Crypto’s flagship cold storage tool, Ledger, came under fire this week from the crypto community following a Reddit post from a Ledger co-founder that suggested that outside companies could access users’ seed phrases on a voluntary basis. The situation is far from cut and dried, and it has led to some serious dialogue in the cryptocurrency communities about the degree of security Ledger owes its users.
Let’s look at both sides of the argument.
Ledger Lunacy: How It All Started
It all began with a new firmware update released the day before, which quickly raised questions about what the update actually does. A Reddit post on the r/ledgerwallet subreddit late Monday night/early Tuesday morning this week set things off, in a thread titled “Is there a backdoor? Yes or no.”
The Reddit poster asked in the body of the post:
The post opened the floodgates to speculation, and responses from Ledger co-founder Nicholas Bacca (u/BTChip) did not generate support among Ledger users. Bacca provided several answers to user questions throughout the thread, including this answer in the thread itself:
There is no backdoor and I obviously cannot prove it (because it is impossible to prove a negative) – let’s just say you are already using the device, agreeing that Ledger cannot update the firmware without your consent – this is the same recovery mechanism that is locked behind ownership of your device, knowing your pin code, and finally your consent on the device. More information will be published soon describing how the service works – tldr is that no company will know your seed if you choose to use it. If you do not want to use it, it will not affect your previous experience with the device in any way.
Overall, users still seem to be struggling with one burning question: can a Ledger device reveal a seed phrase?
[Chart] Bitcoin (BTC) sees a steady price move as users contemplate the security of their cold storage. Source: BTC:USD on TradingView.com.
The Big Picture: Round-Trip Dialogue
While the crisis continued on Reddit, with new subreddit threads reaching the “hot” page under titles such as “consider switching to another cold wallet”, “how to kill your business” and many others, crypto Twitter also weighed in. Crypto Twitter’s resident developer foobar further inflamed the situation:
Stop using Ledger hardware wallets. Migrate away from them immediately. They’ve shown nothing but gross incompetence and wild misunderstanding of their own purpose. And now they’ve publicly admitted to intentionally backdooring their own proprietary hardware. Stop using Ledger
— foobar (@0xfoobar) May 16, 2023
However, not everyone agreed. Another well-known developer, Udi Wertheimer, responded that the message was “irresponsible hyperbole” and that “the Ledger remains as safe to use today as it was yesterday. For MOST people, this is the simplest hardware solution we can recommend.”
In general, it is right and expected in the cryptocurrency community that companies like Ledger face a huge amount of scrutiny: the integrity of the industry relies heavily on the security and integrity of the largest cold storage provider in the business. While some members of the community are likely losing their heads too quickly, Ledger will probably continue to face pressure to be more transparent about exactly how far access to wallet keys extends.