
What’s Next for Wallets After Ledger Recover Outrage? - Unchained podcast

https://www.dynamic.xyz/blog/whats-next-for-wallets-after-ledger-recover-outrage-unchained-podcast

Laura Shin hosted the CEOs of Dynamic and ZenGo as they unpack a vexing question: Can crypto self-custody ever be easy for the masses? Throughout the discussion, they delve into the challenges of managing personal keys, debunk misconceptions about hardware wallets, and highlight the potential of multi-party computation as a solution. They also discuss alternative approaches like Shamir's secret sharing and multisigs, as well as the tradeoffs between security and user experience. The podcast further examines the concept of "passwordless authentication," safeguards against fraudulent transactions, the role of open source in wallet security, the impact of account abstraction on user experience, and the pivotal role security plays in shaping the future of crypto.

You can read more here, and listen below.

Read the transcript:

Laura Shin:

Hi everyone. Welcome to Unchained, your no hype resource for all things crypto. I'm your host Laura Shin, author of The Cryptopians. I started covering crypto eight years ago, and as the senior editor at Forbes was the first mainstream media reporter to cover cryptocurrency full-time. This is the June 6th, 2023 episode of Unchained.

Buy, trade and spend crypto on the crypto.com app. New users can enjoy zero credit card fees on crypto purchases in the first seven days. Download the crypto.com app and get $25 with the code Laura. Link in the description.

Laura Shin:

Today's topic is new developments in crypto wallets. Here to discuss are Itai Turbahn, co-founder and CEO of Dynamic Labs, and Ouriel Ohayon, CEO of ZenGo. Welcome Ouriel and Itai.

Ouriel Ohayon:

Hi, Laura.

Itai Turbahn:

Good morning.

Laura Shin:

I'm sure everyone knows wallet security recently became quite a hot topic with the announcement of Ledger Recover, which is the service that Ledger announced offering people a way to have a backup of their private seed phrase that would be split up amongst different custodians, and also tied to their personal identity. The crypto community kind of freaked out about this, and some of the reasons include the fact that it could be possible for the companies to be compelled by the government to give up the identities of these people. It could also be because people suddenly realized, "Oh, right, the code for Ledger is not open source." There's numerous reasons here.

But before we go into all the details on Ledger Recover, let's just take a step back. Because there's actually a lot of issues when it comes to wallet security. Why don't we just give an overview of what all the different problems are, the pain points when it comes to especially self-custody of our digital assets? Ouriel, do you want to kick off the conversation?

Ouriel Ohayon:

Sure. Thanks, Laura. Just for the context, we are running a non-custodial crypto wallet for four years. We've been looking at this problem for some time. The problem of security in crypto wallet is a deep problem unsolved to this day. The famous not your keys, not your coins happens to be your keys, your problem. And the reason is because it's really, really hard to protect the seed phrase. It's a single factor security system where if you lose it, or if you miss it, or if someone steals it, everything is gone. And there is a reason Ledger and other companies are trying to bring a solution to this problem.

There is multiple issues with that. First, there is the system. The system where a wallet tell you by design you have to be in charge of your security, and if you are not doing the right thing, everything will go away. That's already a problem to solve, because most people are not equipped to be good at security. The second problem is that you have to trust the system that you are putting your coins into. And with Ledger, people have finally realized that they had to trust Ledger at some point, and people suddenly open their eyes. They thought the woman would never betray them and would never leave them, but it happens that in that case it was indeed possible that something was going to be broken in the perceived promise that the hardware wallet is protecting you, because they are part of a wallet system that is either closed source or that you have to delegate some trust so that the system works for you. It means that you can protect the private key.

And finally, there is all the problems around the wallet security that has nothing to do with the wallet system itself, but with the vector of attacks that a user can be exposed to. There are many, many, many from pure human error to social engineering and more. We can discuss those. The bottom line is that wallet security is a 360 problem that is extremely hard to resolve. The real question that you want to ask yourself is, what do you want to trust? Who do you want to trust? Do you want to trust the system? And then you have to delegate some kind of trust, and the question is up to which level. And then the alternative is, do you trust yourself? Can you make the right choices in terms of choosing the right wallet and protecting yourself around that? That happens to be a very complicated problem. I think that's kind of already some foundations for the conversation. I'm sure we'll double click.

Laura Shin:

Yeah. Itai, what do you think are some of the big pain points and issues that need to be resolved?

Itai Turbahn:

Ouriel made a bunch of really important points. At the end of the day, this is about trade-offs, right? Like anything in life, these are all kind of trade-offs, and the trade-offs are always trade-offs of security, user interface or experience, recovery cost and so on. You always have these levers that you have to switch between, and each one of them comes with their own pain points. On the security side, you can lock everything in this giant castle and never have anything leave, but that has massive costs and that has massive pain points of accessibility to your information or your keys. On the other side, you can trust someone else with everything, which gives you the accessibility and user experience, but has a massive cost on trust in delegating access. That comes with its own pain points.

As we dive in, we'll see this. There's always kind of these trade-offs that we have to talk about, and each comes with its own pros and cons. And I think specifically we'll dive into this, but in the Ledger example, they went from one side of the trade-offs to another side pretty quickly, and communication served a key component there. Not necessarily the technology side, but rather how you deal with communication of trade-offs. That's, from my perspective, the key thing is these are all kind of questions of what do you prioritize, and what are the challenges for each kind of element that you can get to?

Laura Shin:

Okay. Let's dive a little deeper into the Ledger Recover situation, because obviously that was something that just caused a really big outcry in the crypto community. There's I think probably multiple issues or problems with the service that they were offering, or at least reasons to be concerned about it. Why don't you just break down, and it can be either one of you, what some of the different fundamental issues were with that service?

