Topic: Onekey Classic or Bitbox (Read 300 times)

One problem with not having the latest (or one of the latest) models is the chance the company will drop support for it. We have already seen it with other hardware wallet brands and recently with Trezor as well. Once the Trezor Safe 5 came out, they abandoned the Trezor T. And it's not even their oldest device. You can't buy it from their shop anymore. They will surely still keep it updated with new firmware for some time, but will eventually stop doing that as well.

The next on the list to get retired is surely Trezor One. Trezor Safe 3 is its successor. I own a Trezor One and hope that won't happen soon. End of support doesn't make the device useless and unsafe, though. But it does mean that you won't be able to use new features, future bug fixes, speed updates, etc.

Most Chinese people distrust Chinese companies, too.

Trezor is without a doubt the best hardware wallet company. I currently use trezor safe 3 and bitbox02, and have plans to buy safe 5.

Trezor one, safe 3, and Bitbox02 have the same small screen resolution (128*64).  And the small screen is really inconvenient.

On my opinion,  
      (1) the main concern for bitbox is that there are too few users.
      (2) For onekey and keystone, the main concern is that the Chinese lack integrity and credit.
      (3) As for the trezor one, the anxiety is that the seed phrases and passphrase are typed directly on the computer.
                      

I strongly disagree.  Look how small that screen is.  How are you supposed to read everything you're signing on that tiny screen?  You have to scroll through the data, which makes it easier to miss something if it doesn't match.  I have the same complaint with Ledger Nano screens, and some of the OneKey screens.  They're awful.

If you're plugging a Bitbox directly into your computer, that small screen is even harder to read.  I honestly can't imagine who thought that design was a good idea.  I can't imagine how anyone thinks a small screen on a hardware wallet is a good idea.

You need to be able to read everything clearly in order to confirm what the device received is identical to what the wallet app sent it.  This is going to become even more important in the future as hackers try to figure out how to steal coins.

Also, tapping on two places on a Bitbox instead of having actual buttons is poor design.  I get the concept.  They were going for a minimalist look, but in actual use, it's kind of obnoxious.  Prioritizing form over function is bad design.

Lots of people get sucked into the mentality of buying a cool gadget.  Try hard to avoid being that guy.


If you're buying directly from the manufacturer (in this case, Trezor), you're fine.  In the entire history of hardware wallets, the only documented case of a supply chain attack that I've seen was where somebody bought a hardware wallet from a third party.  If hackers are disassembling hardware wallets to insert their own components, a secure element chip is irrelevant since they'd remove it and swap in their own chip.

It just seems to me like you're itching to buy a new gadget.  You said you already own a Trezor, so you've already got what you need.  Spend the money on sats instead.  Or, if you really want to buy a new hardware wallet, buy something DIY and fully open source, like a SeedSigner.

If I thought your Trezor wasn't a good choice, I'd definitely tell you so.  You've got an excellent hardware wallet.

Interesting, and I'd love to know more details....but in any case, if I had to go with a HW wallet whose manufacturer is based out of China/Hong Kong or one from Switzerland that has a decent reputation (AFAIK), I'd go with the latter.  That's some bias on my part obviously, but that's the way I see it.

But also, I've tried the Bitbox02 and basically like it except for a few minor things having to do with convenience, and I have no experience with OneKey.


Yep, that's part of what I hate about it.  That and where you have to touch the device to enter your password, etc.  And I know you don't have to use Bitbox's software, but I have and it needs some improvement.

Bitbox02 is easier to use than trezor safe 3.

Yes, I think so, too.

Can secure element chips be used to prevent supply chain attacks? The Trezor suite app provides authenticity verification for safe 3, but no such function for trezor one.

The ability to use a hardware wallet fully airgapped is only a benefit if the device has a large enough screen to clearly show you the entire contents of every QR code that you scan, and it's only a benefit if you have the discipline to always read it to make sure the text the device shows you (from the QR code) matches what you were expecting (from the transaction you're doing).  Otherwise, there's still potential for a hacker to hack the app you're using for the transaction - or worse, trick you into using a lookalike app.

