Topic: Onekey Classic or Bitbox (Read 371 times)

According to the data I found, Trezor currently has 150 employees, while both onekey and keystone only have 30+ respectively. The open-source hardware wallet companies are too small.

You are replying to a post from July. I did check. Back then, Trezor was revamping their website and their store, adding new products, and I remember not seeing Trezor Model T on the list with their newest hardware wallets. It was part of their bundles packages, but somehow they forgot to add it to the list of shop items. They added it later, of course.

This is not true, plese don't share false information without checking first.
Everyone can clearly see Trezor Model T available in their store and it can be purchased for €77.2 with 40% Black Friday discount.
Just to make sure I went agead and adde Trezor T in my cart to test if I can actually purchase it, and I can.
If I had to choose I would rather buy Trezor 3 safe that is cheaper., but others can choose whatever they want.


https://trezor.io/store

OneKey on the other hand did discontinue some of their old devices, same as many other hardware wallet manufacturers.

Wallet Scrutiny last tested OneKey classic 2 months ago, and it passed all the tests except the last one. The binary they built from source doesn't match the published source code. Some other wallets fail on this step as well. For instance, Blue Wallet has done that several times. I don't have the competence to explain that, but I can see that there was some discussion about it between the Wallet Scrutiny team and OneKey on GitHub. I leave it to other people to comment on and interpret what the reasons are for failing the final test and if what OneKey said makes sense.

Besides Wallet Scrutiny, there are other researchers who test crypto wallet and perhaps it passed all their testing...

See https://walletscrutiny.com/hardware/onekey/   and  https://github.com/OneKeyHQ/firmware/releases (I have check the hash of classic.3.9.0-Stable-0805-f3b0717.signed.bin)
The latest version of classic/v3.9.0 (Aug 12, 2024) still not passed through WalletScrutiny's testing.   
Why can a hardware wallet that has never passed walletscrutiny testing be called an open-source wallet?

One problem with not having the latest (or one of the latest) models is the chance the company will drop support for it. We have already seen it with other hardware wallet brands and recently with Trezor as well. Once the Trezor Safe 5 came out, they abandoned the Trezor T. And it's not even their oldest device. You can't buy it from their shop anymore. They will surely still keep it updated with new firmware for some time, but will eventually stop doing that as well.

The next on the list to get retired is surely Trezor One. Trezor Safe 3 is its successor. I own a Trezor One and hope that won't happen soon. End of support doesn't make the device useless and unsafe, though. But it does mean that you won't be able to use new features, future bug fixes, speed updates, etc.

Most Chinese people distrust Chinese companies, too.

Trezor is without a doubt the best hardware wallet company. I currently use trezor safe 3 and bitbox02, and have plans to buy safe 5.

Trezor one, safe 3, and Bitbox02 have the same small screen resolution (128*64).  And the small screen is really inconvenient.

On my opinion,  
      (1) the main concern for bitbox is that there are too few users.
      (2) For onekey and keystone, the main concern is that the Chinese lack integrity and credit.
      (3) As for the trezor one, the anxiety is that the seed phrases and passphrase are typed directly on the computer.
                      

I strongly disagree.  Look how small that screen is.  How are you supposed to read everything you're signing on that tiny screen?  You have to scroll through the data, which makes it easier to miss something if it doesn't match.  I have the same complaint with Ledger Nano screens, and some of the OneKey screens.  They're awful.

If you're plugging a Bitbox directly into your computer, that small screen is even harder to read.  I honestly can't imagine who thought that design was a good idea.  I can't imagine how anyone thinks a small screen on a hardware wallet is a good idea.

You need to be able to read everything clearly in order to confirm what the device received is identical to what the wallet app sent it.  This is going to become even more important in the future as hackers try to figure out how to steal coins.

Also, tapping on two places on a Bitbox instead of having actual buttons is poor design.  I get the concept.  They were going for a minimalist look, but in actual use, it's kind of obnoxious.  Prioritizing form over function is bad design.

Lots of people get sucked into the mentality of buying a cool gadget.  Try hard to avoid being that guy.


If you're buying directly from the manufacturer (in this case, Trezor), you're fine.  In the entire history of hardware wallets, the only documented case of a supply chain attack that I've seen was where somebody bought a hardware wallet from a third party.  If hackers are disassembling hardware wallets to insert their own components, a secure element chip is irrelevant since they'd remove it and swap in their own chip.

It just seems to me like you're itching to buy a new gadget.  You said you already own a Trezor, so you've already got what you need.  Spend the money on sats instead.  Or, if you really want to buy a new hardware wallet, buy something DIY and fully open source, like a SeedSigner.