Ouriel Ohayon:

Just to get started at a high level, I think the first element is the fact that it exists. The possibility that there is a system, even an opt-in system, I mean that you have to choose it, that can indeed extract in some capacity the holy of holy, the seed phrase out of the hardware wallet that was not supposed to do that. I think there was a massive disconnect between what most people understood about the role of a hardware wallet and the capability of a firmware, which is part of a hardware that has this ability to do basically whatever it wants, including extracting the private key. And because Ledger, as part of this code that is closed source, there was no way to actually realize that. I think the first fact that it exists is a problem.

Laura Shin:

And just to expand on that, you're saying that previously people had this conception that when they received a hardware wallet from Ledger, that what that meant was that the key could never be accessed unless you had the device. Is that what you're saying?

Ouriel Ohayon:

That's correct. Actually that was their actual claim, that the private key can never be extracted from the hardware, ever. It was repeated, it was written, it was said, it was communicated. But there was always a small asterisk saying that, "Assuming that you trust on our firmware." And the firmware is this piece of software that manages the relation with the hardware and what the user wants to do with it. It so happens that indeed the firmware once updated by the fabricant of this firmware can actually have the capability to, in that case, extract in some way the private key, the seed phrase from ... Not the private key, but the seed phrase from the hardware. That's something that was not understood from the market, and that was in part one of the reason of the outcry, because that was something that was never supposed to happen. Although to be honest, if you really double click into the meaning of everything, it was always possible.

That's something that I think was the beginning of everything. But you add to that also how they did it. They say it was a misunderstanding and everything. And it's not a misunderstanding. They know exactly what they're doing. And I have to say, building a competitor, I have to give them credit. I think they're going into the right direction, but I think they are making some very important tactical, I would say, mistake here. The tying of the recovery to a KYC and identification which breaks privacy, and can create scenarios which they admitted of government coercion, that's a problem. That's a problem. It's not also very clear that the recovery can be safe of impersonations. Impersonations of Ledger and impersonation of the users for the KYC. We've seen so much crazy stories that I want to see before I believe it.

There are other big questions around how it's built. The fact that it exists and its execution, although I have to say that I think they're going into the right direction, I think this was probably overblown, but I think this is the right move. Maybe Itai, you have some more on that?

Laura Shin:

I do want to ask you about the right direction thing, but before we move on, I just wanted to comment just what you talked about, how people could then fake other people's identities to access those assets. I mean, when this rolled out, I remember thinking like, "Oh, it's so similar to what was happening with the SIM swaps," or what continues to happen with the SIM swaps, where people go into an AT&T store, Verizon or whatever, and they're pretending to be ... Like Ouriel, I could pretend to be you. And I say, "Move my account to Sprint," and then from there I can go into all of your sensitive passwords and click forgot password, and then have the code sent to your phone number, which I now have, and change all your passwords, lock you out and do whatever I want with your accounts. It felt like, "Okay, that's opening up that level of attack," which has been very prevalent in the crypto community.

Ouriel Ohayon:

Yeah. And accessing fake KYC document today, and even mimicking with deepfake videos and AI today a person, it's a problem we know really well because we do [inaudible 00:11:52] biometrics at ZenGo is actually extremely easy. I think there is a lot of questions about how this is going to be actually secure. Not to mention even the impersonation of Ledger as a brand. I mean, you remember they were hacked in the past, their e-commerce website was hacked, and there was a massive amount of campaigns around impersonating Ledger into tricking people to get the seed phrases. It's not like there is not a past around this problem. It's very, very real. It's very serious. I want to see it before I can give a stamp of approval. Not approval, but at least understand better the security model around what they're building.

Laura Shin:

And Itai, what were your thoughts about some of the issues with the Ledger Recover service?

Itai Turbahn:

First, I think their heart's in the right place. If I put myself in their shoes, I would assume one of the challenges they face from their end is folks lose their Ledgers. Folks literally just store a lot of information on it, or a lot of crypto on it, and then it disappears. At that point they have a challenge to solve, which is the challenge of how do you deal with customers that they don't remember their passwords, but don't actually physically remember what they put their Ledger?

The second challenge that they face is a challenge of they have a one-time purchase business, and they have to start moving to a subscription business in order to build company value. There is this economic challenge, and there is this user challenge that they have to face. It starts from there, and their heart is in the right place. I think the approach of creating some sort of recovery solution is not a terrible idea. It's actually a pretty important concept, which is let us help you make sure that if something happens, we can help you.

But Ouriel mentioned this, there's how Ledger is perceived, which is Ledger perceived as a device that is really as close as you can get to your key is your crypto. And all of a sudden within a single day for most people there's a break in that promise which essentially says, "Well your device, your key is your crypto, but we can actually with a firmware update extract shares of that storage and store them on additional devices." The challenge isn't just necessarily a security challenge, and again, I think their approach is correct. I think the fact that you should be able to store information, recover it, and I think doing it with [inaudible 00:14:32] and being able to store different and in a less risky way where you have one attack vector to a single partner but rather storing it across three is actually a super smart way of doing it.

But it's a break of a customer promise that you have to do over months and years of communication done in a single day, very, very quickly. That, in my opinion, is the biggest problem they face, is not necessarily a security problem or around their product approach. And I feel for their product managers. Looking at this from the outside in, I really feel for the product management experience. But that, to me, is the biggest challenge is actually a PR challenge versus the actual security challenge, is a break of customer promise for what you expect from Ledger.

I do think that if you fast forward two years, this solution will come back in a second iteration and we'll talk about this. But to Ouriel's point, it'll come back as an open source type of solution. It'll come back potentially with alternative forms of ID verification that don't rely on biometrics or image, but rather rely on more privacy preserving information. But the solution itself and the concept of making sure that if you lose your device, not everything is lost, is not a terrible idea.

