Frostsnap wallet.

[satscraper]

Today I have met with a striking concept of hardware wallet based on  Flexible Round-Optimized Schnorr Threshold  ( FROST) signature technique.

Device is in fact the set of hardware keys (they called them Frostsnap devices) attached to each other in a daisy-chain connected to mobile, the aim being to generate  multisig  wallet and/or sign the relevant transactions.   The number of keys (required) depends on multisig quorum.

They highlighted the following pros:

• "Security that is clearly defined: access though a threshold number of devices."
• Indistinguishable (from singlesig)  transactions, (due to taproot technique involved)
• Ability to add/remove cosigner/s "after key generation while keeping the key the same." (traditional multisig doesn't allow this)
• "A FROST wallet will pay the same fees as single signature wallets. No matter the number of devices or the threshold of your key, the transaction fees will be the same."
• and some others

Demo can be found on their front page.

BTW, Code is open source.
 

[DaveF]

Looks interesting. There have been very few updates to the site in the year or so since it 1st came out.
Also, no mention of price. But I do like the concept. Lets see how it gets implemented.

Other minor nitpick is even at an early stage no github (or similar) link. So we can't watch the code as it's developed.

-Dave

[satscraper]

Looks interesting. There have been very few updates to the site in the year or so since it 1st came out.
Also, no mention of price. But I do like the concept. Lets see how it gets implemented.

Other minor nitpick is even at an early stage no github (or similar) link. So we can't watch the code as it's developed.

-Dave

Yeah, the concept is intriguing. I like hardware based security keys and widely use them in my routine.

Regarding github.  The link is present in my opening post (I assume you didn't follow it) and we can watch the development. It was highlighted that the code is open source:

BTW, Code is open source.
 

Right now  I have applied the bold font to the sentence so that no one would miss this point and proceed with  the link.
  

[DaveF]

Looks interesting. There have been very few updates to the site in the year or so since it 1st came out.
Also, no mention of price. But I do like the concept. Lets see how it gets implemented.

Other minor nitpick is even at an early stage no github (or similar) link. So we can't watch the code as it's developed.

-Dave

Yeah, the concept is intriguing. I like hardware based security keys and widely use them in my routine.

Regarding github.  The link is present in my opening post (I assume you didn't follow it) and we can watch the development. It was highlighted that the code is open source:

BTW, Code is open source.
 

Right now  I have applied the bold font to the sentence so that no one would miss this point and proceed with  the link.
  

On topic part: Spent some time poking around the github (now that I can see it) looks clean. I am not a programmer so I can't comment on everything. But the parts I do understand look good.
Thinking about it a bit, I am wondering if this is an answer in search of a question. I like it, and I can see it's use case. I just wonder how many other people will.



Off topic part:
Interestingly enough I didn't see the link on my tablet.

I know I have mentioned before but I routinely remote into a PC in either my home or office to browse and do things. It's a semi security thing, since they are static or semi-static known IPs I can more easily check logins. However, the software I use is not perfect and with the last round of Intel video driver updates is causing a lot of video glitches. What is now seen as the githib link, yesterday looked like a video artifact from the image.

-Dave

[SFR10]

When Maxi ^{[aka @maxirosson]} mentioned it a few months back on his thread, the PCB was visible, and it was using an old-looking smaller screen ^{[something along the lines of Trezor One screen]}, so it's nice to see they've improved those things on their latest prototype.
^{- Having said that, I still have mixed feelings about its overall design, which looks like a smartwatch without the straps and lastly, it appears to be incompatible with other apps.}

[satscraper]

~
 I still have mixed feelings about its overall design, which looks like a smartwatch without the straps and lastly, it appears to be incompatible with other apps.[/sup]

What design would you expect from Frostsnap device which is hardware based security key in its essence?

Regarding connectivity to other apps. All the  FROST juice will  come from the mobile app they are developing right now thus there is no wonder that other apps which know nothing about FROST technique will not be able to work with Frostsnap devices.

I may assume that should ^{(in the future)} any of the 3^rd party app implements FROST protocol there will be no problem to pair Frostsnap devices with that app.
  

[dkbit98]

I saw about Frostsnap wallet a while ago when it was posted on thebitcoinhole.com website, but I can't say more about it until I see some tests and actual pricing.
This is not something I would not choose to use myself with connecting multiple devices to a smartphone, but I guess it could work for some people.

[satscraper]

I saw about Frostsnap wallet a while ago when it was posted on thebitcoinhole.com website, but I can't say more about it until I see some tests and actual pricing.
This is not something I would not choose to use myself with connecting multiple devices to a smartphone, but I guess it could work for some people.

I would say for many people rather than some. They even develop app ^{(which will coordinate separate Frostsnap devices over their multisig activities)}  for Tails OS to make transactions as private ^{(and secure)} as possible. Regarding the price. I don't think it will be in the class of   jaw-dropping for a few devices needed to create let's say 2 of 3 multisig wallet. Besides Frostsnap device is based on ESP-32 microprocessor and its firmware is FOSS, thus you can assemble  DIY board and flash it.


