Why do people avoid using closed source wallets?

[mikeauerbach]

I've noticed that experienced crypto enthusiasts recommend not to use closed source wallets like Coinomi and Ownr. Open source ones are supposed to be more trustworthy. Why? Only a small number of hodlers can read the code in fact.

[1715451688]

1715451688

[1715451688]

1715451688

[1715451688]

1715451688

[1715451688]

1715451688

[bob123]

I've noticed that experienced crypto enthusiasts recommend not to use closed source wallets like Coinomi and Ownr. Open source ones are supposed to be more trustworthy. Why? Only a small number of hodlers can read the code in fact.

Because with closed source software (this doesn't only apply to wallets, but also your operating system for example), you can't be sure of what the software is doing.
It might be malicious, might have serious bugs/vulnerabilities or might use outdated libraries which are known to be exploitable.

With open source software on the other hand, you can check which libraries are used as well as check every new update being performed.

While you are right that the majority isn't able to read the code (and even if, they probably wouldn't), a few technically versed people did look at it. Some bugs or malicious backdoors are found way faster in open source software than in closed source.
If there was a malicious backdoor in electrum/wasabi/core, you can be sure that you would have already heard about it. This does not apply to closed source wallets.

[o_e_l_e_o]

Open source ones are supposed to be more trustworthy.

It's not that they are more trustworthy - in fact, the exact opposite. Open source wallets do not require trust, since you can personally review the code and then compile it yourself. You can verify that the wallet software is going what you think it is, with no hidden surprises. Closed source wallets, on the other hand, cannot be be verified, and therefore you must place complete trust in the developers.

To expand on what bob123 has said, and since you mentioned Coinomi specifically: Coinomi was found to have a critical bug where whenever a user entered their seed phrase to restore a wallet, it was sending the words they entered unencrypted to a Google spell checking service. A user alleges that this bug resulted in him losing $65,000 worth of cryptocurrency. Now, I'm not saying that something like this couldn't happen with an open source wallet, but with many sets of independent eyes looking at the code, then even if you don't look at the code yourself it is still far better than only two or three developers reviewing the code.

[fer_coinomi]

To elaborate on the above, we now have solid evidence that AW money being referred to was stolen by a group of hackers who were active before we even published the first version of the desktop software with the problematic code. The detailed report can be found here: https://medium.com/@cipherblade/how-not-to-react-when-your-cryptocurrency-is-stolen-92f7c72616af. Further to that and unlike what was written on media, nothing was transmitted in plain text and no user ever lost money by this bug or by using Coinomi since its inception back in 2014. We strongly advise you to double-check the facts behind a story before reproducing it because all we've ever done all these years was to support the crypto community and help spread the message around the globe and now we need your support, however this forum seems to keep a really harsh stance against us for reasons that are beyond our understanding. And to contribute to OP's question, there are several open-source wallets that were hacked or had serious bugs that resulted in permanent loss of funds, something that never happened with Coinomi.

[mk4]

Why? Only a small number of hodlers can read the code in fact.

While this is very true, it's only going to take probably one person(or a few people) that can read code to publicize it if ever a certain wallet software has some malicious code in it. Only one Twitter/Reddit/Bitcointalk post would probably be enough to expose the nefarious wallet's developers.

[Pmalek]

Snip

The problem with closed-source software is that independent coders don't have access to your code and can't verify your claims. One side claims that the seed was sent in plain text, you claim it was broadcasted in a HTTPS request. The community can't check and verify for themselves so they have to take your word for it or the word of Cipherblade, or not.

I hardly believe though that someone at Google was searching the records, discovered something that looked like a seed, restored the wallet, and emptied his funds. It is possible in theory, but I don't believe that is what happened.

In the report, it is said that the first transactions into the addresses associated with those where hacked funds were sent received deposits in October 2018, but the Coinomi desktop app that had the vulnerability wasn't released until December 2018. Again, the community has to take your word for it because they can't verify your code and check older versions of the Coinomi desktop client or the mobile apps.