Laura Shin:

Okay. Both of you have indicated that certain aspects of the way Ledger Recover is designed were correct directionally. At least, both of you have said things like that. What about this service was in the correct direction, as you both indicated?

Ouriel Ohayon:

I mean, we've been doing wallet recovery cloud, wallet recovery for four years. We actually invented that approach. We do it for free without KYC, and very successfully at scale. We can only be in favor of that type of approach. We've always said, and Ledger recognized it even on their website, that the seed phrase model is problematic. Even put on their website the testimonies of users who lost the seed phrases from their own hardware wallets. And that's something that's very, very common.

I think the approach of relying on what we call the two-man rule versus the one-man rule, meaning you distribute the security and the recovery, instead of making the user trust himself, which is a terrible idea eventually, it is directionally correct. There is a set of problems here is that indeed it's KYC based, and so privacy issues is impersonation. We have to see how they play it, but they do use three parties to allow people to distribute the secrets, one of which is Ledger itself. It's already possibly an issue, because now they're part of the recovery. And another is a company called Coincover, which also provides some insurance in some capacity, but it's not clear how. And finally EscrowTech, which is a company we've brought to crypto four years ago. Using the same company that the one that we've been using for four years.

It's like directionally there is something that makes sense there, but the execution is problematic. They started with a closed source approach where they forced also the firmware update to everyone. And now what they're trying to go towards is open sourcing that solution, and making it mandatory only from certain devices. But I'm not sure it solves the problem, because even if you open source the recovery only, the wallet itself has a massive amount of code that is closed source, so it's not really resolving the problem.

Second, it's a paid service. The question is, what happens if you stop paying? Are you losing your recovery? It's not very clear what happens there. Then what will be the system of resistance to coercion. If a government sends a subpoena, they admitted that they would comply and that they would give away the parts. That's a problem. In our wallet, for example, if we receive a subpoena we can give something, but it's useless. There is nothing that can give away the user account. There is a set of questions around how is that resistant to a government state attack, which is a very real thing. We know it happens. I think there are still a lot of unresolved questions, and we'll see how they play that out. I mean, I think they are version one, and like I said probably in the future they will do better.

I want also to make a prediction today. I'm fairly convinced that it's not the last company to try to do that. I mean, we were the first, becoming second, and I can already know and tell you that there is other companies that will do that, because directionally there is no way to stay sane and tell to your users, "If you lose your seed, trust us. But if you lose your seed, you lose everything." That can't be the future. Everyone knows it. I'm sure there will be more and more of that. I think there will be iterations of that model towards something that is more resilient to government attacks that will probably take the price down, or to free, as we always did for example, and that will have more robust security system that doesn't rely just on KYC.

Laura Shin:

Well, now that we've kind of explored all the different issues there, Ouriel, you obviously have, as you mentioned, a competitor, and it has quite a different model. Why don't you describe how it is that ZenGo secures users' crypto?

Ouriel Ohayon:

It starts with the foundation. We don't use seed phrases and private keys, which is the model of [inaudible 00:20:24]. By the way, even with a recovery system like Ledger Recovery, you still have to back up manually 24 words or 12 words somewhere safe. That's the model of our problems. Even if you have a recovery service in place, you are still likely to give that away to a phisher, or to some sort of attacker, physical or digital, [inaudible 00:20:47] a problem that can open around that. So we don't use that. We use MPC, multi-party computation, which by default and by design does not generate private keys, but distributed independent secrets. There is no magic here. You still generate secrets, but they are never in the same place at the same time so that there is no single point of failure. If you lose one secret, you don't compromise the entire system. That's kind of the first point of difference.

The second point of difference is we have created on top of that a system of authentication that does not rely on passwords, and does not rely on passcodes or PIN codes. In the wallet you traditionally have some sort of PIN or a code or something to get in. We created an authentication mechanism that is multifactor and does not rely on passwords, and relies among other the things on [inaudible 00:21:38] biometrics, which is a way to identify that you are who you are at scale, very, very securely. It's already been deployed at scale, millions and millions of users. The authentication mechanism is also a guarantee that no one else but you can access your wallet.

And finally, there is an element of security at the transaction level where the wallet tells you what's going to happen before you hit the send button, so that you avoid transactional risks like connecting to a malicious [inaudible 00:22:08], for example. The wallet is designed in a way that makes it extremely resilient to traditional attack vectors related to seed phrases, related to human errors, related to SIM swapping, related to phishing attacks. To this day we had zero account theft. Zero. We have nearly a million users. That's really remarkable when you think about the security system, and it's proof and it's validity. It's because it's designed by default very differently.

Itai Turbahn:

Just maybe I'll add one maybe distinction that I think we might want to dive into at one point as a key distinction. We talk about all this stuff as MPC, and Ouriel mentions the approach of ZenGo. There's a nuance of technologies within it. So one thing we should probably touch on is Ledger uses Shamir's secret sharing, which essentially says we will take a key that exists, and then we will split that key. Versus a ZenGo approach or a Coinbase wallet service or a lot of providers that say the key will not exist to begin with, but rather independently you will calculate the result from kind of independent shares. There's a lot of nuance that isn't necessarily clear in the market on what does MPC, or what does these splitting of keys actually means, and whether a key has existed to begin with.

Essentially, there are multiple ways to actually think about private public keys. This is not necessarily related to cryptocurrency. In general, you have a private public key type security, and it relies on a single private key, and that lets you interact with the world. You send your public key to someone, they can encrypt stuff with their public key, send back to you, you can open it. That's the classic crypto kind of way to go about the world.

The challenge, and this is what we talked about for the last 20 minutes, the challenge is that you have a single private key. There are multiple technologies out there to actually address how you solve it. They are in the categories of multi-party computation, they're in the categories of multisig, they're in the categories of essentially what we'll call other, which is storing things in AWS Nitro enclaves and things of that sort.

