
Security

How secure is your wallet?


Security audits

Wallets are high-stakes pieces of software, as they deal with sensitive user data and funds. To ensure that their code is secure, industry best practice is to regularly submit the wallet's source code for audit by an independent security auditor. These companies specialize in reviewing source code with an eye for security vulnerabilities. They report their findings to the wallet's development team for consideration, pointing out both flaws and potential security improvements.

Security audits matter because they help ensure the wallet's source code is secure and stays that way over time. Wallet development teams typically publish such audits so that wallet users can feel safer knowing that the wallet's source code was independently audited.

Scam prevention

Transactions in Ethereum are very difficult to reverse, and there is no shortage of scams. Wallets have a role to play in helping users avoid known scams ahead of the user making the transaction.

Chain verification

"Trust but verify" is one of the foundational principles of blockchains. It refers to the ability for participants to verify that the chain data is valid when they interact with it.

Without such verification, users rely on trusted third parties to tell them what the state of the blockchain is, similar to the web2 trust model. This allows such third parties to trick wallet users into signing transactions that do not end up having the user's intended effect.

To avoid this, Ethereum was designed to be verifiable on commodity hardware. Using a light client, this verification is possible without having to download the entire blockchain.
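The check the three paragraphs above describe, reduced to its smallest form, as an added example (not WalletBeat's code): a wallet receives an account record from an untrusted RPC provider together with a Merkle proof and accepts it only if the proof leads to a root the wallet already trusts, the way a light client trusts the state root from a verified block header. It uses SHA-256 over a plain binary Merkle tree as a stand-in for Ethereum's keccak-based Merkle-Patricia trie, and the account records are constructed.

```python
import hashlib
from typing import List, Tuple

# Added example (not part of WalletBeat). A plain binary Merkle tree over SHA-256
# stands in for Ethereum's keccak-based Merkle-Patricia trie; the shape of the
# check is the same: the client trusts only the root and recomputes the path
# from the reported value up to that root.

def _leaf(value: bytes) -> bytes:
    # Leaves and inner nodes get different prefixes so a node hash can't be replayed as a leaf.
    return hashlib.sha256(b"\x00" + value).digest()

def _node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _levels(values: List[bytes]) -> List[List[bytes]]:
    """All tree levels, leaves first. An odd-sized level is padded by duplicating its last hash."""
    level = [_leaf(v) for v in values]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def merkle_root(values: List[bytes]) -> bytes:
    return _levels(values)[-1][0]

def merkle_proof(values: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from leaf to root; the flag is True when the sibling sits on the left."""
    proof = []
    for level in _levels(values)[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof

def verify_proof(value: bytes, proof: List[Tuple[bytes, bool]], trusted_root: bytes) -> bool:
    """What the light client does: rebuild the path and compare with the root it already trusts."""
    acc = _leaf(value)
    for sibling, sibling_is_left in proof:
        acc = _node(sibling, acc) if sibling_is_left else _node(acc, sibling)
    return acc == trusted_root

# --- Constructed scenario -------------------------------------------------------
# Chain state as committed to by a header the light client has verified.
STATE = [b"alice:100", b"bob:250", b"carol:7"]
TRUSTED_ROOT = merkle_root(STATE)        # obtained through verification, not from the provider
HONEST_PROOF = merkle_proof(STATE, 1)    # proof the provider sends alongside bob's record

def accept_provider_response(reported: bytes, proof: List[Tuple[bytes, bool]],
                             root: bytes = TRUSTED_ROOT) -> bool:
    """True only if the provider's reported record is consistent with the trusted root."""
    return verify_proof(reported, proof, root)

if __name__ == "__main__":
    print("honest:", accept_provider_response(b"bob:250", HONEST_PROOF))     # True
    print("forged:", accept_provider_response(b"bob:999999", HONEST_PROOF))  # False
```

The point is the asymmetry: the provider can send any record it likes, but it cannot produce a valid path to the trusted root for a record the chain does not contain, so the forged balance is rejected without the wallet holding any chain data beyond the root.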

Hardware wallet support

Hardware wallets are physical devices that store a user's private keys offline, providing an additional layer of security against online threats. By keeping private keys isolated from internet-connected devices, hardware wallets protect users from malware, phishing attacks, and other security vulnerabilities that could compromise their funds.

When a software wallet supports hardware wallet integration, users can enjoy the convenience and features of the software wallet while maintaining the security benefits of keeping their private keys offline. This combination offers the best of both worlds: a user-friendly interface with enhanced security.

Supporting multiple hardware wallet options gives users flexibility to choose the hardware solution that best fits their needs and preferences.

Hardware wallet integration

Software wallets that integrate well with hardware wallets provide users with the best of both worlds: the convenience and feature-rich interface of software wallets, combined with the security of hardware key storage and transaction signing.

EIP-712 clear signing is particularly important for DeFi applications like Safe (formerly Gnosis Safe) and Aave, where complex transaction parameters need to be verified to prevent attacks like blind signing exploits or transaction parameter manipulation.

When a software wallet properly integrates with hardware wallets for clear signing on these platforms, users can confidently verify exactly what they're approving on their hardware device screen, even for complex smart contract interactions.

Without proper integration, users may be forced to blind sign transactions or use less secure methods, significantly increasing security risks when interacting with DeFi protocols.

Passkey implementation

Passkeys provide a secure and phishing-resistant way to authenticate users without relying on seed phrases. Using gas-efficient and well-audited libraries for verification is crucial for both security and cost-effectiveness.

P256 signature verification is computationally expensive on-chain, so using optimized libraries reduces transaction costs.

Some verification libraries have undergone multiple security audits while others may have fewer or no publicly available audits.
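As an added example (not WalletBeat's code) of what passkey verification actually entails, this Python block implements P-256 ECDSA from scratch and checks a WebAuthn assertion the way a verifier, on-chain or off, has to: structural checks on the relying-party hash, challenge and origin first, then the signature over `authenticatorData || SHA-256(clientDataJSON)`. The relying party `wallet.example`, the origin and the generated key pair are constructed; on-chain verifiers are written in Solidity, but the two scalar multiplications in `ecdsa_verify` are the same work regardless of language and are what makes a well-optimized library matter.

```python
import hashlib, json, secrets
from typing import Optional, Tuple

# Added example, not WalletBeat's code: a from-scratch P-256 ECDSA verifier plus the
# WebAuthn message a passkey signs. The curve arithmetic is spelled out to show the
# scalar multiplications every verifier has to pay for; it is not constant-time and
# is for illustration only. RP_ID, EXPECTED_ORIGIN and the key pair are constructed.

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff  # NIST P-256 field prime
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # group order
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
Point = Optional[Tuple[int, int]]  # affine coordinates; None is the point at infinity

def _add(p1: Point, p2: Point) -> Point:
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k: int, pt: Point) -> Point:
    """Double-and-add: ~256 doublings plus additions, each needing a modular inverse."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def on_curve(pt: Point) -> bool:
    return pt is not None and (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0

def keygen() -> Tuple[int, Point]:
    d = secrets.randbelow(N - 1) + 1
    return d, _mul(d, G)

def ecdsa_sign(d: int, digest: bytes) -> Tuple[int, int]:
    """Stand-in for the authenticator's signing step (a real passkey never exposes d)."""
    z = int.from_bytes(digest, "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            return r, s

def ecdsa_verify(q: Point, digest: bytes, sig: Tuple[int, int]) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N and on_curve(q)):
        return False
    w = pow(s, -1, N)
    z = int.from_bytes(digest, "big")
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, q))   # the two expensive operations
    return pt is not None and pt[0] % N == r

# WebAuthn assertion: what the passkey signs and what the verifier must check first.
RP_ID = "wallet.example"                  # constructed relying-party id
EXPECTED_ORIGIN = "https://wallet.example"

def authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """rpIdHash (32 bytes) || flags (0x01 = user present) || signCount (4 bytes)."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + sign_count.to_bytes(4, "big")

def client_data_json(challenge_b64url: str, origin: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": challenge_b64url, "origin": origin}).encode()

def signed_payload(auth_data: bytes, client_data: bytes) -> bytes:
    """ECDSA input: SHA-256(authenticatorData || SHA-256(clientDataJSON))."""
    return hashlib.sha256(auth_data + hashlib.sha256(client_data).digest()).digest()

def verify_assertion(pubkey: Point, challenge_b64url: str, auth_data: bytes,
                     client_data: bytes, sig: Tuple[int, int]) -> bool:
    """Cheap structural checks first; the costly signature check only if they pass."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge_b64url:
        return False                                  # stale or foreign challenge
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False                                  # origin is written by the browser, so a look-alike site fails here
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                                  # credential belongs to another relying party
    return ecdsa_verify(pubkey, signed_payload(auth_data, client_data), sig)
```

The origin check is where the phishing resistance comes from: the browser, not the page, writes `origin` into `clientDataJSON`, and the signature covers its hash, so an assertion produced on a look-alike site fails verification even though the signature itself is valid for that site's data.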