Now that Nucle, Chia’s first SPV wallet, is in open beta and anyone can sign up, let’s talk about Chia wallet security a little bit. I have spoken before about how I don’t think security is very well understood in the cryptocurrency world, with lots of claims being made about one thing being more secure than another, devoid of context and without a threat model. This is bad, and reminds me a little bit of general internet security 15 or 20 years ago.
There are two main threats to a cryptocurrency wallet, regardless of where it is hosted, and those are:
- someone will gain access to your wallet without permission
- someone will spend coin from your wallet without having access
So all security decisions should be made with those two scenarios in mind. Let’s deal with the second threat first here, the idea that someone will be able to execute a spend without access to your wallet. On a centralized banking system the main way that would occur is a back-end compromise where database-level changes are made that move money from your account to another. Your primary protection from this is a series of laws, regulators and mandatory deposit insurance on banks. Basically, if someone that isn’t you spends your money, you should get it back.
In cryptocurrency the main defense against this threat is cryptographic. It would generally take longer than the lifetime of the earth to forge a proper transaction on a properly secured blockchain, so it’s not usually considered a major risk. The main risk here would be a software flaw that allows a malicious actor to make wallet software that does hold the proper keys create a transaction and spend coin without the wallet owner’s permission. This has happened before, even with hardware wallets like Ledger, and is a real threat.
That brings us to Nucle, and other online wallets. Right now there are two ways you can use a wallet online. The first is Nucle, where you control the keys and it works like a browser application: all encryption is handled in the browser, and the Nucle servers don’t see your keys and cannot create a transaction on your behalf. That’s the theory, and the goal anyway. We will be able to confirm this once they open their source code, so for now we will assume they are telling the truth. The second is the wallets held on cryptocurrency exchanges. These are not really wallets in the sense that Nucle is, but they are functionally similar at a glance. An exchange wallet has none of the protection of Nucle. It is merely a database that stores values that correspond to your account, and any back-end compromise can lead to their coin being taken and leaving you with nothing. Exchanges also have none of the safety mechanisms that traditional banking systems offer. If anything does happen and they just don’t pay you out, you are left with the civil court system, and that can be less than effective against shadowy organizations in sparsely regulated foreign countries.
So from that perspective Nucle offers significant security improvements over any exchange-hosted wallet. Barring a software bug, or the possibility that they actually do hold the keys, it shouldn’t be possible for someone to spend without the key. So how safe is the key? Nucle supports 12-word mnemonics instead of the standard 24-word Chia Network wallet. So is it secure?
In a nutshell, yes. There is a really good writeup on BIP39 (the standard we are discussing here, thanks Speedmann) and if you read through it you will see that the difference between a 128-bit (12-word) and a 256-bit (24-word) mnemonic is almost academic. In both cases the mnemonic is hashed 2048 times with a salt (PBKDF2-HMAC-SHA512) to produce a 512-bit seed value. Because of the salt, two people using the same set of words will derive different seeds. This 512-bit seed is then used to produce the key protecting your wallet. Is a 24-word key more secure? Technically yes. Will it matter in the near or intermediate future? Probably not. This is not a situation where the cipher strength is changed by the length of the passphrase, because the key is the same strength at the end. And because it takes so long to run a Password-Based Key Derivation Function, they are incredibly hard to brute force. They take some time to create, and with the standard 2048-word list the brute force requirements are below:
- 12 words: 5.4445178707350154154139937189083e+39 candidate phrases (halve that for the expected number of guesses before hitting the key)
- 24 words: 2.9642774844752946028434172162224e+79 candidate phrases (halve that for the expected number of guesses before hitting the key)
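To make the derivation and the keyspace numbers above concrete, here is a small added example (my own code, not Nucle’s or Chia Network’s). It implements the BIP39 seed step exactly as the standard specifies it, PBKDF2-HMAC-SHA512 with 2048 rounds over the NFKD-normalised mnemonic and a salt of the string "mnemonic" followed by the optional passphrase, and computes the 2048^N phrase counts listed above. The mnemonic used is the public BIP39 English reference test vector, not anyone’s real wallet. One caveat the example makes visible: the salt only differs between users when their optional passphrases differ, so the same words with the same (or empty) passphrase always produce the same seed.

```python
import hashlib
import unicodedata

PBKDF2_ROUNDS = 2048   # fixed by BIP39
WORDLIST_SIZE = 2048   # fixed by BIP39 (11 bits per word)

# Public BIP39 reference test vector (entropy 0x00..00, passphrase "TREZOR").
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")
TEST_PASSPHRASE = "TREZOR"
TEST_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                 "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 512-bit BIP39 seed from a mnemonic sentence.

    PBKDF2-HMAC-SHA512, 2048 rounds, password = NFKD(mnemonic),
    salt = "mnemonic" + NFKD(passphrase). Output is 64 bytes.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ROUNDS, dklen=64)


def phrase_space(word_count: int) -> int:
    """Number of raw word sequences of the given length: 2048^N."""
    return WORDLIST_SIZE ** word_count


def expected_guesses(word_count: int) -> int:
    """On average an attacker finds the phrase after trying half the space."""
    return phrase_space(word_count) // 2


def entropy_bits(word_count: int) -> int:
    """Effective entropy: 11 bits per word minus the checksum bits (ENT/32).

    12 words -> 128 bits, 24 words -> 256 bits, matching the figures in the text.
    """
    return word_count * 11 - word_count // 3


if __name__ == "__main__":
    seed = bip39_seed(TEST_MNEMONIC, TEST_PASSPHRASE)
    print("reference vector matches:", seed.hex() == TEST_SEED_HEX)
    # Same words, different passphrase -> different seed (the salt does the work).
    print("passphrase changes seed:",
          bip39_seed(TEST_MNEMONIC, "alpha") != bip39_seed(TEST_MNEMONIC, "beta"))
    for n in (12, 24):
        print(f"{n} words: {phrase_space(n):.4e} phrases, "
              f"{entropy_bits(n)} bits of entropy")
```

The `phrase_space` figures are 2^132 and 2^264, the values quoted above; `entropy_bits` shows why the text can still call them 128-bit and 256-bit mnemonics, since the last few bits of each phrase are a checksum rather than free choice.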
As you can see, a huge difference. But in either example it will take billions of years to brute force a key, even using all the computing power in the world. So if you notice the heat death of the universe approaching, it might be time to transfer your balance to a 24-word wallet. In either case an attacker is highly unlikely to get access to your wallet through brute force, so your main exposure to the first threat is going to be losing your keys or having them stolen. This comes down to personal and operational security, and that is a much longer post. In a nutshell, protect your keys as well as you can, lest you end up like this person.
Because the actual wallets are cryptographically secure to the point of being more than good enough, it all comes down to the code. This is true with all wallet types: software, hardware and cloud. Hardware wallets can have their firmware flashed to execute spends, online wallets like the Chia Windows client can conceivably be exploited to initiate a spend from a logged-in wallet using RPC, and Nucle can possibly have your session hijacked and a spend executed on your behalf without the keys. These are possibilities for any system, and the likelihood will depend on the specifics of the code. But it’s a good idea to consider every system susceptible to compromise eventually. No code is perfect. So from a security perspective Nucle is perfectly fine for a hot wallet, but not for a cold wallet. And neither is the official Chia client, nor any wallet I am aware of yet.