 I will definitely buy at least 3 devices to separate  (geographically) backup. Thinking also about use such devices in my    inheritance scheme.

[NotATether]

Has anyone wondered if the USB port will be able to take the strain from the weight of all these devices under it, or is this some sort of magnetic connection?

Because unless the devices are extremely light, I can see this becoming an issue when you're using 3+ devices in this setup as the FROST algorithm is intended to be used.

I wonder if they have taken that into account in the design.

[ABCbits]

The concept is definitely interesting, especially part where you add/remove signer without generating new address. If they do their marketing right, their HW will stands out on crows of HWs.

Has anyone wondered if the USB port will be able to take the strain from the weight of all these devices under it, or is this some sort of magnetic connection?

Because unless the devices are extremely light, I can see this becoming an issue when you're using 3+ devices in this setup as the FROST algorithm is intended to be used.

I wonder if they have taken that into account in the design.

Demo on the website shows it can take strain of 3 device, although without device's case/cover. But i would just put both phone and the signing device on table.

[SFR10]

What design would you expect from Frostsnap device which is hardware based security key in its essence?

I was expecting or rather hoping for a less flashy design, in a smaller form factor to bring the cost down ^{[despite knowing almost nothing about its specs, I have a strong feeling a pack of three will probably cost north of a hundred and fifty dollars (I hope I'm wrong)]}.

I may assume that should ^{(in the future)} any of the 3^rd party app implements FROST protocol there will be no problem to pair Frostsnap devices with that app.

And until that happens, I'm considering the incompatibility part as one of its disadvantages ^{[I prefer not to be in a situation where I'm limited to using only a certain amount of features]}.

Has anyone wondered if the USB port will be able to take the strain from the weight of all these devices under it, or is this some sort of magnetic connection?

Because unless the devices are extremely light, I can see this becoming an issue when you're using 3+ devices in this setup as the FROST algorithm is intended to be used.

Based on what I'm seeing from "this image", I don't think the outer case comes with magnets.

[satscraper]

Because unless the devices are extremely light, I can see this becoming an issue when you're using 3+ devices in this setup as the FROST algorithm is intended to be used.

I wonder if they have taken that into account in the design.

You need the whole chain to be connected to coordinator's device ^{(mobile/laptop/anything-else)} only once i.e. at time  when generating the FROST key. After FROST key is generated  its shares have become distributed between Frostsnap devices.  There is no need to connect the whole  Frostsnaps-string  at once  to coordinator app ( let's say on mobile) at signing FROST-multisig transaction. You may connect to coordinator the quorum-devices one by one . More on that ^{and some other relevant  details} are in this podcast.

[SFR10]

Pre-orders are finally open for Frostsnap ^[source] and a pack of three Frostsnap Frontiers costs $484 ^{[triple the amount I estimated "last year" ]} and each additional device is going to cost another $161.
- Based on "this video" and the "pre-order" page, it appears that each device is going to have a different color (other Frostsnap colors).

[Mitchell]

Their official topic seems to be here: Frostsnap Frontier ❄ Next Gen Bitcoin Security Now Available for Early Adopters .

[satscraper]

Pre-orders are finally open for Frostsnap ^[source] and a pack of three Frostsnap Frontiers costs $484 ^{[triple the amount I estimated "last year" ]} and each additional device is going to cost another $161.
- Based on "this video" and the "pre-order" page, it appears that each device is going to have a different color (other Frostsnap colors).

In my view individual users are unlikely to take much interest in this for two main reasons. First, the price point is too high for most. Second ^{and more importantly} it undermines the very reason many users opt for multisig wallet in the first place, namely, to reduce the risk of intentional ^{or unintentional} compromise from the single device manufacturer. That said, corporate or institutional users might find Frostsnap Frontier more appealing ^{provided they have a high degree of trust in the team behind Frostnap devices}.

[satscraper]

Looks like Frostsnap related things are shaking down rapidly:

I found video revealing their manufacturing line:

and was surprised to learn that Frostsnap elements don't have SEs but rely on SE inside the phone they are connected to. This raises the mystery for me, i.e. how do they arrange the recovery procedure in case the given phone is lost? They hinted that the key may be reconstructed from the Frostsnaps themselves, but I can't completely understand how they do it

[Forsyth Jones]

and was surprised to learn that Frostsnap elements don't have SEs but rely on SE inside the phone they are connected to. This raises the mystery for me, i.e. how do they arrange the recovery procedure in case the given phone is lost? They hinted that the key may be reconstructed from the Frostsnaps themselves, but I can't completely understand how they do it

Ok, that's a really strange point. What if the decryption key is compromised by malware on the phone? How will the phone's secure element protect against that kind of attack?