If I thought your Trezor wasn't a good choice, I'd definitely tell you so.  You've got an excellent hardware wallet.

Interesting, and I'd love to know more details....but in any case, if I had to go with a HW wallet whose manufacturer is based out of China/Hong Kong or one from Switzerland that has a decent reputation (AFAIK), I'd go with the latter.  That's some bias on my part obviously, but that's the way I see it.

But also, I've tried the Bitbox02 and basically like it except for a few minor things having to do with convenience, and I have no experience with OneKey.


Yep, that's part of what I hate about it.  That and where you have to touch the device to enter your password, etc.  And I know you don't have to use Bitbox's software, but I have and it needs some improvement.

Bitbox02 is easier to use than trezor safe 3.

Yes, I think so, too.

Can secure element chips be used to prevent supply chain attacks? The Trezor suite app provides authenticity verification for safe 3, but no such function for trezor one.

The ability to use a hardware wallet fully airgapped is only a benefit if the device has a large enough screen to clearly show you the entire contents of every QR code that you scan, and it's only a benefit if you have the discipline to always read it to make sure the text the device shows you (from the QR code) matches what you were expecting (from the transaction you're doing).  Otherwise, there's still potential for a hacker to hack the app you're using for the transaction - or worse, trick you into using a lookalike app.

I'm not badmouthing airgapped hardware wallets though.  I'm a huge fan of a project called Krux, which is fully airgapped, stateless, uses encrypted seed QR codes, and has very active development (they've also won grants from OpenSats.  They're legit).

In my experience, most of the people who jump from hardware wallet to hardware wallet care more about cool gadgets than they care about actual security (I'm not talking about people who test hardware wallets).  I wouldn't even consider a Bitbox.  Look how tiny that screen is.  The smaller the screen, the easier it is for you to make a mistake.

For your needs, I would recommend a Trezor.  Their hardware wallets are fully open source and probably have the most eyes on the code, which means it's safe.  You don't even need the latest model.  Yeah, I know, the new model has a secure element chip, but as Ledger taught us all, keys can be extracted from a secure element chip (P.S. Don't buy a Ledger).  The use of secure element chips is mostly just marketing, because people who don't understand this stuff see that term and think it's what they want, because it uses the word secure.

keystone has attracted my attention because of air-gapped. Hopefully trezor will also release an air-gapped HW product.

This would be my advice too.

Maybe because OneKey code was not tested for a long time by them, and they are not always up to date.
I see OneKey Touch was check last time 1 year ago, and OneKey also discontinued some old devices and released new models.
Now they have OneKeyPro and OneKey Classic 1S that was never tested by Walletscrutiny website.

Yes, the Keystone 3 Pro now bears the "Reproducible" tag by Wallet Scrutiny. Since the company is no longer selling their older models (Keystone Essential and Keystone Ultimate), it doesn't matter what their status currently is on the Wallet Scrutiny website.

Regarding OneKey Touch, Wallet Scrutiny last tested this device about one year ago. At the time, they weren't able to match the binary with the public source code. Perhaps it's time for another test to see if something changed in the meantime.

Now keystone passed the open source testing of WalletScrutiny, but onekey still not.  (see https://walletscrutiny.com/hardware/keystone3.pro/ )

I would always go for the wired connection instead of Bluetooth. Bluetooth connection can in theory be intercepted, but that's really not something the average person should worry about, unless someone targets you personally. The attacker would have to be close to you. 5, 10, 50 meters... It all depends on the type of Bluetooth device and connection. You are out of luck if the wallet has other vulnerabilities besides the faulty secure element implementation.   

Me too i have the Onekey classic, ordered it but found out of the vulnerability after (it was for onekey mini, the classic version was not affected as i know and you should of had the actual physical wallet to do some nasty things with it, not remote)

It is fixed, but what i do hope is that the wallet wont send any private key to their app. Is using the usb or bluetooth the same thing in terms of security? Or if the app/wallet has a bug it wont matter anyway?

Thank your suggestions.
I placed an order for OneKey, now own three different brands of hardware wallets: Trezor One, Bitbox02, and OneKey Classic. I will pay attention to the OneKey's open source nature and reputation, and will immediately don't use it if anything bad happens.

Firstly, forget about trustpilot and review sites like that in general. Don't believe what it says as it can very easily be fake. Secondly, what do you mean with 'stolen customers'? I feel like you are using google translate or something like that. Perhaps you are referring to complaints by 12 customers who lost funds/had them stolen. Again, that doesn't mean much. Most problems that lead to loss of funds are a result of user mistakes so I wouldn't worry about it.  

That's true for any hardware wallet. So, think twice before you do something you might later regret. If in doubt, ask questions before, not after making a mistake.