That is still not proof that what he says is true, but there is also no proof when and how many of your apps had the vulnerability.   

[Coinomi]

Snip

The problem with closed-source software is that independent coders don't have access to your code and can't verify your claims. One side claims that the seed was sent in plain text, you claim it was broadcasted in a HTTPS request. The community can't check and verify for themselves so they have to take your word for it or the word of Cipherblade, or not.

I hardly believe though that someone at Google was searching the records, discovered something that looked like a seed, restored the wallet, and emptied his funds. It is possible in theory, but I don't believe that is what happened.

In the report, it is said that the first transactions into the addresses associated with those where hacked funds were sent received deposits in October 2018, but the Coinomi desktop app that had the vulnerability wasn't released until December 2018. Again, the community has to take your word for it because they can't verify your code and check older versions of the Coinomi desktop client or the mobile apps.

That is still not proof that what he says is true, but there is also no proof when and how many of your apps had the vulnerability.   

Thank you for your comments. We don't believe that any side claims that the seed was sent in plain text, the "victim" (aka blackmailer) has always claimed that his seed was sent encrypted to Google and then a Google employee used it to steal his funds. We have millions of users but only his funds was stolen - and stolen by Google. We expect people on this forum to be smarter than that. And yes, you can verify that everything was broadcasted over HTTPS, just ask the "researchers" who made a case out of it in the first place to send you a copy of the wallet executable, install it on a sandbox and run a packet sniffer to see for yourself.

As for the date of release of the first Desktop clients you can also verify it from our announcement on Twitter: https://twitter.com/CoinomiWallet/status/1079825494420451328, you see it's 31 December 2018.

As for your question on how many of our apps had the vulnerability we were totally transparent about it from the very beginning, it was just this version of the desktop client. We have millions of active users, don't you believe that if the "victim"'s claims were true that more people would have lost money with it? Nobody lost any funds with Coinomi though and you can also verify this by a quick search online.

For what is worth, we are working on a solution to address these concerns, although we can't say much at the moment.

Hopefully this answers your questions. Thank you for your support.

[bob123]

[...] We don't believe that any side claims that the seed was sent in plain text, the "victim" (aka blackmailer) has always claimed that his seed was sent encrypted to Google and then a Google employee used it to steal his funds. We have millions of users but only his funds was stolen - and stolen by Google. We expect people on this forum to be smarter than that. And yes, you can verify that everything was broadcasted over HTTPS, just ask the "researchers" who made a case out of it in the first place to send you a copy of the wallet executable, install it on a sandbox and run a packet sniffer to see for yourself.

Wait.. are you actually really trying to justify yourself by saying your wallet did at least encrypt the seed before sending it over to google??
Like.. are you serious?

A closed source wallet sending the seed via google API to check the spelling.. and then you come here and say "..well at least it was encrypted via https"... are you kidding?!
I rarely encounter such incompetence, ignorance and arrogance in one person. Congratulations.

Such statements are a really good reason to absolutely discourage the use of your wallet.

[Karartma1]

[...] We don't believe that any side claims that the seed was sent in plain text, the "victim" (aka blackmailer) has always claimed that his seed was sent encrypted to Google and then a Google employee used it to steal his funds. We have millions of users but only his funds was stolen - and stolen by Google. We expect people on this forum to be smarter than that. And yes, you can verify that everything was broadcasted over HTTPS, just ask the "researchers" who made a case out of it in the first place to send you a copy of the wallet executable, install it on a sandbox and run a packet sniffer to see for yourself.

Wait.. are you actually really trying to justify yourself by saying your wallet did at least encrypt the seed before sending it over to google??
Like.. are you serious?

A closed source wallet sending the seed via google API to check the spelling.. and then you come here and say "..well at least it was encrypted via https"... are you kidding?!
I rarely encounter such incompetence, ignorance and arrogance in one person. Congratulations.

