely, and I think this is probably particularly exciting that people will be able to do all of this on the go as a mobile wallet.
Q: Ken, as the leading mobile wallet in the ecosystem which can be often criticized as being more vulnerable to attacks, what engineering practices are in place to keep our users safe?
Ken (Xverse): I'm very excited to have MultiSafe integration in the works with Xverse. As Chris said, one of the problems with multisig wallets is that, at least in the Bitcoin space, there haven't been any really good wallets that offer multisig with a good user experience. If you actually try to set up one, it will be very difficult unless you really know what you're doing. With this step, we are making multisig wallets easy to create and use, especially with Xverse being on mobile first which offers a lot of the convenience features. For example, you could share a notification with another wallet owner really easily through a mobile app with push notifications and a bunch of other user interface improvements.
I’m super excited to have MultiSafe as one of our next features. And then to your question, it's actually not true that mobile wallets are any less secure than desktop wallets. With most modern smartphones, there are actually hardware security modules built into the phones which help secure the keys, so it prevents applications from being able to access the user's private key. That's one of the things that is an advantage of a mobile wallet.
Also just on the protocol level, Stacks has a really different transaction system compared to Ethereum where there is something called a post-condition that's attached to each transaction. These are essentially safety conditions in which you can specify whether or not any asset is moved in this transaction. If any asset is moved while it's not supposed to, this transaction will actually fail. This offers users some protection against potentially malicious, smart contracts, or just faulty smart contracts. I think those are the differences in which Stacks can be much more secure than some of the existing blockchains out there right now.
Q: In this case, a lot of the attacks that we were seeing in 2021 and even most recently, would you say that some of these would therefore not be possible on the Stacks blockchain?
Ken (Xverse): The recent attack on Nomad, what happened there is that in Ethereum, a wallet can give a smart contract or basically access to move user's funds after they grant permission, and you can actually give unlimited permission which means that the malicious smart contract can actually drain your entire wallet without you doing anything. That type of functionality actually does not even exist in Stacks. You can only grant permission on a per transaction basis to move assets. You can't just say, “I grant this smart contract the ability to move any asset in my account for an indefinite amount of time.” Specifically, that Nomad attack probably will not happen in Stacks.
Elizabeth (host): Wonderful. I think that's really ensuring for everyone listening today who has a wallet on Stacks, whether it's Xverse, Hiro, or Ryder. We know some of these attacks are not even possible on our blockchain and can be prevented. Especially, I think this is why in the first place we're looking to build on Bitcoin, which is the most decentralized and secure blockchain.
Q: I also wanted to ask, I guess this could be for Ken or for Mark, since both Hiro and Xverse are using Least Authority, how did you go about deciding which auditing service to use?
Ken (Xverse): I think there's nothing particular about Least Authority, but they are really experienced and experts in the field. To really have great security, you want to have multiple security audits done by multiple firms that the resources allow. I've worked with Lease Authority for many years, and I think their work is great. Xverse also had a security audit done with Lease Authority, and we want to continue using them in the future, but we would also be looking at other firms as well.
Mark (Hiro): Yes. I’ll just add to that. I think Lease Authority, in our experience, has been very thorough and detailed with their audits. We've worked with several providers in the past, and CertiK, for example, was another one of them. We also see the value of having a diversity of different companies, but we've used the work of Least Authority, I think twice with the Hiro wallet because we've been very impressed with their attentiveness.
Q: Wonderful. Ken, I want to pass the mic back to you. Just curious to know, if there are plans for Xverse to offer custodial options for users in the future, for example, in the case of a secret recovery phrase going missing. I don't know about you all, but I remember being quite shocked joining the crypto community, amidst all the cutting-edge tech we have, that you're actually required, or it's encouraged to write down a secret phrase, something so important, on a piece of paper, which feels almost a bit medieval. Just curious, what are your recommendations around secret recovery phrases, and do we plan to offer some custodial options with Xverse in the future?
Mark (Hiro): I can take a stab at that if Ken's not here. From my point of view, we've done user testing around this and seen what kind of options users gravitate towards whether it's storing their keys on paper or in the Notes app on their phone, et cetera.
My general suggestion, and of course, each person's different in what they choose, but password managers like 1Password are actually pretty good go-to secure places to put your key and make sure that they're available later and you won't lose them. People might have concerns about password managers, but they're relatively safe.
Q: What are the things that you want to educate people about in relation to security? Nowadays, interacting with smart contracts is a very tough problem for users. I don't know if you have some tips you can recommend for how to read a post-condition.
Ken (Xverse): If you're using Stacks, you should take advantage of the post-conditions. Not every transaction will have post-conditions, but if the smart contract developer is good, they should have built it into their transactions. They're made to be relatively simple to read, so you can see if assets are supposed to be transferred or not, and you have a reasonable assurance that something unexpected is not going to happen after your transaction executes.
Mark (Hiro): I might just add that because it is relatively early days as far as all these different ecosystems, blockchains, wallets, et cetera. Maybe a tip would be, as you're trying different wallets and trying different ecosystems, to just generate new keys and new wallets. You're just experimenting. Of course, as you build trust, you can share keys between different wallets, but Slope wallet, for example, wouldn't have happened if users had just set up separate keys for either Slope or Phantom or whatever else they used on Solana.
Ken (Xverse): Definitely. You should separate your holdings in the hot wallet versus the cold wallet. If you're holding large amounts of crypto, definitely use a hardware wallet which is not constantly connected to the internet because any hot wallet like MetaMask, Xverse, or Hiro wallet is at a higher risk than something that is stored offline.
Chris (MultiSafe): That's all great advice. I'll just chime into it. Security's really important to me for MultiSafe, but Dave and I are also building console.xyz, a web3 chat. I'm really excited about this blog post next week specifically about the Discord hacks. We worked with a cybersecurity firm and we're going to have nine tips in there specifically for Discord and NFT communities. One of my personal favorites there that I learned during the cybersecurity thing, and I think this is going to apply to everybody, is when you're filling out those things like, “What's your mother's maiden name?” And you're so earnestly honest about what those answers are, but the problem with that is you end up reusing those and they become as bad as reusable passwords. I've gotten into the habit when asked, ‘what's your mom's maiden name?’, I write, “pink dog frog 54”. You're actually just adding these other layers. Basically, if somebody knows your mom's maiden name, they can get into your bank. Anyway, I'm going to go down this whole journey of security and I'm going to be starting to share a little bit more of that. I’m happy to talk to anybody if you want to follow me and look for more.
Stay tuned to our latests news and updates