I'm not badmouthing airgapped hardware wallets though.  I'm a huge fan of a project called Krux, which is fully airgapped, stateless, uses encrypted seed QR codes, and has very active development (they've also won grants from OpenSats.  They're legit).

In my experience, most of the people who jump from hardware wallet to hardware wallet care more about cool gadgets than they care about actual security (I'm not talking about people who test hardware wallets).  I wouldn't even consider a Bitbox.  Look how tiny that screen is.  The smaller the screen, the easier it is for you to make a mistake.

For your needs, I would recommend a Trezor.  Their hardware wallets are fully open source and probably have the most eyes on the code, which means it's safe.  You don't even need the latest model.  Yeah, I know, the new model has a secure element chip, but as Ledger taught us all, keys can be extracted from a secure element chip (P.S. Don't buy a Ledger).  The use of secure element chips is mostly just marketing, because people who don't understand this stuff see that term and think it's what they want, because it uses the word secure.

keystone has attracted my attention because of air-gapped. Hopefully trezor will also release an air-gapped HW product.

This would be my advice too.

Maybe because OneKey code was not tested for a long time by them, and they are not always up to date.
I see OneKey Touch was check last time 1 year ago, and OneKey also discontinued some old devices and released new models.
Now they have OneKeyPro and OneKey Classic 1S that was never tested by Walletscrutiny website.

Yes, the Keystone 3 Pro now bears the "Reproducible" tag by Wallet Scrutiny. Since the company is no longer selling their older models (Keystone Essential and Keystone Ultimate), it doesn't matter what their status currently is on the Wallet Scrutiny website.

Regarding OneKey Touch, Wallet Scrutiny last tested this device about one year ago. At the time, they weren't able to match the binary with the public source code. Perhaps it's time for another test to see if something changed in the meantime.

Now keystone passed the open source testing of WalletScrutiny, but onekey still not.  (see https://walletscrutiny.com/hardware/keystone3.pro/ )

I would always go for the wired connection instead of Bluetooth. Bluetooth connection can in theory be intercepted, but that's really not something the average person should worry about, unless someone targets you personally. The attacker would have to be close to you. 5, 10, 50 meters... It all depends on the type of Bluetooth device and connection. You are out of luck if the wallet has other vulnerabilities besides the faulty secure element implementation.   

Me too i have the Onekey classic, ordered it but found out of the vulnerability after (it was for onekey mini, the classic version was not affected as i know and you should of had the actual physical wallet to do some nasty things with it, not remote)

It is fixed, but what i do hope is that the wallet wont send any private key to their app. Is using the usb or bluetooth the same thing in terms of security? Or if the app/wallet has a bug it wont matter anyway?

Thank your suggestions.
I placed an order for OneKey, now own three different brands of hardware wallets: Trezor One, Bitbox02, and OneKey Classic. I will pay attention to the OneKey's open source nature and reputation, and will immediately don't use it if anything bad happens.

Firstly, forget about trustpilot and review sites like that in general. Don't believe what it says as it can very easily be fake. Secondly, what do you mean with 'stolen customers'? I feel like you are using google translate or something like that. Perhaps you are referring to complaints by 12 customers who lost funds/had them stolen. Again, that doesn't mean much. Most problems that lead to loss of funds are a result of user mistakes so I wouldn't worry about it.  

That's true for any hardware wallet. So, think twice before you do something you might later regret. If in doubt, ask questions before, not after making a mistake.

Originally, I only intended to use Trezor as it has the most users and the most open-source nature. I came across various user reviews of hardware wallets on the website https://www.trustpilot.com/review/ , and found that Trezor had the most stolen customers (= 12). Although it is widely believed that users' responsibility led to these thefts, but a single mistake could wipe me out. So I chose diversifying my altcoins in 3 different brand hardware wallets.


Compared to OneKey, DKBit98 may prefer Keystone, perhaps because Keystone is air-gapped.
However, in terms of user base, OneKey (with 50k downloads on Google Play) is significantly larger than Keystone (with 5k downloads).

