As part of our Methodology, we ask:
Many hardware wallet projects aim to be as transparent as possible by using only off-the-shelf hardware with an open design and open code. If the product reviewed is not available in an assembled form, i.e. the user has to source their own hardware, possibly solder it, and compile the software to install on the device, it falls into this category.
But we also ask:
Bitcoin wallets are complex products and Bitcoin is a new, advancing technology. Projects that have not been updated in a long time are probably not well maintained. It is questionable whether the provider even has staff on hand who are familiar with the product, should issues arise.
This verdict may not be applied if the provider is active and gives good reasons for not updating the product.
Do your own research!
Try searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and whether you are comfortable with the provider's reaction.
If you find something we should include, you can create an issue or edit this analysis yourself and create a merge request for your changes.
The Analysis
Background
Nemanja Nikodijević is a security researcher who created an open source hardware wallet called hwallet that uses significantly fewer lines of code than ColdCard, Trezor, Ledger and KeepKey.
In the video below he claims that his open source hardware wallet is significantly less complex than the top competitors. By his count, the lines of code are:
- 2.5 million in Coldcard Mk3
- 346 thousand in Ledger Nano S
- 162 thousand in Trezor One
- 122 thousand in KeepKey
- 4 thousand in his product
He attributes a large part of the difference to the lack of hardware acceleration: if the chip cannot do the cryptography natively, the software has to implement it. While this is true, it does not mean those features are absent from the other wallets; they are implemented in silicon instead. We won't go into details here, but a more feature-rich chip may be more complex in other areas and so increase the attack surface again.
The comparison is also flawed because his product does not support all the features the other products do, so the numbers do not compare like with like.
Lastly, since he counts license headers, which are code comments, as "lines of code", what else did he count? Empty lines? Code documentation only improves security: it helps with audits, is not executable and therefore does not increase the attack surface.
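To make the point about counting concrete, here is an added example (not code from this page or from the hwallet project) of a small Python line classifier for C source. It separates blank lines, comment-only lines (license headers, doc comments, block comments spanning several lines) and lines that carry executable code, which is what a "lines of code" comparison should report instead of a raw `wc -l`. The sample C file, the function names and the directory helper are all ours and are assumptions for the example; the classifier deliberately does not parse string literals, so a `//` inside a string would be misread as a comment start.

```python
"""Rough C line classifier: separates blank, comment and code lines so that
license headers and documentation are not counted as executable code."""
from pathlib import Path

# Constructed sample C file (not from hwallet): a license header, a doc
# comment, a trailing comment on a code line, and a few blank lines.
SAMPLE_C = """/*
 * Copyright (c) 2021 Example Project
 * SPDX-License-Identifier: MIT
 */

#include <stdint.h>

/** Add two numbers. */
static uint32_t add(uint32_t a, uint32_t b)
{
    return a + b; // wraps on overflow
}

int main(void)
{
    return add(1, 2) == 3 ? 0 : 1;
}
"""


def classify_c_lines(source: str) -> tuple[int, int, int]:
    """Return (blank, comment, code) counts for a C source string.

    A line containing any token outside a comment counts as code, even if
    it also carries a trailing comment. Block comments are tracked across
    lines. Limitation (assumption of this example): string literals are not
    parsed, so "//" or "/*" inside a string is treated as a comment start.
    """
    blank = comment = code = 0
    in_block = False
    for raw in source.splitlines():
        line = raw.strip()
        if not line:
            blank += 1
            continue
        has_code = False
        i = 0
        while i < len(line):
            if in_block:
                end = line.find("*/", i)
                if end == -1:
                    break              # rest of the line is still comment
                in_block = False
                i = end + 2
            elif line.startswith("//", i):
                break                  # rest of the line is a line comment
            elif line.startswith("/*", i):
                in_block = True
                i += 2
            elif line[i].isspace():
                i += 1
            else:
                has_code = True        # a non-comment, non-blank token
                i += 1
        if has_code:
            code += 1
        else:
            comment += 1               # non-empty line with no code token
    return blank, comment, code


def raw_line_count(source: str) -> int:
    """The number a plain `wc -l` would report for the same text."""
    return len(source.splitlines())


def count_tree(root: Path, suffixes=(".c", ".h")) -> tuple[int, int, int]:
    """Sum the classification over every C source file under root."""
    totals = [0, 0, 0]
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            for k, n in enumerate(classify_c_lines(path.read_text(errors="replace"))):
                totals[k] += n
    return totals[0], totals[1], totals[2]


if __name__ == "__main__":
    blank, comment, code = classify_c_lines(SAMPLE_C)
    print(f"wc -l total: {raw_line_count(SAMPLE_C)}")
    print(f"blank={blank} comment={comment} code={code}")
```

Run it against a firmware tree with `count_tree(Path("src"))` and compare the `code` figure with the raw total: in the constructed sample, 8 of 17 lines are blank or comment, so a raw count nearly doubles the number of lines that can actually execute.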
The hwallet is not commercially available and is a DIY bitcoin hardware wallet. He built the project in order to prove that there is a simpler and safer way to build bitcoin hardware wallets compared to current commercially available solutions.
Wallet Description
From his repository, the required components are:
- FRDM-K82F or FRDM-KL82Z
- Pmod OLED
Analysis
This is an Open Source DIY project.
(dg)