And really the categories are the following. There's MPC, which essentially says take a single key and split it up. There's multisig, which essentially says take a single key and add another 4, 5, 6, 20 keys on top of that, and make sure all keys need to unlock. And then there's a third category which is take a key and store it in a very safe place, either on a cloud or in another way, and create architecture that makes it really hard to access the private key. Those are three approaches.

Within MPC, if you double click on that, and sorry to create this weird trio of MPC, multisig, and other, but within MPC there are actually two technologies. There's what's called Shamir secret share, and there's threshold signature scheme. Shamir secret share is this really cool 1970s technology that works really well, which does the following, which essentially says we can take a key, we can split it into two, three, etc., and then we can create this calculation where the key is usually separated, so parts or shares of the key aren't stored at the same place at the same time, lowering the risk of let's call it a hack of someone knocking on your door and taking your private key, because it's not stored in a single location.

The challenge with Shamir secret share is that the way the math works means that at a certain point of time, the key is reconstructed to sign a message. Essentially you have shares, you took a single key, broke it into three, but then you reconstructed it to actually create a signature. That's what Ledger does, for instance. And the reason they do this is because they started with a single key, they broke it up, and then they reconstruct it.

There's a second approach with MPC, and that's used by ZenGo, that's what's used by Fireblocks or Coinbase Wallet as a Service or Curv that was sold to PayPal, or another couple of solutions out there, Fortify, etc. Their essentially approach is a key never has to exist in the first place. There are three shares, and through coordination, they independently create the result or an outcome. I'll call it math magic. I know Ouriel actually has the details around actually how this works, but there's some really cool math magic there with proofs around the coordination.

But essentially, while maintaining independence shares of keys, you get to an outcome of the assigning of calculation. That's really cool, because essentially it's this math magic of a key has never existed to begin with, but you still have the same effect. And so what you see companies, again, that secure billions of dollars like Fireblocks or ZenGo or Coinbase Wallet as a Service use, is they use threshold signature scheme, that subset of MPC to actually do things. And the world, and we'll talk about this, there are multiple wallet-as-a-service companies moving exactly to that model as a way to secure private keys in a much more scalable way. That's kind of the breakdown. But again, coming back to just Ledger uses Shamir secret share because they start with a private key. ZenGo uses threshold signatures. Safe uses a combination of multisig and account abstraction. Now, there are multiple approaches to this.

Ouriel Ohayon:

And just to complete on what Itai described, what that means in effect in terms of security consequences is that in the world of Shamir secret execution, if the parts are attacked or coerced, you can reconstruct the private key and therefore take away the funds. Very, very easy to do. If you have the minimum threshold to get them, two out of three, three out of four, whatever. In the case of Ledger, it's two out of three, then it's game over.

In the world of threshold signature, even if there is a takeover of the server, of the wallet operator, in that case ZenGo or Fireblocks or whoever operates by that cryptography, nothing can be done. It's impossible to take away the funds, because there is never a private key that existed in the first place. And the threshold to obtain the permission to withdraw the funds has to be completed on the user side, and obviously the system doesn't have access to the user side. I think it's like there's a very fundamental difference in terms of security system and guarantee that you have with one that you don't have with others.

Laura Shin:

All right, in a moment we're going to talk about the downsides of MPC wallets, because it's all a game of trade-offs. But first, a quick word from the sponsors who make this show possible. Join over 80 million people using crypto.com, one of the easiest places to buy, trade, and spend over 250 cryptocurrencies. With the crypto.com Visa card you can spend your crypto anywhere and get rewarded at every step. Up to 5% cash back instantly, plus 100% rebates for your Netflix and Spotify subscriptions, and zero annual fees. New users enjoy zero credit card fees on crypto purchases in their first seven days. Download the crypto.com app and get $25 with the code Laura. Link in the description.

Laura Shin:

Back to my conversation with Ouriel and Itai. As we discussed, in many ways MPC wallets are more secure, but there are some downsides in terms of computation. Can you run through those?

Ouriel Ohayon:

Sure. I mean, there is obviously security risk at the cryptographic level. The cryptographic could not be maybe solid enough or robust enough in its randomness and its calculations so that the private key could be extracted in some kind of way. Recently there was a disclosure made by Fireblocks around what BitGo made for their TSS threshold signature library, and reveal that there was a possibility to extract the private key out of the way the secret shares were computed. It's not like a 100% security, it's never 100% security. It's always about how you execute it, how you better test it, how you audit it, how you improve it all over time. And so there is a risk at the cryptographic level.

The second risk is obviously a trade-off at the point of signature, meaning that when you accept to use a wallet that is based on TSS, you accept the fact that the co-signer, the wallet operator will have to agree to sign the transactions. If you want absolute guarantee and total control that the signature will happen, then the TSS model is not perfect for that, because you will never obtain the total equivalent of you alone signing your transaction. What that means is that in theory, although that has never happened in the past, the TSS operator or a threshold wallet operator can stop a transaction, can make it so that it will not be signed. There are ways to mitigate that, and we can discuss it. We have one of them, for example, but this is a real risk. I would say there is a systemic risk at the cryptographic level, and there is a design system risk of trust at the signature level so that you can make a transaction and move your funds out.

Laura Shin:

All right. Now we've done a really deep dive on ZenGo. Itai, you are working on Dynamic Wallet. Why don't you tell us about it?

Itai Turbahn:

Yeah, absolutely. Essentially, we're on the other side of this. I would call it the Switzerland of the wallet industry. We are essentially an authentication provider. We work on the application side, so we have customers like Sound.XYZ and Flipside Crypto and Tokenproof and others. We power their system to interact with wallets, whether it's branded wallets, whether it's embedded wallets like a [inaudible 00:33:31], etc., or whether it's wallet as a service wallets like a Coinbase Wallet as a Service or a Magic or a Web3Auth. We get to see the wallet industry as a whole, and kind of interact with all types of wallets. Our customers or developers are sites and apps that interact with these wallets on a day-to-day basis. We provide both the login services for these wallets, for these applications, the user management, authentication authorization services. We help end users spin up wallets through MPC or other options if they don't have access.

