Which wallet has been audited?

jlp

New Member
Dec 12, 2017
I had BTC in my Electrum wallet. Now, I have BCH after the fork.

However, there are news about scam wallets that are stealing coins, such as the mybtgwallet (Bitcoin Gold) and Coinpouch wallets: https://news.bitcoin.com/bitcoin-gold-wallet-stole-private-keys-scooped-3-3-million/

They blamed Bitcoingold.org for publishing a link to the scam wallet and for not having audited the wallet beforehand.

Has anyone reviewed or audited the source code of any BCH wallets?

Has Bitcoincash.org reviewed or audited the source code of any of the wallets on its site? If so, how can we be confident that they have?
 

freetrader

Moderator
Staff member
Dec 16, 2015
Do you know of any open source Bitcoin wallets that have been audited?
 

AdrianX

Well-Known Member
Aug 28, 2015
bitco.in
@jlp I did not need to audit the software, I just used it. Moving from the base that I trusted electrum on the wisdom of the crowd, knowing it had no reported hacks over many years, I started there and imported my private keys.

I sent the BTC to new addresses I was confident were secure; once that had confirmed I opened those keys in electron wallet and moved the BCH to keys I was confident were secure. Once in electrum I used coinomi to sweep the GLD on the BTC keys. There was no need to install any new software; I had to trust coinomi, which I had been using safely for some time, and electrum.
 

jlp

New Member
Dec 12, 2017
AdrianX:

I'm a little confused by your explanation.

Am I correct to assume that you did the following?
  1. Sent BTC from Electrum wallet to another Electrum wallet
  2. Installed Electron Cash
  3. Exported private keys from Electrum wallet and imported to Electron wallet, in order to see your Bitcoin Cash
  4. Imported the same private keys to Coinomi, in order to see your Bitcoin Gold
How do you know that your Electron Cash and Coinomi executables were compiled from the source code shown on Github?
 

freetrader

Moderator
Staff member
Dec 16, 2015
Electron Cash 3.0 has introduced reproducible builds.
Not sure about Coinomi. I'm aware some mobile wallets in the past have had their code looked at (mainly by researchers I think), but I'm not aware of published audits, though it would be interesting to see one.
Smaller companies / startups will likely not have the funds to do an audit, and would have to fundraise.

Good example of audit (not blockchain-related): https://ostif.org/the-veracrypt-audit-results/
 

freetrader

Moderator
Staff member
Dec 16, 2015
@jlp : Reproducible builds should answer this question
How do you know that your Electron Cash and Coinomi executables were compiled from the source code shown on Github?
i.e. two people who compile the same source in the same way should get exactly the same result.

This requires a carefully controlled deterministic build.
 

AdrianX

Well-Known Member
Aug 28, 2015
bitco.in
@jlp I had not used Electrum until recently.

Up until the fork I mainly used Armory paper wallets and mycelium.

Step 1: I moved the BTC from existing wallets.

Step 2: Using Electrum, I imported my private keys from mycelium, Armory and my Paper Wallets.

Step 3: Once the BTC had moved I used Electron; I opened the electrum wallets from Step 2, no problem. I sent the BCH to a new trusted offline wallet. I had no idea if electron or electrum were secure; I have multiple addresses, so if one transaction was compromised I'd just stop and report it to the "herd".

Once that was completed I used Electron or Electrum (they are literally identical) to display the private keys. I then used Coinomi to sweep the BTG from those addresses. I had been using coinomi for a while. It is not open source, so I just have to trust them.

I then converted the BTG to BCH using the coinomi in-app function; here again, not putting all my eggs in one basket, I did it one at a time, and bigger amounts I sent to an exchange. (Paper wallets I just swept one at a time, going from BTC to BCH to BTG.)

Turns out there were no leaked keys. I have since been using the bitcoin.com wallet, and sweeping the BTC and BCH with that.

I imported some keys into BU Cash, but I grew impatient with the time it took to rescan the blockchain.

Electron Cash gave me all the functionality I needed when sending - more so than the full node. I've been very happy with electron and now use it to monitor watch only addresses.
 

jlp

New Member
Dec 12, 2017
@freetrader It seems that Electron Cash only has two signers, with anonymous usernames. This means that there is a chance that the two people could be the same person or colluding. Bitcoin Unlimited has several signers. Am I correct to assume that BU is likely to be safer than EC?

Do you know how to create a BU wallet on an off-line computer and have a wallet on an on-line computer to watch the addresses, similar to how Electrum worked?

@AdrianX In regards to:

Step 3: According to https://medium.com/@itsjameswhite/how-to-claim-bitcoin-cash-from-electrum-to-an-spv-wallet-111c65c5a131 and https://electrum.org/bcc2.txt , you're supposed to export the private keys from Electrum wallet and import them into Electron Cash wallet. Did you bypass these two steps, and simply "opened the electrum wallets"?

What are leaked keys?

What do you mean by: "I have since been using bitcoin.com wallet, and sweeping the BTC and BCH with that."? How and why do you sweep keys on the bitcoin.com wallet?

Bitcoin.com's wallet is not open source and not signed. Am I correct to assume that you simply have to trust that it is safe?

I chose Electrum because of its off-line wallet and watch-only wallet. It was open source, it's been around for a while and the source code was probably reviewed by many people over the years. However, Electron Cash seems risky because I don't know if the code has been reviewed by many people. Also, the developer is adamant on being anonymous. I really wish Electrum added support for BCH. You don't see Electron Cash as risky?

Thanks to both of you for your help.
 

AdrianX

Well-Known Member
Aug 28, 2015
bitco.in
@jlp if you haven't figured it out by now, you are pretty patient.

I used the portable version, and once I had imported the wallet into electrum it made a wallet folder \electrum\electrum_data\wallets\wallet-name

Electron could open that wallet file, so no need to export a seed and do it over again. The same wallet file is read by both versions. No need to export or import keys again. I now have a system for managing off-line keys, and I use electrum and electron for importing the private key on my online computer.

Also, you can create a seed on an off-line computer in electrum and export a watch-only key, and in electron import the watch-only key, so it is a totally trustless way of using electron.

Bitcoin.com's wallet is open source; it's a fork of the copay wallet by bitpay. Roger Ver is an investor in Bitpay, so it's rather fitting he used that version.
You don't see Electron Cash as risky?

I'm not capable of reviewing the code, so I have to trust in someone. I am skeptical of all wallets and HD wallets, and key generators; they are all risky. I have a secure system; it's not perfect, but I only ever at most expose one key at any time. Should I ever get hacked, I'll know where the trust was broken.

My gut feeling is electron is as trustworthy as electrum, but I'm not exposed if either is untrustworthy. I hope that answers your question.
 

jlp

New Member
Dec 12, 2017
@AdrianX I downloaded and tried to launch Bitcoin.com's wallet on my Mac. I got the following warning:

""Bitcoin.com" can't be opened because it is from an unidentified developer.

Your security preferences allow installation of only apps from the Mac App Store and identified developers."​

Should I be worried? Did you get this warning?

Where is the wallet file? (If I use this, I will want to make a backup copy of it.)

@jlp : Reproducible builds should answer this question

i.e. two people who compile the same source in the same way should get exactly the same result.

This requires a carefully controlled deterministic build.
@freetrader How does one confirm that two people compiled the same code for Electron Cash and got the same result?
 

freetrader

Moderator
Staff member
Dec 16, 2015
@freetrader How does one confirm that two people compiled the same code for Electron Cash and got the same result?
By finding their signatures for some known release, and building the code of the same release yourself: you should get the same checksums for the software.
 

gmctec

New Member
Jan 16, 2018
Actually (depending on the application / code), it is quite unlikely that compiling the same source code on different computers will lead to the same hash value. The problem is the long, complex layers and chains of code libraries and other dependencies that are called when compiling code. It is highly unlikely two machines have the exact same libraries everywhere as needed. As such, the hash values will not match what is published (unless the authors were deliberately careful about what dependencies were being called).
 
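As an added example (not code from this thread, from Electron Cash or from Bitcoin Unlimited), here is the comparison freetrader describes, with the disagreement case gmctec raises: the SHA-256 of your own build is checked against sha256sum-style files published by independent builders, and a verdict is only "reproducible" when enough builders agree and none disagrees. It assumes the builders' detached signatures on those files were already verified with gpg, and every artifact and checksum file here is constructed for the example.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_sums(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex digest>  <filename>') into {filename: digest}."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        digest = digest.lower()
        if not sep or len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed checksum line: {raw!r}")
        sums[name.lstrip("*")] = digest      # sha256sum marks binary mode with a leading '*'
    return sums

def check_reproducible(local_files: dict, published: dict, min_builders: int = 2) -> dict:
    """local_files: {filename: bytes} from your own build; published: {builder_id: sums_text},
    each already signature-verified. Returns {filename: (verdict, agreeing, disagreeing)}."""
    parsed = {b: parse_sums(t) for b, t in published.items()}
    report = {}
    for name, data in local_files.items():
        mine = sha256_hex(data)
        agree = sorted(b for b, s in parsed.items() if s.get(name) == mine)
        disagree = sorted(b for b, s in parsed.items() if name in s and s[name] != mine)
        if disagree:
            verdict = "MISMATCH"          # some build differs: toolchain or dependency drift
        elif len(agree) >= min_builders:
            verdict = "reproducible"      # independent builders and you all produced the same bytes
        else:
            verdict = "insufficient attestations"
        report[name] = (verdict, agree, disagree)
    return report

# Constructed data: a stand-in release archive and three builders' published sums.
# Builders A and B got byte-identical output; builder C's differs (the case gmctec describes).
ARTIFACT = b"constructed stand-in for a release archive, not a real wallet binary\n"
LOCAL_BUILD = {"release.tar.gz": ARTIFACT}
GOOD_SUMS = {
    "builder-a": f"{sha256_hex(ARTIFACT)}  release.tar.gz\n",
    "builder-b": f"# signed by builder-b\n{sha256_hex(ARTIFACT)}  *release.tar.gz\n",
}
ALL_SUMS = dict(GOOD_SUMS, **{"builder-c": f"{sha256_hex(ARTIFACT + b'!')}  release.tar.gz\n"})
if __name__ == "__main__":
    for name, (verdict, agree, disagree) in check_reproducible(LOCAL_BUILD, ALL_SUMS).items():
        print(f"{name}: {verdict} (agree={agree}, disagree={disagree})")
```

A single disagreeing builder is reported as a mismatch rather than outvoted, because a non-deterministic build needs to be explained before the release is trusted.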

Toros

Banned
Dec 17, 2017
Right now there are a lot of cryptowallets that can turn out to be simply a scam. There are plenty of swindlers; besides, if we're talking about bitcoin, it's the most desired one.
 

Eianz

New Member
May 11, 2018
Scams are part of this industry, and great risks follow. The best is to avoid new offerings and rely on well-established ones with better trust factors. I personally use Exodus wallet and have no complaints so far. I cannot speak to their audits, but Exodus has a good repo you can check.