Jade DIY hardware wallet

[Cricktor]

It would be nice to understand what caused the issue in the first place.

Maybe a cosmic ray particle or photons incident at the wrong place and time affecting the startup process when apogio turned on his device? Speculation...

As I said before, I still would be scared of using that particular hardware.

I assume apogio checked thoroughly the recovery of his wallet after reflashing the device. That should be fine then, except if you're scared that some bits or registers could be instable in his device. If this were the case, instability could occur more often or worse screws things up right when you don't need it, like when you sign a large transaction.

Should we have some function tests built into the firmware to be able to check manually that all major functions are performing properly?

[1714768475]

1714768475

[1714768475]

1714768475

[1714768475]

1714768475

[apogio]

Maybe a cosmic ray particle or photons incident at the wrong place and time affecting the startup process when apogio turned on his device? Speculation...

Wow, what's that? Sounds intriguing, my knowledge in physics sucks haha

As far a the backups are concerned. Yeah, obviously nothing bad happened. In fact, as I have said, my Jade is amnesiac. Every time I turn it off it erases its memory. So I always need to scan a QR code to load my wallet. Nothing is persisted once it's shut down.

[Cricktor]

Wow, what's that? Sounds intriguing, my knowledge in physics sucks haha

You might be interested to watch The Universe is Hostile to Computers. In the first minutes an election machines glitch is explained which likely happened due to radioactive decay or this cosmic ray stuff aftermath.

In fact, as I have said, my Jade is amnesiac. Every time I turn it off it erases its memory. So I always need to scan a QR code to load my wallet. Nothing is persisted once it's shut down.

I know, that's the purpuse and part of the security model of those signing devices. You still want to be sure that after you re-instantiate your wallet, everything from that point of usage of the device is working reliably.

I think, I wouldn't be as scared as fillippone is. After you can revive the device by re-flashing the firmware and it doesn't nag with further obvious instability or hangs, I'd dismiss the previous glitch as a one-time hiccup. Am I reckless?

[apogio]

I think, I wouldn't be as scared as fillippone is. After you can revive the device by re-flashing the firmware and it doesn't nag with further obvious instability or hangs, I'd dismiss the previous glitch as a one-time hiccup. Am I reckless?

You aren't. I don't care very much to be honest, but I understand fillippone's concern, because it's a natural behaviour to be concerned when things like this happen and especially when they happen to devices that are used to hold secrets of any type. Could be private keys, gpg keys, passwords, anything like that.

[Pmalek]

I know, that's the purpuse and part of the security model of those signing devices. You still want to be sure that after you re-instantiate your wallet, everything from that point of usage of the device is working reliably.

He can always fall back on his backup phrase in case the device starts acting up or becomes unusable for the purpose it was designed for (signing transactions). The worst thing I can think of from the top of my head is that it somehow starts generating addresses whose coins you can never spend (sign) because of a serious bug. Of course, I am just throwing ideas out there, and I don't think it's a realistic scenario.

[Cricktor]

The worst thing I can think of from the top of my head is that it somehow starts generating addresses whose coins you can never spend (sign) because of a serious bug.

Something of that category came to my mind, too. I don't say lightly, I'm not scared or not concerned. I would mostly assume, if a device starts to act wonky, it would produce enough garbage that errors creep in quickly that the network would simply reject a funky transaction, hopefully! But your described nightmare may still be possible if things go when Murphy takes over as he always does.

Some bad feeling likely remains with a device that showed signs of unreliability. A one-time bad day I would brush off, kind of.

[apogio]

The worst thing I can think of from the top of my head is that it somehow starts generating addresses whose coins you can never spend (sign) because of a serious bug. Of course, I am just throwing ideas out there, and I don't think it's a realistic scenario.

It is a realistic scenario, but not a likely to happen scenario. I mean, bugs can be found in the code, but the address generation process is a core process, which, I hope, has been tested by both software unit tests and human tests. I can't believe that there will be a flaw in such an important aspect of the software.

What can happen though, is that someone can use a fake website to update their firmware and that the installed software can be malicious. This is a huge problem if it happens... I hope that the device won't work with the fake website, but since I am a developer and not a security person, I don't know how easy this scenario is.

[fillippone]

I still don’t get it.

What is the risk of a fatal hardware malfunction once you have witnessed something like that one apogio experienced? 0.1%?
1 BTC is 70,000 USD.
1 Jade costs roughly 100 USD.