But our customers are not necessarily end consumers, they're actually developers. We power the entire authentication system for those developers as they run sites. They want to interact rather with email account creation, they want to interact with wallets. We've been talking about wallets for the last 30 minutes. And just so everyone knows our vision, we fundamentally believe that's pretty much where the world is going. In five years everything becomes a wallet, and the way you interact with sites and apps is not going to be account creation, it's going to be logging in with your wallet. That's the future we're essentially building to, and that's why we're so passionate about wallet security is because for that world to exist there needs to be a lot of innovation in that trade-off of security and experience that let customers move to that model from trying to create an account and save a password everywhere, move to that model where they interact with a wallet. Again, saying that for the 50th time in two minutes, but interact with a wallet as they log in.

Laura Shin:

One thing that I was curious about was that, because you can link multiple wallets to a single account, if a hacker gets control of that account, then they can access multiple wallets, correct? How does that work?

Itai Turbahn:

It's a great question. One of the features to your point that we offer is, we realized pretty quickly that customers don't have a single wallet. They have multiple wallets. They have their social wallet, they have where they store their NFTs, they have their more financial services wallets, and the number of types of wallets you have is expanding. A service that we offer developers is the ability, on their site and siloed to their site, to help customers link these wallets to a single account.

But the signature itself, a transaction still happens on the wallet itself, meaning regardless of the linking or not linking, to approve something a user has to sign on their own wallet. To your point, if a hacker gains access to a Dynamic user system of record, they can't actually do much with it because essentially it's just association of different wallets, and how they connect together. But the actual transaction, sending something out of your wallet still is a signature that happens. Your own identity provider, you sign to transfer. There's no attack vector there, because it's more of an association. We store associations between wallets, not the actual content of the private key.

Laura Shin:

All right, so let's now just talk about some other aspects of security when it comes to wallets. We've just been talking generally about the wallet itself, but obviously there's security that can be done around transactions. I'm sure you guys have heard that there are a lot of times when people are overcome by a feeling of either FOMO or other sort of urgency. There's all kinds of social engineering ways to get people to do things that's against their best interest. What are some of the ways that either wallets or other kinds of products are protecting users from bad transactions?

Ouriel Ohayon:

By the way, before mentioning that transaction, the first, and by far the biggest risk is actually impersonation of wallet brands. Typically someone says, "Hey, I am Ledger, I'm [inaudible 00:37:41], give me your seed phrase so I can help you." This is very, very common. It happens at scale. Reddit is full of pages and testimonies of those, and there is very, very little that you can do to protect users against that except educating people, but even that is difficult. Sometimes the system itself gets hacked, as it happened with Ledger, and there's nothing that you can do. People think they should give their seed phrase, and so the only protection that you can give them is a system where there is nothing to give away. That's why passwordless authentication I believe is the future. That's why Apple is moving there, Google is moving there, Microsoft is moving there so that there is nothing to give away to an official, an impersonator.

Then you have the problem of malicious applications, which usually start with a link. It's a link that will look similar to something that you heard of, that you know of, an NFT program, an influencer, a famous persona. You will click on it, and it'll ask you to connect your wallet. Possibly it'll be with Dynamic or with WalletConnect or with another system, and then you will have to give a permission because that's how smart contracts interact with wallets, you give a permission to do certain things. This permission usually can become very quickly a wallet drainer, meaning that it will abusively go way beyond the permission that it initially asked you to give, and basically remove everything from your wallet. Sometimes at the same moment, sometimes later on, you will not even realize. The way to resolve that is to actually provide to the user in the context of the transaction a preview of what's about to happen if they approve the interaction with that wallet.

We have one of that solution, we call it Clear Sign. It's a built in firewall. But there are many others that are providing that as an extension. It works on the computer, but some things will at some point work on the mobile, and they basically tell you when we tell you, "Hey, you're about to get your funds removed completely. Hey, you are about to give your [inaudible 00:39:48]. Is it really what you want to do?" And so you raise the awareness of the problem that's about to happen. You cannot prevent it, because if someone wants to do a transaction, well, they do it. If someone wants to die then he will die, but at least he knows that he's about to die, and so you give him a chance to stop before the last step.

That's kind of a world in itself. I mean there are many, many variations, colors and flavors about how this happened. It happens all the time until today. Many people fall into it, including the most sophisticated people. Famously Kevin Rose, the founder of Bloomberg, clicked on the wrong meeting link, and many others. It's not something that you should think that it's just about people falling into it because they don't know. Even the people who know fall into it, because it's so easy. It's so easy to perform. The only thing that you can do as a wallet is to provide the right awareness before bad things happened, and so that the user is informed about what he's about to do. Maybe Itai, you want to complete with other things that you are seeing or aware of.

Itai Turbahn:

Yeah, absolutely. I think your point is right. I think one example is there's a company called Stelo, which does a browser extension that essentially simulates transactions before they happen. And they do a really great job of showing you what you're about to sign. That's it. The way I'm thinking about this is ... I'm thinking about this like the 1990s email, where it was pretty much a wild west. Over the next 20, 25 years, there was this constant iteration of how you fight spam, how you fight phishing emails, how you fight making sure that you have trusted senders and things of that sort. It was this constant evolution to get email to a safe spot where you can really trust it. If we remember 15 years ago before the world of Gmail, it was pretty much terrifying to open links, and make sure you click them and information is collected about you.