Such statements are a really good reason to absolutely discourage the use of your wallet.

Basically Coinomi confirmed why we should avoid using it.
That's the first rule of crypto: learn how to securely store your keys, therefore your coins. With closed source wallets I don't feel secure while having to rely on open source alternatives, independently verifiable by anybody, make me more confident when storing my assets.
Sometimes letting go security over convenience can be a terrible mistake.

[Coinomi]

This is the part that you get wrong. We're not trying to justify anything or convince anyone about anything. We just set the record straight because you were reproducing inaccuracies. And you should definitely not use Coinomi if you don't feel confident about it, and the same goes for all wallet services out there, open-source or not.

[bitmover]

I made a brief research, and open source wallets are not the most used

https://www.researchgate.net/figure/Top-10-most-downloaded-Bitcoin-wallet-apps_tbl5_329220825

Sadly, none of them are open source. I don't even see electrum or samourai lsited there...

It would be nice to educate people how important it is to use open-source software. especially for bitcoin.

[suzanne5223]

This is the part that you get wrong. We're not trying to justify anything or convince anyone about anything. We just set the record straight because you were reproducing inaccuracies. And you should definitely not use Coinomi if you don't feel confident about it, and the same goes for all wallet services out there, open-source or not.

You make a good point because before someone will decide to use a wallet he needs to be reassure his coins are safe with the wallet he want to use and this is the reason why open source wallet are hot cake within the crypto community because the community will have the chance to review the wallet code and check is theres any malicious module, drawbacks, hidden code etc.

[mikel_012]

remember that if you want to use an wallet open source because you think its safer at least compile the software or its the same as using an closed wallet and you need to trust the developers

[pooya87]

We just set the record straight because you were reproducing inaccuracies.

the record is as straight as it ever was. Coinomi wallet was caught sending the seed (something that should be created locally, stored locally and kept from the outside word) to the outside world (a third party server).

and the same goes for all wallet services out there, open-source or not.

wrong. the same doesn't go for open source wallets because we can easily look at the source code and know what the hell it is doing and then make the decision whether we want to use it or not. with closed source wallet we don't know anything.

[o_e_l_e_o]

however this forum seems to keep a really harsh stance against us for reasons that are beyond our understanding.

Because you are not open source. In a previous thread you said you went closed source to prevent scams, even though there is no evidence to suggest that going closed source helps to prevent scams. Please don't take it as a personal attack - I am equally disdaining of all closed source software and projects, from web browsers to wallets.

We have millions of users but only his funds was stolen - and stolen by Google. We expect people on this forum to be smarter than that.

Because Google are so completely trustworthy? They've never done anything shady ever? I can't think of a single entity (not even Facebook) I trust less than Google. And again, we can't verify any of the claims that Google stored the information securely, kept it encrypted, did not spread it around various servers, couldn't be access by employees, etc., because they are not open source.

[goatpig]

Why trust when you can verify?

Half of these aren't even wallets, they're custodians. The client side is just a dumb interface talking over a web API. Bitcoin Wallet and Mycelium are actual mobile wallets, both open source.

[DaveF]

I have made other posts about it before but it is worth mentioning.
I am a firm believer that closed source wallets are bad.
However, the *majority* of my crypto holdings are offline, encrypted, multisig storage.
But some of them are in....wait for it....a closed source, multicoin wallet.
And although this is the BITCOIN wallet software part of the forum it's important to note that people are using all forms of crypto and we can't forget that.

Which is better? Having SOME funds in a wallet that might or might not be vulnerable or having to track say 10 wallets are known to be good.
That's 10 places you can screw up, 10 wallets that can have issues, 10 wallets that may have had a developer go evil.

Opening up the hot multicoin wallet on my phone I have BTC, LTC, ETH, DOGE, XMR, DASH, and a few others. The total value of the coins is not going to matter to me if they all go away tomorrow. The amount of time I would have to spend keeping an eye on the wallets and updates and everything else would cost me more in time then the value of the coins.