Thank you all for the replies.

I will use Onekey with Sparrow for now, i dont think there is something that might go wrong, i use it on a mac i only use for basic stuff and i am quite obsessed with some security on it.

Anyway the vulnerability was on Onekey Mini and you actually needed to had the physical device and put some tool between the security chip and cpu?? I think. Anyway acording to them it was fixed but anyway…guess no company is 100% safe.

Btw i also have a Safepal S1 but i wont use that closed source and everything. I guess its worst than Onekey 🤣

Since you are working with altcoins, I don't see the point in adding a 3rd hardware wallet to the mix. I don't have a a lot of positive things to say about most altcoins anyway. The Trezor One is a decent unit. I have never used a BitBox, so I don't feel like saying anything about it.

I haven't done any research or read their explanations (if they gave any) why WalletScrutiny wasn't able to verify the binaries. Looking at if from far away, it's not a good sign if you call yourself open-source but those claims can't be verified.

The Trezor Safe 3 is a younger, stronger, and more modern version of the Trezor One. It's probably going to replace Model One completely one day. But dkbit98 mentioned something interesting. OneKey had a serious vulnerability a few months ago where it was proven that the keys from its secure element weren't encrypted and thus could be intercepted. That's exactly what a security company did and made OneKey aware of that. Despite the existence of a SE chip, it didn't make the wallet safer because it was coded wrongly. Who knows what else they did wrong that is yet to be discovered.

I want to buy three different brands of hardware wallets to diversify my altcoin storage. Currently I have TREZOR ONE and BITBOX02, both were purchased directly from the official website. It's hard to choose the third one, as both onekey and keystone do not passed the open source testing of WalletScrutiny. Is there any problem with the open source nature of OneKey at present? Can I trust that it is completely open source?
Is it better that buying a new Trezor safe 3 (only using trezor safe 3 and bitbox02), instead of onekey or keystone (using trezor one, bitbox02, onekey/keystone)? Thank you!

Using a passphrase, I am not very worried about being stolen after physical acquisition. Two worried things: 1. It cannot be hacked remotely. 2. It must be sufficiently open source to allow the community to fully review it.

OneKey is biggest hardware wallet manufacturer from China and they are very popular there, but they mostly cloned code from Trezor.
From my own experience after talking with them about working together on one project, I can say they are semi-amateurs and liars.
I can't seak much about quality of Onekey wallets, but I know they had serious bug connected with secure element, and I wouldn't really use any Onekey device as a main hardware wallet.
Bitbox is Swiss made and they are more professional but small team so don't expect miracles from them, and I think they also started with Trezor code.

I would rather choose Trezor 3 Safe original wallet, instead of both options you mentioned.

It would have been better if you asked these questions before ordering your OneKey, but it doesn't matter now.

The positive thing is that both wallets are open-source. I also remember that the OneKey is one of those wallets that is based on Trezor's codebase with an added secure element. However, WalletScrutiny couldn't match the binary with the published source code. Compared to that, they managed to do it with the BitBox02.

You are now not comparing hardware wallets, but rather between decentralized cross-chain swap aka bridge, and these bridges have a bad reputation, as most of the hackers in recent years were from these bridges, so I do not advise you to use them if you intend to exchange thousands of dollars for the high fees, limited liquidity, and the possibility of hacking the bridge and lose your money.

Onekey use swftbridge If you download the application from https://www.swft.pro/#Download and use it with any wallet, you will get the same results, but Onekey provides a built-in interface as shown here https://help.onekey.so/hc/en-us/articles/4910514476303-Use-App-to-swap-and-DeFi.

you can compare Onekey and Bitbox in other things related to hardware wallets.

You can compare them on our website: https://thebitcoinhole.com/hardware-wallets/bitbox02-multi-vs-onekey-classic

Hello mates,

I wanted to check upon your experiences with these two devices. I already ordered the Onekey Classic so i guess will use that for a while. But was more interested on your thoughts about these, will use them for BTC and to crosschain swap between BTC and USDT on different times, instead on dealing with CEX's.