I don't know, I found this product quite complicated for me, maybe I'm not the target audience.🤔

[SFR10]

This raises the mystery for me, i.e. how do they arrange the recovery procedure in case the given phone is lost? They hinted that the key may be reconstructed from the Frostsnaps themselves, but I can't completely understand how they do it

https://www.talkimg.com/images/2025/11/09/U6bBn8.png

The decryption key part is confusing for me... If it's kept in the SE of a certain phone, then how can it be reconstructed on a new phone when a required number of devices are available? I have a feeling they could've used better ways to explain it, but decided not to give more information away ^{[at least for now]}.
^{- BTW, someone posted a video that covers the restoring process on the same phone and it also revealed that you can also use backups as well (19:16).}

[satscraper]

This raises the mystery for me, i.e. how do they arrange the recovery procedure in case the given phone is lost? They hinted that the key may be reconstructed from the Frostsnaps themselves, but I can't completely understand how they do it

https://www.talkimg.com/images/2025/11/09/U6bBn8.png

The decryption key part is confusing for me...

I've been thinking about this for a while and I think I’ve come up with the most likely solution. It seems highly probable that the decryption key itself is split into shares ^{apart from the main ones} , which are then distributed across Frostsnap devices. Once the required quorum of devices connects to the new phone with the relevant app, the key is reassembled and stored in its SE. That’s the only explanation that makes sense to me at the moment.
  
But again, why to encrypt shares with the key which can be reconstructed from media that hold these encrypted shares? New mystery...

[utxoclub]

Hello, co-founder of Frostsnap here, thanks for making this thread and for the discussion!

there is no wonder that other apps which know nothing about FROST technique will not be able to work with Frostsnap devices.

This is true (for now). We're the first team to ship FROST in production. We implemented FROST, tailored it for bitcoin UX, and designed custom hardware around it. It'll take some time for the rest of the ecosystem to adopt, and we look forward to seeing that happen.

For your questions:

No secure element in the devices

In some way this stems from one of our most deliberate design decisions: no PINs nor biometrics. Secure elements typically function through PIN verification: the PIN unlocks a decryption key which gets passed to the main MCU, and the secret is decrypted in regular memory on the microcontroller. Note: there is a widespread misunderstanding that signing happens inside the secure element. The SE is really just a PIN-gated key locker.

For Frostsnap, do we even want PINs? We decided no. PINs are another secret you have to remember, back up, and hand off. They brick devices when forgotten. They complicate inheritance. And they're trivially extractable under duress. We didn't want to bolt on a second secret to protect the first -- we wanted to eliminate the need for it.

We have built the entire security model to focus on one simple question: Can you get physical access to your threshold of devices?

Can an attacker? No PINs to forget, no biometrics to be unavailable for inheritance.

That said -- device secrets are not sitting around unencrypted on the device. Each device's share is encrypted using a key derived from the "root public key," and that decryption key lives in the secure element of your phone. Phone SEs are far more battle-tested than anything in the hardware wallet space. So to extract a secret from a device through physical attacks, the attacker would need to defeat the eFuse protections on the device AND break the phone's SE.

Phone malware

What if the decryption key is compromised by malware on the phone?

Even if someone did manage to get the decryption key off your phone, it's not a signing key that can move bitcoin. They'd still need access to your threshold of device keys to undergo a signing session. In a geographically distributed device setting, the decryption key alone gets an attacker essentially nothing actionable.

Recovery onto a new phone

how do they arrange the recovery procedure in case the given phone is lost?

why to encrypt shares with the key which can be reconstructed from media that hold these encrypted shares?

We've devised an elegant solution here. Any threshold number of devices (or backups) can share the public images of their secret shares, and interpolating them rederives the root public key. So restoring to a new phone is straightforward: connect 2-of-3 devices to the new phone -> the phone learns the root public key -> it can now provide this key (to the device) to decrypt device shares during signing sessions.

The reason we encrypt shares with a key reconstructible from those same shares is that it collapses security and recovery into a single requirement: do you have t-of-n devices? That's what you need to spend, and that's what you need to recover. One simple rule with no extra secrets to manage separately.

Pricing

Frostsnap devices are priced in bitcoin. The fiat prices have shifted if you'd like to take another look.

Single manufacturer risk

We've thought hard about this and our approach is to involve your phone in every sensitive operation, acting as a second hardware manufacturer. During wallet creation, the phone verifiably contributes entropy to the distributed key generation process. During signing, the phone contributes nonces, which prevents exfiltration attacks like Dark Skippy.

So even if every single Frostsnap device were compromised, the phone (completely different manufacturer, different supply chain) would also need to be compromised. You're getting multi-vendor security without needing to juggle different wallets and interfaces.

The device firmware can be reproduced deterministically (verifying our releases), and the app is open source.

USB durability

Has anyone wondered if the USB port will be able to take the strain from the weight of all these devices under it, or is this some sort of magnetic connection?

Haven't had a single breakage yet! The cases align tightly so there isn't much room for the connectors to bend, and we designed the board+case with a forgiving amount of wiggle room without feeling loose. That said, you only need the full daisy-chain connected during initial wallet creation. After that, signing only requires connecting devices one-at-a-time up to your threshold.

For anyone who wants to look deeper into any of this, especially the reasoning behind no PINs, no secure elements, and no airgap, see our design decisions writeup.

Let me know of any other questions!