Dafacto

The personal website of Matt Henderson.

The infallibility of official, open-source and audited software

14 August 2024

The purpose of this article is twofold:

  1. Present a fascinating crypto web wallet use-case that, in the absence of technical knowledge or support, can result in total loss of user funds.
  2. Challenge commonly held beliefs about official, open-source and audited software, versus closed-source third-party software.

Spacemesh & SmeshWallet

After the public launch of the Spacemesh protocol, I became interested in the blockchain project, joined the community and had fun building up my own home mining setup. I was attracted to the project due to the quality and values of the team, the technology they were building, and the unusually high breadth and depth of experience of the community members.

At the time, the project’s only wallet option was “Smapp”, a combination of a wallet and full node, requiring a large amount of disk space and being online 24/7 in order to access any held funds. Observing so many people in the community, who just wanted a simple way to hold the SMH token, struggle with running and maintaining Smapp, it occurred to me there was a clear need for something simpler.

I enjoy designing and building products, and decided to create a web wallet for Spacemesh, the focus of which would be user-experience—i.e. something that would squarely address both the needs and non-technical profile of the target demographic. The result was SmeshWallet—a simple, self-custody web-based wallet for Spacemesh, designed to be highly usable on both desktop and mobile devices.

Since a wallet holds user funds, security is naturally very important, and measures we took include such things as:

  • Password-encryption of the private keys, located in the user’s local browser storage. (No user data is exposed to us, other than—optionally—their email and public wallet addresses, should they choose to provide those during on-boarding.)
  • Hardened access to the redundant server nodes through which SmeshWallet broadcasts user transactions.
  • Continual remote monitoring to confirm that the checksum of the go-spacemesh binary running on the node matched that of the team’s official release—i.e. to confirm that the nodes have not been compromised.

You can read more about our security measures here.

But it’s not official, open-source or audited!

SmeshWallet turned out to be a success. As of this writing, over 4,300 wallets have been created, almost 60% of which have been “imports”—which would almost exclusively be people migrating from Smapp, by importing their Smapp seed words in the on-boarding process.

However, we still experienced a degree of public resistance, given that SmeshWallet was third-party software—i.e. not an “official” product from the project—and that it wasn’t open-source or audited.

In fact, some went so far as to publicly accuse us of being “scammers”!

My response to these concerns was the following:

  1. Having funded the project myself, engaging high-level product designers, I didn’t want to open-source the software, allowing it to freely be copied by others.
  2. I had requested the Spacemesh project to audit the software; however, they are a small, resource-constrained team, and simply didn’t have time.
  3. In lieu of a team audit, I gave access to the software repository to two of the community’s most respected and technical members, which would at least provide independent visibility into any changes made to the software.
  4. Finally, official, open-source and audited has, over time, become less of an assurance of security.

That fourth point deserves additional commentary.

When open-source software first appeared, many years ago, one of the great benefits was that the code could be, and was, inspected by large numbers of independent developers, who could identify and even patch bugs and security issues.

As you can imagine, that’s much more effective in a world of ten open-source projects, than a world of ten million, and naturally that’s proven to be the case.

For example, Ledger, makers of the world’s most popular crypto hardware wallets, open-sourced their “wallet connect” software, which allows decentralized applications to connect to their hardware devices. Despite being open-source, the wallet connect software was exploited and resulted in the loss of about $500,000 of user funds.

As regards audits, nearly every exploit in the history of decentralized blockchain applications happened against software that was professionally audited. We can speculate on the reasons.

  • There’s far more demand than supply. All major audit firms have backlogs of commitments, which likely affects the effort given to any particular audit.
  • An audit is a point-in-time snapshot, immediately obsolete as soon as the software continues its natural evolution. In a well-known case, soon after the Pickle Finance dApp was audited, a seemingly benign feature was added that was exploited for $30 million.
  • Hackers are far more motivated, and have much more time to find exploits, than audit firms.

For many in the community, however, these responses were not convincing; they simply would only entrust their funds to “official”, open-source, audited products.

A fascinating “bug”

During the operation of SmeshWallet, we discovered an issue, described below, which initially seemed catastrophic, in the sense that an affected user could permanently lose access to their funds. We immediately patched SmeshWallet to prevent this use-case, and one of the two community members with access to our software identified a solution that, while very tedious, would at least allow an affected user to restore access to their wallet.

Some time later, the Spacemesh team announced plans to create their own web wallet, called Smapp-Lite, that would address more advanced use cases than those covered in the scope of SmeshWallet—e.g. interaction with vesting vaults. This would be an official product, open-source, and professionally audited. I was curious whether Smapp-Lite would be subject to the same dangerous issue we discovered—and if so, whether it would be identified either through public inspection of the open-source software, or in its audit.

(Since there is a solution path for anyone affected, I decided to wait until the audit was finished before disclosing the issue; otherwise I would have disclosed it immediately.)

It was recently announced that the Smapp-Lite audit has been completed, and while I’ve been unable to get a confirmation that the running version of the wallet at wallet.spacemesh.network addresses all of the issues, it was confirmed that all major issues have been addressed, and as of this writing (2024-08-14), the issue has not been addressed in their software repository. Given that the fix is trivial, I will presume the issue wasn’t discovered in the audit, such that I can proceed to demonstrate here that the audited version of Smapp-Lite remains affected.

And with that, let’s explore the “bug”!

Seed phrase creation & automatic language translation

During the onboarding process of a web wallet, the user is generally presented with two options:

  1. Creating a new wallet
  2. Importing an existing wallet, by entering its 12 or 24 “seed words”.

Wallet seed words are from the English language. The fascinating use-case arises from the fact that, nowadays, many users have their browsers configured to automatically translate all websites into their local language.

Creating a new Smapp-Lite wallet, I configured Chrome to auto-translate into Spanish.

I clicked on “Crear nueva billetera”, which would be the English equivalent of “Create new wallet”. The following screen presented me with the wallet’s 12-word seed phrase, but translated into Spanish!

As you can see, there’s a button (“Copiar al portapapeles”) to copy the seed words to the clipboard (presumably to paste into something like 1Password). If you use this feature, whether in SmeshWallet or Smapp-Lite, the English seed words are copied to the clipboard:

desert sausage lawsuit hedgehog benefit timber clump record produce escape august where announce gentle sense stomach document hospital timber forget approve zero acid shallow

However, the commonly recommended “best security practice” is that a user never use the copy function, in case malware is running that can read the clipboard contents. Users aware of this recommendation manually record the wallet’s seed phrase, which in this case would be 12 Spanish words:

desierto salchicha demanda erizo beneficio madera grupo registro producir escapar agosto donde anunciar gentil sentido estomago documento hospital madera olvidar aprobar cero acido poco-profundo

(To give you an idea how common this practice is, the number one SmeshWallet support request is a user who manually recorded their seed words, but can’t recover their wallet. In all reported cases, the user had made a single, small spelling mistake in one of the words when manually writing them down.)

The following screen requires the user to confirm their seed, by correctly ordering four random words, again translated into Spanish.

Clicking “Proximo paso” (“Next step”) concludes the on-boarding workflow, and the user is given access to their newly created wallet, ready to begin receiving incoming funds!

So what’s the problem?

Lost ability to restore the wallet

The problem is that the wallet’s private keys are stored in the browser’s local storage, and under many circumstances can be erased. Some browsers are configured to delete local storage automatically, and especially on Windows systems, anti-malware software is often configured to periodically clear browser local storage.

When this happens—i.e. when the browser’s local storage is erased—the web wallet, upon access, will not find any existing private keys, and will display the original onboarding workflow!

But when the user clicks “Recuperar tu Billetera” (“Recover your wallet”) and enters their Spanish translated seed words, the wallet naturally reports an error!

At this point, if a user has no idea why this has happened, they will have permanently lost access to their wallet, and any funds contained within!

Imagine, however, that by some means they understand why this is happening, and hope to reverse translate the Spanish words back to the original English words.

This, unfortunately, isn’t always reliable, as in this particular case, where we see that the reverse translation resulted in different English words than the original:

Original:

desert sausage lawsuit hedgehog benefit timber clump record produce escape august where announce gentle sense stomach document hospital timber forget approve zero acid shallow

Reverse translated:

desert sausage **demand** hedgehog benefit **wood** **group** record produce escape august where announce gentle sense stomach document hospital **wood** forget approve zero acid shallow

And naturally, trying to restore the wallet using these reverse-translated words fails.

(“Palabras mnemotécnicas no validas” means “Seed words invalid”.)

Whereas the original words are properly recognized as valid:

Moral of the story

It would seem at first glance that this use-case is unresolvable. But as mentioned at the beginning of this article, one of the two community members who has access to the SmeshWallet code discovered a solution path. The solution is not rocket science, so I’ll leave that as a fun exercise for the curious reader, who could be the first to post it to @SmeshWallet on Twitter! (If you are affected by this use-case, though, feel free to contact me, for the solution.)

Preventing the use-case in the web wallet software is trivial, by simply adding the translate="no" property to the seed phrase display.
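
As an added illustration (not code from SmeshWallet or Smapp-Lite), the sketch below builds the seed phrase markup with translation disabled and, as a second line of defense, refuses to leave the backup screen while the words shown in the page differ from the words generated. The function names are hypothetical; the word lists are the ones shown earlier in this article, and the same comparison reproduces the four mismatches from the reverse-translation attempt.

```javascript
// Added example, not SmeshWallet or Smapp-Lite code; function names are hypothetical.
// Word lists copied from the article: the generated phrase and what Chrome displayed.
const GENERATED = ("desert sausage lawsuit hedgehog benefit timber clump record " +
  "produce escape august where announce gentle sense stomach document hospital " +
  "timber forget approve zero acid shallow").split(" ");
const TRANSLATED = ("desierto salchicha demanda erizo beneficio madera grupo registro " +
  "producir escapar agosto donde anunciar gentil sentido estomago documento hospital " +
  "madera olvidar aprobar cero acido poco-profundo").split(" ");

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Mark the list and every word as non-translatable. translate="no" is the
// HTML attribute; class="notranslate" is also honoured by Google's translator.
function seedPhraseHtml(words) {
  const items = words
    .map((w) => `<li translate="no" class="notranslate">${escapeHtml(w)}</li>`)
    .join("");
  return `<ol id="seed-phrase" lang="en" translate="no" class="notranslate">${items}</ol>`;
}

// Compare the generated words with the text each <li> currently shows.
// Reading per element keeps positions aligned even when a translation
// turns one word into two. Returns the 1-based positions that differ.
function alteredPositions(generated, displayedItems) {
  const altered = [];
  const n = Math.max(generated.length, displayedItems.length);
  for (let i = 0; i < n; i++) {
    const shown = (displayedItems[i] || "").trim().toLowerCase();
    if (shown !== generated[i]) altered.push(i + 1);
  }
  return altered;
}

// Gate for the "next step" button. In a browser, displayedItems would be
// Array.from(document.querySelectorAll("#seed-phrase li"), (li) => li.textContent).
function backupScreenStatus(generated, displayedItems) {
  const altered = alteredPositions(generated, displayedItems);
  return altered.length === 0
    ? { ok: true, message: "Seed phrase displayed as generated." }
    : { ok: false, altered,
        message: "Displayed words differ from the generated seed phrase. " +
                 "Turn off page translation before writing them down." };
}
```

With the article's Spanish list as input, every position except 18 (“hospital”) is reported as altered, so the user is stopped before recording a phrase the wallet can never accept.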

So the moral of the story, from my perspective, is that software being official, open-source and professionally audited is no assurance that it’s free from potentially dangerous issues. It’s also a specific instance in which a particular issue had been discovered and fixed in a closed-source, non-audited, third-party product.

It also highlights an interesting class of issues that would be unlikely to be caught by code inspection, and rather only caught by thinking, as best possible, through all the possible usage scenarios. (Which is often simply impossible, and why this story in no way reflects negatively on the Spacemesh team. Indeed, the same issue was originally present in our own software.)

Other Spacemesh products

Having read this article, in case you become interested in the Spacemesh project, here’s a complete list of the products I’ve created for it:

  • Spacemesh.fyi — Since the project didn’t have one, I created a card-based web app to serve as one’s ideal first contact with the Spacemesh project.
  • SmeshWallet — The popular non-custodial web wallet discussed in this article.
  • Spacemesh Tokenomics — An interactive web app allowing the visitor to visually and interactively explore Spacemesh tokenomics and circulating supply over time.
