Paris-based crypto hardware wallet provider Ledger found itself in hot water this week after revealing plans to introduce Ledger Recover, an optional, paid subscription service for Ledger Nano X wallet holders that provides a seed phrase recovery system involving third-party administrators. Ledger touted the new feature as an innovation that allows crypto and NFT holders to recover their assets in the event of a lost or forgotten seed phrase.
But the announcement has been heavily criticized by part of the Web3 community, who argue that the firmware update enabling the service goes against Ledger’s long-standing policy (and main selling point) guaranteeing that a user’s private key will never leave the device. Such concerns have raised questions about Ledger’s professed commitment to privacy and security, allegations the company denies.
So, who’s right? If you use a Ledger hardware wallet, is your seed phrase safe?
The Ledger Controversy
With a value of over $1 billion and estimated annual sales of over $53 million, Ledger is one of the world’s most well-known and popular hardware wallet providers. The company’s hardware wallets, often referred to as “cold storage” devices, are USB stick-like tools that provide a highly secure way to store cryptocurrency. They are considered superior to their “hot wallet” counterparts such as MetaMask and WalletConnect, which are generally easier to use, but have the disadvantage of storing private keys online, exposing them to much greater risk.
Setting up a Ledger wallet involves creating a unique seed phrase, which is a collection of randomly generated words that make up the private keys associated with crypto wallets. This system, while secure, has drawbacks in terms of usability. Losing the seed phrase means you lose access to the money, and if it falls into the wrong hands, it could lead to a compromised wallet.
For years, Ledger has marketed its wallets on the idea that users’ assets are safe because their private keys never leave their devices. So it came as a surprise to many in the Web3 community when the company confirmed plans for an optional paid subscription service via a Twitter video with Ledger CTO Charles Guillemet on Tuesday, May 16.
Essentially, Ledger Recover encrypts a user’s seed phrase and divides it into three parts, each shared with a different custodian. Ledger is one of those custodians, with Coincover and EscrowTech (a crypto custodian and code escrow company, respectively) being the others.
“If you choose to subscribe, Ledger Recover encrypts a version of your private key and splits it into three fragments (using Shamir Secret Sharing) – all of this happens on the Secure Element chip, so your Secret Recovery Phrase won’t run risk,” the company wrote in the Twitter thread accompanying the video. If a user loses or forgets their private key, they go through an identification confirmation service to recover and restore it.
The community responds
A security advocate advertising a device that contains a completely inviolable and immovable private key, then suddenly announcing that the key actually could be opened and shared with third parties, did not sit well with much of the Web3 community.
Equally troubling was the fact that users had to provide government-issued ID in order to subscribe to Ledger Recover.
In the midst of the backlash on Tuesday, Ledger organized a Twitter space (which was attended by over 48,000 people) to address the controversy. Guillemet, company co-founder Nicolas Bacca, Chief Experience Officer Ian Rogers and CEO Pascal Gauthier took turns answering questions from an agitated and curious community.
“Every shard [is stored with] any partner,” Guillemet clarified during the Twitter space. “When you want to recover, you go through your account, including through those partners, and an ID identification process to make sure it’s you. The two partners verify that it is you, if there is any doubt, the process is stopped. There are plenty of different measures and measures to ensure that you are the one to restore your seed.”
The team also made it clear that they plan to open-source the code for the service in the future so that users can see how it works and even use it to create their own version if they wish.
Gauthier leaned into the company’s new development in no uncertain terms. Responding to criticism that Ledger has proven to be unreliable in the past and that Ledger Recover goes against the wishes of the crypto community, Gauthier said: “People who get angry with these products don’t realize that there are hundreds of millions of people out there who have many ways to get their seed. support in many ways that are very uncertain.
“This is what our future customers want. I’m sorry, but the paper is a thing of the past. There is no compromise in our safety. I see people on Twitter saying they are sure this will be hacked in the next six months. Okay, let’s see. When you have an excellent track record, you know you can be confident that the next step will be very similar.”
The real risks of Ledger Recover
The main issue surrounding the controversy is whether users who choose not to sign up for the service will nonetheless have a backdoor to their private keys opened by the firmware update, one that hackers could potentially use. And while Bacca admitted during the Twitter space that those who sign up for the service are technically opening themselves up to a new attack vector, some in the Web3 community believe those who don’t subscribe to the service really have nothing to worry about.
To allay fears about the wallets’ accessibility and security, and to provide clarity on the basics of how the wallets work in the first place, those who believe skeptics are overreacting have pointed out that Ledger wallets are inherently upgradeable. Without the ability to be upgraded, hardware wallets would lose functionality as blockchains themselves upgrade over time, and any device that interacts with the blockchain must be able to adapt accordingly.
If a Ledger were a non-upgradable box with a private key inside, then every algorithm that any blockchain will ever use should already be in the box. And if they didn’t think to include a newer algorithm, you should throw it away and buy a newer model.
— Haseeb >|< (@hosseeb) May 17, 2023
As innocent as the subscription service may or may not be, there’s no denying that Ledger bears responsibility for miscommunicating the nature of its devices and services over the years. The Ledger Recover controversy, like many before it, also brings to light the ongoing struggle that blockchain-centric organizations face: striking a balance between user experience and upholding the core principles of the crypto community is a challenging task.
Ultimately, Gauthier believes that the community will decide for itself whether or not to continue to trust the company.
“If you feel like Ledger is going in the wrong direction, there are a number of players who are also our friends in the industry, and we’re trying to build a safe space with them,” Gauthier said at the end of the Twitter space. “I have no problem with you disagreeing, and you can certainly use another service. It is very easy to switch from us to someone else. Of course I’m not encouraging you to do it; I think Ledger is the safest product in the industry today.”