So 100 USD /0.001/70,000 USDBTC≈1.42 BTC

Ok, then it is not worth handling UTXO bigger than 1.42 BTC with such an hardware.
Provided you already have a functioning backup of the seed phrase (Master key).

This is how I would approach the question.
Also, I am irrationally risk-averse when it comes to losing Bitcoin (I said irrationally!) so I would further lower that threshold.

[apogio]

This is how I would approach the question.
Also, I am irrationally risk-averse when it comes to losing Bitcoin (I said irrationally!) so I would further lower that threshold.

Some bad feeling likely remains with a device that showed signs of unreliability. A one-time bad day I would brush off, kind of.

You are both correct. And since I have been asked the question a lot, about why I keep trusting the device and why I still use it, I want to make something clear.

1. I can read and understand C, so I feel confident reading the code. Which is important for me.
2. My usage is pretty limited. Once a month, I scan a private key QR code, I sign a transaction (usually a pretty small one), I erase the memory of the device (using temporary signer option).
3. Blockstream doesn't know my address, nor my name, since I received the product elsewhere, where I don't have the ability to access now, so if I request a change, or buy a new one, I will need to use my real name and address.
4. I own other devices that I use for more frequent transactions.
5. I always know that my backups are safe.
6. I always use QR codes, which is safer than USB cables. Still, QR codes are not a panacea, but, you know, I feel more confident.
7. The Jade is a reputable device.

Warning:
Finally, always be very cautious when it comes to using browser-based products (software & updates). Always verify what you download. Always think twice before downloading something.

[BlackHatCoiner]

It is a realistic scenario, but not a likely to happen scenario. I mean, bugs can be found in the code, but the address generation process is a core process, which, I hope, has been tested by both software unit tests and human tests. I can't believe that there will be a flaw in such an important aspect of the software.

I checked Jade's github repository a little bit. It doesn't use libsecp256k1 as the library for performing elliptic curve operations, at least as far as I can see. It isn't a very good sign, considering that it's the most tested library for that sensitive purpose, and used by the most reputable pieces of software like Bitcoin Core.

To me the portion of the project that is cryptography-related is the most crucial. I wouldn't care if the UI had a bug. However, if there's a bug in cryptography like a non-random R-value in a signature, that can be catastrophic. But, again, I'm not totally sure they use another reputable library for EC operations.

[Pmalek]

the address generation process is a core process, which, I hope, has been tested by both software unit tests and human tests. I can't believe that there will be a flaw in such an important aspect of the software.

I didn't mean there would be flaws in it b default. I am sure we would have heard about it by now. The Jade doesn't have the userbase of Trezor or Ledger, but whatever it's got, we would have heard about something like that.

The bugs I was speculating about could perhaps be the result of certain software/hardware issues and not a scenario you would see if everything was working top-notch.

I checked Jade's github repository a little bit. It doesn't use libsecp256k1 as the library for performing elliptic curve operations, at least as far as I can see. It isn't a very good sign, considering that it's the most tested library for that sensitive purpose, and used by the most reputable pieces of software like Bitcoin Core.

To me the portion of the project that is cryptography-related is the most crucial. I wouldn't care if the UI had a bug. However, if there's a bug in cryptography like a non-random R-value in a signature, that can be catastrophic. But, again, I'm not totally sure they use another reputable library for EC operations.

This is a question and topic that should be directed to their customer service team, instructing them to push it further to their development team to clarify. I will do it during the weekend if I don't forget. Feel free to add something more if you want to.

[BlackHatCoiner]

Feel free to add something more if you want to.

As it turns out, I was not totally right.

It doesn't directly use libsecp256k1, indeed, but it does use secp256k1-zkp, which is a fork of the former. As you can see in here, it says that their EC library calls secp256k1_surjectionproof_verify() and secp256k1_rangeproof_verify(), which are defined only over secp256k1-zkp. You can verify by searching in libsecp256k1 (empty) and in secp256k1-zkp (non-empty).

I should think about it twice before questioning Blockstream for their lack of research. 

[apogio]

I should think about it twice before questioning Blockstream for their lack of research. 

Especially since the founder has invented the core mining mechanism of bitcoin 

Seriously though, nice catch and nice study. You have provided us with some knowledge.