Now that's email, which is an information protocol. We're now talking about this at a financial protocol. The risk of things is kind of 100X as complex, because it's not just stealing your information but literally stealing your money. Both the incentives to create theft and incentives to create phishing attacks, etc., go up exponentially. But also the incentives for companies to tackle this. I think just in Israel alone, I heard of 10 companies trying to create transaction simulations in order to try to tackle this field.

What you'll see is, to Ouriel's point, it's a combination of social engineering, where there's going to be services that provide wallets with easier way to tell users what they're about to do, there's going to be services on the dapp side where Dynamic plays to ensure that users cannot sign for something that is out of scope in some way. There's going to be kind of this containment of type of functionality you can do to interact with a wallet, and wallets over time will close a little bit the types of things you can do with them.

But it's going to be this massive competition between great incentives for people to steal your money and massive incentives for companies to then essentially create a structure to compete that. Very similar to what we saw with email in the '90s, just on steroids at a far faster clip of innovation. That's what we'll see, essentially. And again, you see really cool companies. Rain, I think, is another one that's trying to do this. You'll see a bunch of companies try to compete with this space. Forte is another example, and so on.

Laura Shin:

Another thing I wanted to ask about is that people obviously have wallets that they keep online, and then wallets they keep offline. Can you just talk about how it is that people can secure their wallets depending on the spectrum of how hot they are?

Itai Turbahn:

Yeah. I think maybe I'll start with that one if okay. First, by the way, on wallets that are stored offline, if we come back to our first conversation of Ledger, it is a wallet that's started as an offline wallet and is now moving to an online wallet. It's moving from Ledger to Ledger Live to Recovery. Even quote-unquote offline wallets are starting to move online, because there's value of not just storing things. The wallet is moving from a storage device to kind of an interaction authentication device. It makes it really hard to just be an offline wallet in that world. We're moving. The entire concept of Web3 is not about just storing things in your wallet, but also using your wallet, and using it as a financial device and authentication device, as a storage device, etc.

But very similar to how we do everything in life, where some things are very sensitive, we put them in a safe deposit box, and some things kind of are in our wallet on a day-to-day basis, you'll see something similar in crypto, which is over time you'll have very secure services where you access things once a year, once every several months, and you store massive amounts of money, etc. And then on the other side of the spectrum, you'll have wallets which are more your social wallets or NFT wallets, or wallets where you interact with small transactions which you open multiple times a day. There, the user experience is a little bit more important than the security side. You're going to always have that spectrum of types of wallets. And the world, in my opinion, we'll move to is not that there is a winner take all wallet, but rather you'll have multiple wallets for different use cases, some of which more secure, more quote-unquote offline, some are slightly more user-friendly with that trade-off, but something you use 10 times a day. That's what we'll see over time. But again, coming back to the point, even an offline wallet like Ledger is inherently just moved fully online, which is really interesting.

Laura Shin:

I think there's also new ways of securing wallets. Some of these we had discussed in a brief chat before recording, and you mentioned things like Magic and Turnkey. I don't even know really what those are, but can you describe a little bit about them?

Itai Turbahn:

Sure, yeah, absolutely. We talked right at the beginning of the conversation about different technology out there. MPC, multisig, and other. If you double click on that other category, there are multiple approaches for how you can store your keys. I think about them a little bit like safe deposit boxes in banks, where you store something in a bank, but the bank can't necessarily access it. It's a different way of storing information. You have to go to the bank, you have your key, but the bank itself can't actually open your safe deposit box. Magic or Turnkey are inherently, and I'm simplifying this significantly because they have massive technology around this and Magic just raised massive [inaudible 00:47:14] around this, but Magic and Turnkey are inherently technologies that apply that safe deposit box type approach, which say, "We will store your key in kind of an AWS enclave, like a Nitro or something of that sort. We will secure it, we will ensure you get the massive benefit of security there. But we'll build it in a way where we can't access it." You still enjoy the non-custody element of you are the only one that can access your information, but rather than storing that in your pocket like a Ledger, you will store it in giant server farms of folks that do this for a living.

Those are technologies which inherently are the safe deposit box on the cloud. And I'm simplifying, I hope I'm not hurting Magic or Turnkey's feeling here because I think these are super innovative and super smart technology, so this analogy hopefully is a compliment, not a [inaudible 00:48:16]. But these are kind of really cool approaches that are completely different from MPC to solve the same fundamental problem, which is how do you think about recovery, storage, etc., while maintaining that you're going to lose the thing that you have in your pocket, which is that Ledger device over time. Those are Magic, Turnkey and other approaches there as well, which are really cool companies in this space.

Ouriel Ohayon:

To complete on what you've said and you described really well, is that what happens is that the world of wallets is becoming more complex and more articulated. Historically, we've known the world of wallets, which were personal primary wallets, whether they are hardware or software, this is something that the user chooses to install or to buy and puts its coins or NFTs on it. This is what we've been knowing for the past basically 12 years. Now you have an entire new category of what we could call embedded wallet. They're not a destination where people go and choose to create their wallet as they do with ZenGo or Ledger or MetaMask, but they are choosing an app, which can be a game or a social network, and by creating an account there, at the same time behind the scene, they are basically creating an embedded wallet which is tied to this application.

That means that you have a wallet that is associated to the app that you have chosen to use, not because you need a wallet, but just because you want to participate and enjoy the game or the app that you want to use. And so they come with a big trade-off in security, because now your wallet security depends on the security system of that application. For example, if you choose to create your account with, let's say, a Google Connect or a Facebook Connect or a Twitter Connect, your security is as good as your Twitter account or your Gmail account, which we all know is not necessarily the best security in place. And so the trade-off comes with greater convenience, because you don't need to think about creating a personal primary wallet, and you have a wallet tied or embedded into that application, but will come with a trade-off around the security around that. That category is growing.

