Reproducible Build Proofs: Wallet Scrutiny and BitcoinBinary

635 sats \ 9 comments \ @cointastical 6 Aug 2022 bitcoin

This past week there was a hack of wallets (mostly related to Solana blockchain), resulting in the theft of millions of dollars worth of tokens. The root cause was that many users had been using the "Slope" wallet, which had a design flaw in its security that was eventually exploited. Slope is a closed-source wallet, so the source code for this software was never reviewed externally and the flaw was not discovered. Thus people using Slope thought they "held their own keys", but ultimately they didn't.

You are little better off using a closed-source wallet app than you are leaving funds on a custodial exchange. And even if there is source code published for your wallet app, what good does that do you? If the app you downloaded and installed doesn't match the source code, then having an "open source" wallet even means pretty much nothing!

The only surefire way to know that the software download matches the source code is to build it yourself and compare. Almost nobody does that. But there are two projects that aim to show proof that a software build available to the public can be reproduced from the software project's corresponding source code repo.

This post is simply to bring awareness to these two projects and to list the surprisingly very few software releases which are (currently) found to be reproducible.

BitcoinBinary:

"BitcoinBinary.org is a repository of Reproducible Build Proofs for Bitcoin Projects"

Reproducible: [13 brands]

BITBOX02
BITCOIN CORE (and BITCOIN-CORE)
BLOCKSTREAM GREEN (and BLOCKSTREAM-GREEN)
COLDCARD (and COLDCARD-MK3)
ELECTRUM
LND
MYCELIUM (and MYCELIUM-ANDROID)
SIMPLE BITCOIN WALLET (and SIMPLE-BITCOIN-WALLET)
SPARROW (and SPARROW WALLET)
TREZOR 1 (and TREZOR T)
WASABI (and WASABI WALLET)
ZAP (and ZAP-ANDROID)

Wallet Scrutiny:

To improve the security of Bitcoin wallets by examining products for transparency and potential attacks

Play Store:

Reproducible: [9 apps]

Bitcoin Wallet (Shildbach)
Mycelium Bitcoin Wallet
Electrum Bitcoin Wallet
SBW: Simple Bitcoin Wallet
Green: Bitcoin Wallet
Unstoppable Wallet
AirGap Vault- Tezos, Cosmos, Ethereum, Bitcoin
Zap: Bitcoin Lightning Wallet
ABCore [obsolete]

Unreproducible: [19 apps] Others not included (e.g., custodial, no source, not enough users, etc.): [Hundreds]

App Store:

Reproducible: [0 apps] Unreproducible: [16 apps] Others not included (e.g., custodial, no source, not enough users, etc.): [Hundreds]

Hardware Wallet:

Reproducible: [4 devices]

Trezor One
KeepKey
Trezor Model T
Foundation Passport

Unreproducible: [11 devices] Others not included (e.g., custodial, no source, not enough users, etc.): [Dozens]

view all related items

25 sats \ 4 replies \ @rijndael 7 Aug 2022

Just having a reproducible build doesn’t mean that it’s secure. That’s one of the things I don’t like about walletscrutiny. Their methodology for determining what to put a green label on and what to put a red label on is misleading at best.

There is a lot more to wallet security and trying to boil it all down to reproducible builds is actively harmful to the ecosystem.

Also iOS apps aren’t binary-reproducible, so there’s a whole thing…

25 sats \ 1 reply \ @l0k18 6 Feb 2023

Trusting Apple seems like a pretty bad idea anyway.

Reproducible builds at least guarantee the source makes the binary that is distributed.

Does walletscrutiny say something more than "we can build these and get the same hash as the one being distributed?"

25 sats \ 0 replies \ @rijndael 6 Feb 2023

the problem is that you can't get the hash of an ios app on your phone.

0 sats \ 0 replies \ @cointastical OP 7 Aug 2022

There is a lot more to wallet security and trying to boil it all down to reproducible builds is actively harmful to the ecosystem.

I disagree that Wallet Security is harmful to the ecosystem.

But to get further, there is the tragedy of the commons. Security audits on the code would help with that. Security audits are labor expensive. Who will pay for these security audits to vet the open source code on these wallets?

0 sats \ 0 replies \ @cointastical OP 7 Aug 2022

There is a lot more to wallet security and trying to boil it all down to reproducible builds is actively harmful to the ecosystem.

It's the tragedy of the commons. Security audits on the code would help with that. Security audits are labor expensive. Who will pay for these security audits to vet the open source code on these wallets?

0 sats \ 1 reply \ @cointastical OP 6 Aug 2022

Wallet Scrutiny created a Twitter thread recently. The Tweet that kicked off the thread is:

For the record:

We have never prioritized reviews based on donations and to our knowledge only one provider (Unstoppable) did donate to us at all.

We were asked repeatedly about the price to re-evaluate certain products but never agreed to such arrangements.

https://twitter.com/WalletScrutiny/status/1555707192367513601 https://nitter.it/WalletScrutiny/status/1555707192367513601

0 sats \ 0 replies \ @cointastical OP 6 Aug 2022

And this Tweet by the founder of Wallet Scrutiny, in response to Fiatjaf's Tweet which also happened to be on SN today:

But I'm more concerned about financing my project WalletScrutiny.com. I deem the content incredibly valuable and many experts agree but who should pay for it? It's currently geared towards early-coiners to raise their awareness of threat models. They would never pay.

https://twitter.com/LeoWandersleb/status/1555982693120315393 https://nitter.it/LeoWandersleb/status/1555982693120315393

0 sats \ 1 reply \ @cointastical OP 6 Aug 2022

There are a couple other posts, here on SN, where these two projects were shared:

BitcoinBinary.org - A repository of Reproducible Build Proofs for Bitcoin Projects #17501 https://bitcoinbinary.org

Is your Bitcoin wallet secure? #5436 https://walletscrutiny.com

0 sats \ 0 replies \ @cointastical OP 6 Feb 2023

Also see this post:

Wallet Scrutiny #131993