WalletScrutiny

Know your wallet like you made it!

Our goal is to improve the security of Bitcoin wallets by examining products for transparency and potential attacks.

Public Key

npub1j9kttlc86w63emmldd4h74rekyqpksqup6p9trhp5gjsf374qlyszvuswx

NIP-05 Address

[email protected]

NIP-57 Address

[email protected]

Profile Code

nprofile1qqsfzm94lura8dguaalkk6ml23umzqqmgqwqaqj43ms6yfgycl2s0jgprpmhxue69uhhyetvv9ujumt0d4hhxarj9ecxjmntqy28wumn8ghj7un9d3shjtnyv9kh2uewd9hs3gqkuy

Publishing to

relay.momostr.pink

relay.damus.io

nos.lol

Author Public Key

npub1j9kttlc86w63emmldd4h74rekyqpksqup6p9trhp5gjsf374qlyszvuswx

Show more details

Last Notes

2024-09-19 20:57:46

- reply

Funding is actually looking pretty good right now for achieving this tiny selection within months. If you want to help with funding to further expand our scope, donations are always welcome.
As for priorities with the many desktop wallets, we have not decided which ones to test first. Obviously Bitcoin Core is being tested intensely by others already but if you have ideas on how to prioritize desktop wallets, let us know. There is no easy popularity heuristic to go by. Google search results? Self reported downloads? Stars on GitHub? ... It's all sort of flawed.

2024-09-19 19:33:36

We have long been working on testing desktop wallets but it's really tricky as there is just so many binaries floating around for what claims to be the same product. Even Bitcoin Core is showing 8 download options depending on your operating system or distribution channel preference:
https://image.nostr.build/092675397042174186e3e764292629b3adb749ec409656972a229800b81f35ca.png
With snapcraft obviously being tricky:
https://image.nostr.build/772aa649432c3d57171f65eecabc4c87f0d031fa8edbf359c7a68c8df7e5ddb8.png
Either way, for desktop wallets, most of the time people have download links and want to verify those downloads, so Chris is working on a binary checker. It's still only a draft merge request and clearly needs a design but what it will enable is actually pretty cool:
https://a.nostr.build/DMmxAOaKtPYpb3M7.webm
WalletScrutiny calculates the hash of the file dropped onto it and if it's an apk, it also determines the appId which allows finding the right product. If the hash is known, the verdict is immediately displayed. If not, the page invites the user to upload the file for analysis.
The attestations for artifacts will live on nostr as signed events and nostr will also be used to advertise the existance of new binaries for reviewers.

2024-07-10 01:28:24

- reply

The designs look repetitive but the chosen materials appear to not always be clearly advertised. Maybe educated guesses are good enough if people ask about any particular new device.

2024-07-09 19:38:30

Not all metal backups are made equally. If you use metal to not have to also worry about your bitcoins when your house is on fire, don't use this product:
https://jlopp.github.io/metal-bitcoin-storage-reviews/img/devices/ellipal_metal_hot.jpeg
But running these tests must have been great fun, right @npub17u5…t4tp?
If we add these backup solutions to our website, we would certainly heavily lean on Jameson Lopp's work as a hydrolic press and acids isn't what we had planned to play around with ourselves for now.
Jameson are you planning to test more products any soon? Adding "backup tools" to WalletScrutiny might get excessive if we don't draw lines like you did. If it's not at least claiming to be heat resistant, we won't bother to list it or else we end up listing a million different ways to print on paper.

2024-07-08 20:02:13

- reply

Stay safe! Hope it all turns out well.

2024-07-03 02:25:31

Some fan art ✨ 🎶 🎶
Which one do you like best?
https://audio.nostr.build/79aad81cea8141b3fe4ec5d08319735be46420e04f45910453cf3a035ea706e4.mp3
https://audio.nostr.build/1392672adb8cb2f5752cc3241c2d38811ace25b8f5e498801a54918db243a235.mp3
https://audio.nostr.build/569718137b9d20b8c91cbc086179e7b7aab39d6c5e824294fe7324aa092584c2.mp3
https://audio.nostr.build/ec043e98cc163270ca4a66c3b3c46fe5da0695e7cb3a814e76678724a4d49e51.mp3
https://audio.nostr.build/d76cf4c1a3f59f5645a92c1a5126220468939f6ec3001ea9704718d056981541.mp3
https://audio.nostr.build/c09400bb09c8f4b894b88ff078ce28a0c15578c30b508a552f5b3c08dc4a9d41.mp3
https://audio.nostr.build/640d0512152b5edea6458e9196c108ebf32a864694ece156a1c85d36042dfb49.mp3
https://audio.nostr.build/42ddfde0e3ba5bd055d98f79fce2c7de757a4c774cddde5da1d91caf6c72e945.mp3

2024-04-29 15:38:39

If you still have funds trapped in Samourai, @npub1r70…sf7d wrote some tips on what to do next to recover them here:
https://walletscrutiny.com/android/com.samourai.wallet/