I think we're going to see a world where you will have in parallel primary personal wallets where people will have their base, their home, where they put what they want to use first, and some will be for their day-to-day usage, or as Itai said, in a vault that is frozen and offline, or possibly not offline, and might have some announcements on that very soon. But that for larger amounts. And then you have embedded wallets which are tied to applications, with much lighter security and all sorts of risk that can happen that you don't have usually with a personal [inaudible 00:51:08], but greater convenience because it's just right there and you don't need to think about it.

Laura Shin:

I also wanted to just address something which we've kind of talked about here and there during the episode, but I just want to have a dedicated moment to discuss it. During the Ledger outcry, people were concerned with the fact that Ledger's code is not open source, and of course the company pointed out, "Well, it's always been like that." How do you guys think about that factor when it comes to users choosing amongst different wallets? How important is it for a wallet to be open source, or how concerned should they be about closed source?

Ouriel Ohayon:

Open source is a great addition, but it's not a perfect medicine for any disease in security. I know the proof of that, by the way, is that recently Trezor, which is a competitor of Ledger Hardware, which is fully open sourced, was cracked by a security company. Open sourcing brings more transparency because you actually see what happens, but also by showing what happens, you also allow attackers to know exactly how the sausage is made, and basically you can actually deconstruct it and break it. Even though open source brings more transparency and possibly even more increases security because by being more transparent, you allow the community to contribute to a better system. In our case, for example, we open source our cryptography, and our MPC library has become more robust because of that.

I think it's a good thing, but it would be also very dangerous to consider that because something is open source, it's resilient to any sort of attack and security risk. Sometimes it's even the opposite. Just as an example, Trust Wallet used to be fully open sourced, which is a mobile wallet, and they came back from it and they went to closed source because there were too many attacks on their wallet, and recently their extension was hacked. That's not something that is necessarily a good thing. And I understand why Ledger decided to open source, it's a way to calm down the community that wanted to get more transparency. But make no mistake, it's not a solution. It doesn't bring any additional comfort, and people who are dogmatically repeating, "If you're not open source, you're not secure," are hiding very important realities behind it.

Laura Shin:

All right. And Itai, do you have any thoughts?

Itai Turbahn:

I would just say actually, I think coming back to on open source, Ouriel earlier in the conversation made a point that actually ties into open source, which open source also carries some risks with it, which is at times what people do is take an open source library and fork it, and kind of build it as their own. As a good example, in math-heavy libraries like MPC, you now have a lot of companies relying on code that they haven't written. It carries, open source essentially kind of opens what you did to the world, but then let someone else take it, implement it, and potentially launch things on top of it, and create risks where if you made the first mistake, someone will make mistakes on top of it, and there's going to be this ongoing cycle. There's a lot of MPC companies today which are built on open source libraries, as an example, where they don't necessarily have the fundamental math understanding of the cryptographic ceremonies that happen in background or things of that sort, which brings in additional risks.

There's the vertical of open source as a way to have someone validate that your code is secure and you implemented things correctly. But there are second order effects of open sourcing that create these massive issues. By the way, there are alternatives to open sourcing. There's audits you can do, Trail of Bits or other kind of security audits that you can do on your code that at times bring the same result while not open sourcing. These are all, again, trade-offs. There are massive benefits to open sourcing. And in Ledger's case, I think they have no way around it. I think that is fundamentally their only path forward, along with auditing, etc. It is not a silver bullet solution to anything. It is at times also just a marketing thing. It's not a yes/no type solution.

Ouriel Ohayon:

And just to complete and maybe to conclude, while open sourcing reduces the spectrum of attacks of the system because you understand better what's going on, it does not reduce in any way the risks that are user-centric, the type of errors that a human can make by using a crypto wallet. Namely, backing up the seed phrases somewhere safe. Traditionally, they write it on a piece of paper. Most wallets provide this famous piece of paper, and people make a mistake. Usually they forgot to write about it, or they write it in the wrong place, they put it in a place that they thought was safe and then it's not. They give it away in a phishing scam. The world can be perfectly open source and perfectly kosher, and yet the user and the risk around him, because he is a simple human, will still be there. I think it is very, very important to say and repeat and make it extremely clear that something being open source is far from enough in terms of protecting the user, and protecting the user from his own mistakes and the risks that are related to the user itself.

Laura Shin:

All right, let's still talk a little bit about the future of where wallets are going. Ethereum is looking to implement account abstraction. How will that change the user experience?

Itai Turbahn:

I guess I can start on that front. I think we need to think about key management and account management. I think they're tied together, but they're not necessarily essentially the same thing. Until now in this conversation, we actually talked about key management, the offline, you have a key, do you break it? Where do you store it? How is it accessed? Etc. Then the second question is, now that you have this key, what can you do with it? Until today, to your point, most of it was EOAs, externally owned accounts. You can essentially just sign things, do very basic activities and so on.

Now to your point, we're moving to a point where instead of EOAs, you move to account abstraction, which means that you can have a lot more logic that your account has. First, an important part to remember, it's not a competitor to an MPC technology or a threshold signature from your secret share, etc., but rather a way to expand the capabilities of what a wallet can do. It's a super exciting technology. We just actually announced a collaboration on that front to spin up ad hoc account abstraction accounts on Dynamic as you log in. What it allows you to do, though, is it allows you to do more clever things on an account.

As an example, you can now easily sponsor someone else's gas. If you're running a game, and you want to make sure that someone buys something and only pays for that thing, and doesn't pay for gas, you can do that with account abstraction. You can also collect 50 batch signatures and essentially ... And I'm simplifying this ... But essentially to make sure that the game that you're playing does not ask you to sign a private key or sign a transaction every time. You can start doing things around social recovery, and how the ownership of your account moves between folks.