So telling people NOT to use closed source wallets without knowing what they are going to do with them is not always good advice. One size does not fit all and we have to remember that when dealing with people.

I posted this last year: https://bitcointalk.org/index.php?topic=5205304 and it's still important to remember it.

-Dave

[o_e_l_e_o]

But some of them are in....wait for it....a closed source, multicoin wallet.

The only altcoin I have any interest in is Monero, so I don't have much experience in the field of multicoin wallets, but why are experienced users like yourself settling for closed source multicoin wallets? Are there no open source options? Why not? There is no fundamental reason that multicoin wallets cannot be open source. Coinomi itself used to be open source, and the reasons they have given in previous threads for closing their source code are unsatisfactory at best. Why aren't altcoin users pushing for a good open source wallet rather than settling for second best?

[DaveF]

But some of them are in....wait for it....a closed source, multicoin wallet.

The only altcoin I have any interest in is Monero, so I don't have much experience in the field of multicoin wallets, but why are experienced users like yourself settling for closed source multicoin wallets? Are there no open source options? Why not? There is no fundamental reason that multicoin wallets cannot be open source. Coinomi itself used to be open source, and the reasons they have given in previous threads for closing their source code are unsatisfactory at best. Why aren't altcoin users pushing for a good open source wallet rather than settling for second best?

There are a few BUT unfortunately none that have the 100+ coins that coinomi has. Or the ETH (and other) token support.
On some of them it's close but the performance sucks. On others they think multicoin support is only the "major" coins
At home, I can run a bunch of VMs that each have their own coin wallet, or at most a few low value coins on one VM.
But in a hot wallet, on a phone, in terms of going "Oh, today I want to get this oddball coin" there is almost no choice.

Now, we can go around and around as to if you should be getting those coins, or if you should be storing them in the same wallet as your BTC.
But, to say you should not keep $250 of BTC and other random coins in one is a bit of a stretch.

I have posted the same thing a few times, and will probably keep posting it.
You should not keep your life savings in a closed source hot wallet on your phone
On that same note, you should not keep any significant amount of ANY crypto in a hot wallet on your phone.

If I loose my phone the phone itself is (well was) worth more then if my wallet gets hacked and I loose everything. Everyone has a different level of risk. Bill Gates can keep 275BTC on his closed source wallet on his old windows phone because if he looses it all it does not really change his day. I am going to go out and guess here but most people on the forum can't say that. For me $250 is a nice number. It allows me to move $100 here and there when I with friends, buy some gift cards with bitrefill if I want to get some Chipolte for lunch, etc. You might have a higher amount, or a lower amount. But there does come a point when if you are using several coins then it's worth the risk.

Or to put it another way, if I can go get a part time job for a week and cover the entire amount I would loose if it gets hacked it's worth it TO ME. Because if over a year I spend more time downloading, checking, verifying a dozen wallets then that 1 week part time job it kind of becomes a zero sum time thing. And then if you move to a new phone and have to re-import all those different seeds then it's even worse.....

Just my view, YMMV.

Happy Halloween.

-Dave

[1GUARDIAN]

If we explain everything using the example of the psychology of human relations, then the presence of open source code for an application is about the same as the sincerity and openness of the person with whom you communicate.

If during communication you see that your opponent is sincerely disposed towards you, is open and does not try to hide something from you - your degree of trust in his direction increases, since you perfectly understand that nothing unpredictable should be expected from such a person.

 "Closed" people who seek to hide something during a conversation, or those towards whom you feel obvious insincerity, - in this case you will always feel stressed because you will not know what to expect from such a friend.

This is a pretty simple but straightforward way to explain why people are more likely to trust open source applications.

Openness is synonymous with the sincerity of developers towards their customers. And now it's an unofficial "rule of good manners" for all developers - open source is the ability to attract the same open-minded people.

Thus, a healthy ecosystem is formed around the one who professes such principles.