2024-04-19 15:03:19

https://image.nostr.build/a9f29836a1d10f7a9830add2c3256066c0e6aa21db09e2b881d848c009e3f3e7.png
Most people don't dig that deeply but when they do, they have this question. Computers are 1s and 0s. They are digital. How can they be non-deterministic??
Software development mostly revolves around performance both in the end product and the development process. Only very few developers even spend a thought on reproducibility. So if they compile something and it compiles 5 seconds faster, they can test the feature they were working on 5 seconds quicker. These two reasons result in stuff being non-reproducible as:
Files are processed in the order they come and that order depends on many factors. For example some file systems sort by date and others by file name.
Compilers can optimize the result, so compiling something with one version of the compiler will often give a different result than when compiled with another version.
The compiler might process multiple files in parallel and pack them into the result as they finish compiling.
Other sources of problems are timestamps or file paths that end up in the result.
Some tools on purpose use randomnes to generate IDs that are unique to every build.
Of the above issues, all result in non-reproducibility by our standards. While some lead us to comment on the build looking benign as the diff is only some random number appearing twice, others might also be benign but result in differences far too big to quickly judge with the tools we are using.
The more developers care about reproducibility over only performance, the better it will get but there are some widely used tools that consistently cause issues and maybe should just be avoided in wallets.

2024-04-10 01:09:37

- reply

@npub1r70…sf7d found something ... https://github.com/Coldcard/firmware/pull/332
So we list the product as unreleased for the time being.

2024-04-09 20:59:56

- reply

Well, not on nostr. At least that's Fiatjaf's marketing. Did he merge the shadowban nips?

2024-04-09 20:05:17

- reply

Apparently the Coinkite account is not so talkative ...
Pinging @npub1az9…m8y8

2024-04-09 19:23:06

Hi @npub1wu4…3vw0
We were asked to attest to the reproducibility of your Q1 wallet and while the shop looks like it's maybe not released, we think it's just out of stock? May we ask for a release date?
https://github.com/Coldcard/firmware/blob/master/stm32/repro-build.sh appears to not support compiling the firmware for the Q1, right? We found for example 2024-04-02T1416-v1.1.0Q-q1-coldcard.dfu at https://coldcard.com/downloads/ yet the script appears to assume the download always to contain "mk".
Where can we find the documentation to reproducibly build the Q1 firmware?

2024-03-26 17:43:44

- reply

In the end, reproducibility is something, people can attest to in order to extend trust or you have to reproduce it yourself which means you could as well just compile it from source always.
As we care about extending trust, we care about attestation and see jumping pixels more as a gimmick than anything else but if people like it, it's easy enough to record a screen session.

2024-03-25 19:04:23

https://walletscrutiny.com/android/com.samourai.wallet/
Samourai Wallet did not share source code for their latest version on Google Play.

2024-03-25 18:05:56

Has anybody noticed that we now have "screen recordings" in our reproducibility tests? As another project is sharing "video proof" of reproducibility, we were asked to also do so but it felt kind of pointless to produce GBs of data for every reproducibility test. We did however start playing around with console recordings that are somewhat more optimized as they record the ASCII on the screen and not every pixel. Resulting files are much more manageable but for example, running the compile script for the Electrum for Android app resulted in 72MB of output. As we test a lot, this is a lot to add in a single day.
Does anybody care about screen recordings? Can we throw them at some nostr relay instead of our git repo, with some expiry date in three months, so that interested users can grab it while it's hot? Any other ideas?
Currently the tiniest ascii cast is the one for the Schildbach "Bitcoin Wallet": https://walletscrutiny.com/android/de.schildbach.wallet/

2024-02-08 17:01:06

- reply

For all I know they might escalate this internally but certainly their staff should have protocols for this. After all, people that do lose their money to these apps also do contact them.

2024-02-08 16:52:17

It can be really frustrating to hunt after fake apps when not even the provider of the original seams to care ...
Here is our attempt at reporting a fraud at https://capital.com
https://image.nostr.build/a7daca6bd8eb4d4135b8a7b448ea0e941f788bec36951bece1262e2bc6c5c5bc.png
https://image.nostr.build/8412f75108b34a0214ebdc4d82d26e1f1668418e0ed77efff6e2a15a86bbc1ab.png
https://image.nostr.build/1509713b5cfd8c1372cded8c8461792d0752a24433f9cd15feaea89eb92beca9.png
https://image.nostr.build/3e4d4c4ccc09aeb79133534258617ea5acc77f0150e3d4287a839c9516e42d06.png
#nevent1q…xg72

2024-02-07 18:08:45

Does anybody know how
https://walletscrutiny.com/android/com.kapital.trade.crypto
relates to
https://walletscrutiny.com/android/com.capital.trading
The former has 500k users but looks like a fake app given the "typo" in the app ID and given that capitalCom links to the latter, only.

2023-12-31 18:08:04

Sadly Mycelium hasn't published any source code updates since June, yet their latest release on Google Play was days ago. As of now, Mycelium for Android has to be considered closed source.
We poked Alexander Pavlenko - the author of the last commit and probably maintainer - on Telegram yesterday but did not get a reply yet.
https://walletscrutiny.com/android/com.mycelium.wallet/

2023-11-22 18:12:40

https://image.nostr.build/b68eb33d5edf4142482e89f154714bb5c8b79ed04042161a92b3ca3bb7ada202.jpg
https://twitter.com/WalletScrutiny/status/1727388864216531429