It allows you to expand. You can start abstracting payments. You can start abstracting it so instead of paying in ETH, you pay in USDC, and it happens to be in ETH in the background. It essentially enhances, it takes a very simple concept of an account and enhances the capabilities of it very, very quickly. And the beauty especially about account abstraction, how it's implemented on Ethereum with 4337, is that it does it without requiring an entire change to the kind of Ethereum protocol, without requiring massive upgrades or anything of that sort. Short answer is it's an extremely exciting thing. It operates at a different level than everything we talked about on key management, which it can work very closely hand in hand with.

Laura Shin:

And just generally, where do you see the direction of wallets going in the future? What are some new developments you're keeping your eye on, or what are your thoughts generally on where the industry is headed?

Ouriel Ohayon:

I would say the keyword is security. It's very obvious that the field is ... I mean, this is a podcast about, we talk essentially about that, but it's not just by chance. It's because it's still a massive problem in the industry. I think there's a reason why Ledger, which is a leader in the hardware space, has decided to go that way, is because there is still a very systemic problem with the way people think about the security. Or better said, don't think about the security. And the question is what kind of design system can you build so that they don't have to think about all these things? You abstract it away so that they can just use it and don't have to go through all these insane decisions about where to store a piece of paper, or where to distribute pieces of code here and there and how to protect themselves from scammers. I mean, if that was like that in Web2, there is no way we would use the internet as we do today. Something better has to happen.

I believe that the iterations that we will see in the world of wallets, whether this is through account abstraction, which I think is going to increase security, or MPC, which is sort of account abstraction on steroids because it enables you to do the same things as account abstraction, but on any blockchain, including Bitcoin, then will enhance the user experience and increase the security by having to make less decisions about how you think about your security. About how the authentication works, about how the recovery works, about how you connect to applications, about the transactions that you are about to send, about all sorts of crazy edge cases that today are unresolved.

To me, the direction that the industry has to go into is not so much into ... Because people talk about always improving the user experience, but I think it's a false debate. The real problem that the industry has not solved in the wallet space is the security user experience, meaning the number of things a user has to think of, has to do, has to decide, has to remember in order to be protected by default, not by toggling on an option that costs $9.99 per month and providing a KYC. Those things should be a default period, and it should be free. Otherwise, there is no future to crypto. It's impossible to think that this industry can go on like that.

To me, the most important thing is doubling down on security and improving all those elements that we have discussed by iterations of the cryptography, iterations of authentications, better connectivity like systems that Itai and Dynamic are building up to connect wallets and applications, and to allow users to make better decisions when they connect to apps.

To me, this is really, really the future. And I think we're already multiple steps into it. I think we start to see already very significant progress. Safe wallet, the [inaudible 01:03:24] is probably the best wallet in terms of account abstraction today. I mean, it sounds like account abstraction is a new thing, but it's not. They've been at it for many, many years, and they have a really, really nice executed wallet. And you point to me, please, how many times they were hacked? I don't think there was even once that it happened. So I think we're already in the future, but I think the problem is that the awareness is still not there. People still believe that the right way to protect themselves is by choosing open source systems and writing down 24 words on a piece of paper. This is the past. This cannot be the future. If people are comfortable with that, so be it. But there is still a billion people to bring to crypto, and that can be the future.

Itai Turbahn:

Maybe I'll just add to that. I think one thing we're very bullish about is that everything on your phone turns into a wallet. Essentially, if you open Robinhood in two years, that app will probably have an additional tab which is a wallet. And if you open Twitter in two years, that app will probably have a tab which is a wallet. The same goes with Coinbase today, and any other application. What you'll see, I think, in the next two, three, four years is that everything, all your existing applications turn into wallets. In addition, what you'll see as a part of that is essentially this hypothesis of the professionalism of key management, and things of that sort. You see companies like Coinbase bring out Coinbase wallet as a service, which essentially say ... or Portal as another example, essentially say, "Hey, this is actually going to become extremely complex to manage on your own. Wallets should not actually be in the key management business. Let us kind of outsource the MPC solutions for you."

You're going to see, and we're super excited about everything within what's called wallet as a service, or even at the more abstracted layer, just key management and MPC infrastructure, or alternatives on steroids that are going to essentially turn everything on your phone or everything on your browser into a wallet. Today you have, even at the browser level, you have Brave, you have Opera, which have turned into wallets on your browser. There's no reason why Chrome doesn't become a wallet within the next one, two, three years. It is clearly going to go in that direction, and that's essentially what we're extremely bullish about. It's essentially everything just toggles on into a wallet, which we play on the other side of where that means you will interact with every site and app via that wallet that's on your phone.

Laura Shin:

Great. Well, this has been a fascinating discussion. Thank you so much for sharing your thoughts. Where can people learn more about each of you and your work?

Ouriel Ohayon:

Just go to zengo.com, or @Zengo on Twitter.

Itai Turbahn:

And for Dynamic, just dynamic.xyz. If anyone's curious to play around with the product, there's a walkthrough video. And if you haven't gotten bored of me talking for the last hour on this podcast, you can listen to me talk for another 10 minutes with a walkthrough of Dynamic.

Laura Shin:

Perfect. Well, it's been a pleasure having you both on Unchained.

Itai Turbahn:

Thank you so much.

Ouriel Ohayon:

Thank you for having us.

Laura Shin:

Thanks so much for joining us today. To learn more about Ouriel and Itai and crypto wallets, check out the show notes for this episode. Unchained is produced by me, Laura Shin, with help from Kevin Fugues, Matt Pilchard, Zach Seward, Sam Shriram, Jenny Hogan, Jeff Benson, LeAndre Camino, Pamela Jimdar, and Market Korea. Thanks for listening.

Itai Turbahn

Itai is the co-founder and CEO of Dynamic. Before Dynamic, Itai spent 7 years in product management leadership positions, and was previously a consultant at the Boston Consulting Group. Itai holds an MBA from Harvard Business School and B.Sc degrees in EECS and Economics from MIT.
