
Topic: What do you think about trust wallet? - page 3. (Read 1648 times)

hero member
Activity: 2282
Merit: 589
December 22, 2022, 01:39:55 AM
#59
I would not call it a drawback of open source wallets, but it is more of carelessness from the people who download the fake wallets.

To be very straightforward, if a person cannot detect a fake wallet and does not know from where to download an open source wallet, or how to verify it then I am afraid he deserves to lose his funds.

The scammer can clone or do whatever he wants to do, the crypto investors should first learn on how to stay away from phishing attempts.
I never read any news open wallet apps can be hacked except user carelessness can't tell the difference between cloned apps and downloading unofficial wallet apps, phishing and others. All those faults are possible that the wallet can be hacked and all the assets will be stolen, the phishing statistics have increased drastically in the first half of 2022. So it is important that users should use the official wallet application and avoid all the mistakes that are vulnerable to hacking.
legendary
Activity: 3136
Merit: 1172
December 21, 2022, 12:33:22 PM
#58
Trust wallet is only keeping things balanced as it'll be bad to have all open source wallets in the market regarding the cloning or mimicking of wallets which led them to opt-in for closed source. ~ that someone downloaded the code of Bread wallet and worked a similar wallet and named it breadwallet and scammed people of their money.
This has always been a very weak excuse that closed source developers use to justify their shady behavior. Otherwise as Leo pointed out, it is very easy to create a fake wallet and fool newbies into downloading it. I'd argue that you don't even need to clone the UI because newbies who download these fake and malicious wallets only seek the "name". The scammer could clone the UI from an open source project (eg. Electrum) call it breadwallet 2.0 and then claim that they had reworked/improved the UI in the "new" version! The newbies would still fall for it.

I would not call it a drawback of open source wallets, but it is more of carelessness from the people who download the fake wallets.

To be very straightforward, if a person cannot detect a fake wallet and does not know from where to download an open source wallet, or how to verify it then I am afraid he deserves to lose his funds.

The scammer can clone or do whatever he wants to do, the crypto investors should first learn on how to stay away from phishing attempts.
legendary
Activity: 2730
Merit: 7065
December 21, 2022, 04:42:38 AM
#57
Trust wallet is only keeping things balanced as it'll be bad to have all open source wallets in the market regarding the cloning or mimicking of wallets which led them to opt-in for closed source.
If that was the case, Electrum would be a bad piece of software where many users would lose their bitcoin due to their vulnerable open-source code. But despite being open-source from the beginning, that isn't happening. The cases of people losing their coins on Electrum are self-inflicted: phishing, clipboard malware, fake apps, etc.   

The open source wallets is risky and could get hacked too though as @nonce said that it opens room for more security Unlike closed source.
There will always be a battle between good and bad no matter if the software is open or closed-source. Software and hardware can be reverse-engineered even if it's closed-source. 

I read on medium that someone downloaded the code of Bread wallet and worked a similar wallet and named it breadwallet and scammed people of their money. This is the faith of open source wallets despite being the best wallets as it's not centralized its open and easy for hackers to test their work.
Those scams happened because the users downloaded and installed the wrong software from the wrong websites. If they didn't do that, they wouldn't have had their coins stolen. BRD wasn't hacked. Scammers didn't look at the open-source code and found vulnerabilities that allowed them to steal coins. They created a fake wallet and tricked people into using it.
legendary
Activity: 3472
Merit: 10611
December 20, 2022, 11:26:41 PM
#56
Trust wallet is only keeping things balanced as it'll be bad to have all open source wallets in the market regarding the cloning or mimicking of wallets which led them to opt-in for closed source. ~ that someone downloaded the code of Bread wallet and worked a similar wallet and named it breadwallet and scammed people of their money.
This has always been a very weak excuse that closed source developers use to justify their shady behavior. Otherwise as Leo pointed out, it is very easy to create a fake wallet and fool newbies into downloading it. I'd argue that you don't even need to clone the UI because newbies who download these fake and malicious wallets only seek the "name". The scammer could clone the UI from an open source project (eg. Electrum) call it breadwallet 2.0 and then claim that they had reworked/improved the UI in the "new" version! The newbies would still fall for it.
legendary
Activity: 2268
Merit: 18711
December 20, 2022, 10:29:13 AM
#55
I'd say that Closed source shouldn't be considered completely bad, they're actually protecting their wallets from attackers.
I know this is the reasoning Trust wallet give for being closed source, but I don't buy this reasoning at all. The only part of a wallet which 99.9% of users pay attention is the GUI. It is trivial to clone a GUI even without access to the source code. Being closed source might keep all the back end, the wallet generation process, the signing transaction processes, etc., hidden from attackers, but attackers do not care about any of that in the slightest. All they need is a wallet which looks the same as Trust wallet, which sends any generated or entered seed phrases to their server online. So they can use any bare bones code which generates seed phrases, add in their malicious code to send those seed phrases to a server, copy the GUI just by looking at it, and release it to the app store as "Trust Wallet". Being closed source does nothing to protect against this.
hero member
Activity: 1274
Merit: 561
December 20, 2022, 10:19:43 AM
#54
Trust wallet is only keeping things balanced as it'll be bad to have all open source wallets in the market regarding the cloning or mimicking of wallets which led them to opt-in for closed source. The open source wallets is risky and could get hacked too though as @nonce said that it opens room for more security Unlike closed source. Everybody can check the codes for bugs which tightens the security of the wallet; but these people are unknown to users and it doesn't guarantee security since users depends on developers to check the code. I read on medium that someone downloaded the code of Bread wallet and worked a similar wallet and named it breadwallet and scammed people of their money. This is the faith of open source wallets despite being the best wallets as it's not centralized its open and easy for hackers to test their work. I'd say that Closed source shouldn't be considered completely bad, they're actually protecting their wallets from attackers.
hero member
Activity: 2282
Merit: 589
December 18, 2022, 12:14:39 AM
#53
Exactly.
It may make some sense to use a closed source wallet like Coinomi for certain altcoins or claiming airdrops that don't have any decent open source wallets specially light weight wallets but there is simply no justification for choosing a closed source wallet when we already have good open source wallets for bitcoin.
Several closed source wallet apps launched programs to attract new users and airdrop feature not available in open source wallet apps, Safepal wallet launched Wallet Holder Offering (WHO) airdrop program for holders to have SFP tokens in wallet for certain time to get new potential tokens. But I just want to say that users can participate for WHO but they are not advised to use Safepal to store wallet assets after the airdrop program ends and have distributed tokens, all assets from Safepal wallet must be transferred to open source wallet, I only use Metamask for wallet altcoin assets and Electrum for Bitcoin wallets.
hero member
Activity: 1666
Merit: 513
December 18, 2022, 12:14:06 AM
#52
I think the reason for the popularity of this wallet is that it is invited by....

The same people who believe that the CEX you mention is something they should trust, surely believe that they should trust the Trust wallet just because it has "trust" in its name. If some kind of research were done, I have no doubt that a large percentage of those who use this wallet would probably admit that they use it because of the name, which is of course absurd in every way.

Trust wallet is also promoted by CZ. This isn't originally developed by Binance team, they just bought Trustwallet and further developed it with a TWT token which has been tanking that's why its popularity increases.

Trust is a close source project, it wouldn't be surprising that there is a backdoor to the wallet where the team has a copy of our seed. It's possible. You can't fully trust a team.
Trust wallet is steadily growing in popularity based on users. Trust wallet is basically a non-custodial digital wallet that uses hot storage for cryptocurrencies. Trust Wallet essentially connects individual blockchain networks through a bridge. Each blockchain has a set of public addresses known as public keys. One thing to note here is that Trust Wallet does not store any cryptocurrency on the server. It only gives users access to its wallet. No earning can be generated using Trust wallet but the gas fees are distributed among the valid miners. Since Trust Wallet is a software wallet, it cannot offer the same security as a hardware wallet. They always try their best to provide security to its users but considering all the things we can not completely believe in it.
hero member
Activity: 2436
Merit: 877
December 17, 2022, 10:16:50 PM
#51
It may make some sense to use a closed source wallet like Coinomi for certain altcoins or claiming airdrops that don't have any decent open source wallets specially light weight wallets but there is simply no justification for choosing a closed source wallet when we already have good open source wallets for bitcoin.
Good point. virasog asked why use Trust Wallet or a similar closed-source wallet when you can use the open-source Unstoppable Wallet? One reason is coin support. When I was looking at AtomicDEX and Unstoppable Wallet last month when there was some discussion about these two apps in a different thread, I noticed that these two pieces of software don't support a particular coin on one blockchain the OP of that thread was asking about. However, several closed-source wallets do. Add Bisq to that mix as well because they didn't support it either.

If I am someone that wants to use that particular token on that specific network on an open-source wallet, I simply can't. My choices are either not to use that token or accept the fact that I can only do it with a closed-source wallet. I doubt there are standalone light clients for that coin that are open-source, but that's a discussion for the altcoin section.


Well, no one is saying that we cannot use a trust wallet (or any closed source wallet) in case the coins we need to store are not available in open source software like Unstoppable wallet.
The best way to deal with this situation is to store your funds in open source wallets and for those few coins which can't be stored in the Unstoppable wallet, we can use a trust wallet only for those coins.
legendary
Activity: 2730
Merit: 7065
December 17, 2022, 03:07:00 AM
#50
It may make some sense to use a closed source wallet like Coinomi for certain altcoins or claiming airdrops that don't have any decent open source wallets specially light weight wallets but there is simply no justification for choosing a closed source wallet when we already have good open source wallets for bitcoin.
Good point. virasog asked why use Trust Wallet or a similar closed-source wallet when you can use the open-source Unstoppable Wallet? One reason is coin support. When I was looking at AtomicDEX and Unstoppable Wallet last month when there was some discussion about these two apps in a different thread, I noticed that these two pieces of software don't support a particular coin on one blockchain the OP of that thread was asking about. However, several closed-source wallets do. Add Bisq to that mix as well because they didn't support it either.

If I am someone that wants to use that particular token on that specific network on an open-source wallet, I simply can't. My choices are either not to use that token or accept the fact that I can only do it with a closed-source wallet. I doubt there are standalone light clients for that coin that are open-source, but that's a discussion for the altcoin section.
legendary
Activity: 3472
Merit: 10611
December 17, 2022, 12:16:03 AM
#49
When you have opted to put the funds in your personal non-custodial wallet, why not make a step further in selecting an open-source wallet such as an unstoppable wallet and save yourself from any possible issues?
Exactly.
It may make some sense to use a closed source wallet like Coinomi for certain altcoins or claiming airdrops that don't have any decent open source wallets specially light weight wallets but there is simply no justification for choosing a closed source wallet when we already have good open source wallets for bitcoin.
legendary
Activity: 3136
Merit: 1172
December 16, 2022, 06:30:13 PM
#48
What they are saying is that Trust wallet is not opensource wallet which could mean Binance may have altered something to the codes that are not known to users. Who knows maybe they put some backdoors to it.
Even though this is a "thing" for a closed source application, I think this is not possible "right now" considering Binance is the one behind the continuous development of the wallet.
Well, unless they become like FTX which will be the worst to happen in crypto considering how the market was affected previously, or those shitty exchanges, anyway that's a different topic already.

But of course, being security cautious will keep you away from related danger better safe than never.
Binance (or any similar centralized entity in control of a closed source wallet) doesn't have to be malicious itself, their code could contain backdoors and they could never see it while it is being exploited by hackers, etc. On top of that the other issue with closed source software like this is that they usually rely on a centralized server which means the user has 0 privacy.

When you have opted to put the funds in your personal non-custodial wallet, why not make a step further in selecting an open-source wallet such as an unstoppable wallet and save yourself from any possible issues?

A decentralized non-custodial wallet is nothing but an interface given to you on the blockchain where you can see and control your funds and you are given a 12 or 24 words key to access that wallet. Now, when you use a closed-source wallet, there is always a risk of malicious activity at the backend which no one knows. Suppose we're using trust wallet and someday binance become bankrupt and they exploit that code which they have hiddenly deployed in their wallet. So why take the risk of closed source wallet?



I didn't know it existed unless theymos mentioned it(not a vouch). He was also asking if someone has checked/used the wallet. It doesn't sound to be a vouch/recommendation Well, unstoppable wallet sounds to be a decent one so far for multi coin but personally, I haven't used that wallet as I don't feel it necessary so far.

Not many people knew about unstoppable wallet, as they can't match the marketing which Binance owner CZ can do for trust wallets. You can see the number of trust wallet downloaded are way higher than the number of unstoppable wallet being downloaded and used. This also shows the ignorance of the bitcoin and crypto holders and investors. :(
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
December 16, 2022, 01:49:08 PM
#47
You have a very high (and unrealistic) opinion of these centralized services that doesn't seem true based on the history. All the hacks and weaknesses in their platforms in the past aside, we have also seen them be too incompetent in implementing new features like accepting SegWit addresses that most CEXes took years to do something very simple!

Besides when it comes to backdoors the best case scenario is to have them unintentionally. These companies are not bigger than Microsoft and we know their product (Windows) is the mother of all backdoors and it is closed source!
Oh, yeah, right that's why most open source wallets are the most targeted apps of any hacks, scams and phishing, e.g. Electrum. I remember millions was lost and got phished not once[1] but twice[2]. Well, there are lot of hack cases happened in an open source apps too  including the smart contracts[3].
Also, I bet there is no way you can verify that the code published publicly as open source are the same actual codes that were deployed on their live servers. Unless it was compiled by you to build the application from being open source, or from GitHub itself.
First of all: if / when an open-source product is successfully attacked, due to its nature, it becomes more secure and all other open-source projects can learn from that vulnerability, too and use the same countermeasures or fixes. Since fixes are pushed to public repositories, users are also informed of this automatically.
Meanwhile, if it happens to a closed-source product, not only may users never know about it, but fixes could get rolled out slowly and other wallets will never learn about this vulnerability; preventing the industry as a whole to become more secure, faster.

Regarding code verification: you should absolutely compile software yourself, and if you can't, at least inquire services like https://walletscrutiny.com/ to check that published builds match the source code.
Server software doesn't matter in a Bitcoin wallet. You should either connect to your own Bitcoin full node or use random nodes through Tor; whether this is actually happening, can absolutely be verified in an open-source application. Meanwhile a closed-source wallet may still continue using the manufacturer's (potentially rogue) server, even if you enter your own node's connection details.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
December 16, 2022, 07:49:58 AM
#46
Exporting the seed from Trust Wallet and importing it into Blue Wallet or anywhere else doesn't make that seed more secure because it got created by a wallet you don't trust.

What an ironic way to put things. :P

Regardless, the open source core of Trust Wallet should be safe to use, because anybody can audit the code, and it certainly doesn't look like there are any back[trap]doors or anything risky coming from Binance's side.
legendary
Activity: 3472
Merit: 10611
December 16, 2022, 06:08:41 AM
#45
Oh, yeah, right that's why most open source wallets are the most targeted apps of any hacks, scams and phishing, e.g. Electrum. I remember millions was lost and got phished not once[1] but twice[2]. Well, there are lot of hack cases happened in an open source apps too  including the smart contracts[3].
It is not impossible to see any vulnerability in open source software. The difference is that such vulnerabilities are extremely rare and are almost never in security critical parts. For example the example you used about Electrum was not a vulnerability in Electrum that led to any funds being lost by Electrum itself, it was a mistake by users who installed another malicious software from elsewhere and lost their coins to that scam.

Your smart contract example is also a bad one because from day one we knew that Ethereum protocol is flawed and can be exploited. So there was no surprise there. And we knew that because it is open source! We also know that they never really fixed it either.

Quote
Also, I bet there is no way you can verify that the code published publicly as open source are the same actual codes that were deployed on their live servers. Unless it was compiled by you to build the application from being open source, or from GitHub itself.
Good projects like Electrum and bitcoin core are using deterministic builds which means whoever compiles the source code will get the same exact binaries. So we can be sure that the binary that they publish is the same as the source code.

Quote
And talking about the coinomi, the lost amount of money were too little compared to electrum.
You should also consider that Coinomi is far less popular with a lot less number of users.

Quote
See, either its open source or closed source, hacks and scams happen. While being open source has huge advantage, but the fact that people still need to trust the developers who make the code and conduct the code audit because not everyone can read source codes, so you still need to "trust" someone/developer for your safety and fund security while most people who conduct this scams, hacks, phishing are developers as well.
That's true but based on popularity of the project you can be more sure that enough number of people have looked at the code to not have any backdoors. Regardless of how popular a closed source software is, you can never reach the same level of certainty.

Quote
Where later on you can sue the business for what incident happen, while you can't to open source developers because they are excluded if people read open source license particularly the MIT, ISC and other no liability open source licenses.
I don't think you can sue any of them. There is always some sort of Terms of Services that protects them from being liable. For example Trust wallet that is closed source is released under GPL! See Liability part of TrustWallet or Limitations of Coinomi.
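The check behind "deterministic builds" in the post above and "published builds match the source code" in post #47, as an added example that is not part of the thread or of any wallet project's code. It compares a published APK with a local rebuild entry by entry, skipping the v1 signing files that only the publisher's copy carries; all function names are hypothetical and the archives are constructed in memory.

```python
import hashlib
import io
import zipfile

# Files added by v1 (JAR) signing. A published build carries them, a local
# unsigned rebuild does not, so they are excluded from the comparison.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")


def is_signature_entry(name):
    upper = name.upper()
    if not upper.startswith("META-INF/"):
        return False
    return upper == "META-INF/MANIFEST.MF" or upper.endswith(SIGNATURE_SUFFIXES)


def entry_digests(archive_bytes):
    """Map each non-signature entry name to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            if info.filename in digests:
                # Two entries with one name make the comparison ambiguous.
                raise ValueError("duplicate entry: " + info.filename)
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_builds(published, rebuilt):
    """Report every difference between a published build and a local rebuild."""
    pub, own = entry_digests(published), entry_digests(rebuilt)
    shared = set(pub) & set(own)
    return {
        "only_in_published": sorted(set(pub) - set(own)),
        "only_in_rebuilt": sorted(set(own) - set(pub)),
        "content_differs": sorted(n for n in shared if pub[n] != own[n]),
    }


def is_reproducible(report):
    return not any(report.values())


def whole_file_sha256(archive_bytes):
    return hashlib.sha256(archive_bytes).hexdigest()


def make_archive(entries):
    """Build a ZIP/APK-like archive in memory (helper for the sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: not taken from any real wallet release.
SOURCE_OUTPUT = {
    "classes.dex": b"wallet code built from the tagged source",
    "res/layout/main.xml": b"<layout/>",
}
SIGNING_FILES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"constructed signature bytes",
}
REBUILT = make_archive(SOURCE_OUTPUT)
PUBLISHED_OK = make_archive({**SOURCE_OUTPUT, **SIGNING_FILES})
PUBLISHED_BAD = make_archive({
    **SOURCE_OUTPUT,
    **SIGNING_FILES,
    "classes.dex": b"wallet code plus something not in the source",
    "lib/extra.so": b"library that the source tree does not produce",
})

if __name__ == "__main__":
    for label, apk in (("matching", PUBLISHED_OK), ("mismatching", PUBLISHED_BAD)):
        report = compare_builds(apk, REBUILT)
        print(label, "reproducible:", is_reproducible(report), report)
    # Whole-file hashes differ even for the matching build (signing files),
    # which is why the comparison has to be made per entry.
    print(whole_file_sha256(PUBLISHED_OK) == whole_file_sha256(REBUILT))
```

A matching report only ties the published binary to the source that was rebuilt; it says nothing about whether that source is safe, and it does not replace checking the developer's signature on the download.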
legendary
Activity: 2730
Merit: 7065
December 16, 2022, 04:05:26 AM
#44
A good example is coinomi. Coinomi has been always a popular wallet and considered safe by many people, but it had a vulnerability sending users seed phrase to google servers.
To be fair, I think that was only the case with the desktop version of the application and not the mobile one. The problem is, there is no way to verify it for ordinary people because the software is closed-source and we can only trust/distrust the developers who obviously have an incentive to defend their product and show it off to be as good as possible. They seem to have disappeared from Bitcointalk. I can't remember the last time I saw a post by them.

Besides that one user who says he lost a significant sum of money because they sent seed words to Google for spellchecking, were there other exact cases with the same types of claims?

Oh, yeah, right that's why most open source wallets are the most targeted apps of any hacks, scams and phishing, e.g. Electrum. I remember millions was lost and got phished not once[1] but twice[2].
That was very unfortunate and you are right, it shouldn't have happened. But that happened in combination with several mistakes made by the victims.

- They downloaded fake software from fake Electrum websites.
- They installed these fake apps without realizing they were fake.
- They never verified the signatures of the applications they downloaded before installing them on their computers. Had they done that, they would have noticed that the binaries weren't signed by an Electrum developer and aren't official Electrum releases.   
hero member
Activity: 1554
Merit: 880
pxzone.online
December 16, 2022, 02:05:24 AM
#43
You have a very high (and unrealistic) opinion of these centralized services that doesn't seem true based on the history. All the hacks and weaknesses in their platforms in the past aside, we have also seen them be too incompetent in implementing new features like accepting SegWit addresses that most CEXes took years to do something very simple!

Besides when it comes to backdoors the best case scenario is to have them unintentionally. These companies are not bigger than Microsoft and we know their product (Windows) is the mother of all backdoors and it is closed source!
Oh, yeah, right that's why most open source wallets are the most targeted apps of any hacks, scams and phishing, e.g. Electrum. I remember millions was lost and got phished not once[1] but twice[2]. Well, there are lot of hack cases happened in an open source apps too  including the smart contracts[3].
Also, I bet there is no way you can verify that the code published publicly as open source are the same actual codes that were deployed on their live servers. Unless it was compiled by you to build the application from being open source, or from GitHub itself.

And talking about the coinomi, the lost amount of money were too little compared to electrum.
Well, it is still hacked, and I don't justify any kind of hacked, scam or anything to money theft.

See, either its open source or closed source, hacks and scams happen. While being open source has huge advantage, but the fact that people still need to trust the developers who make the code and conduct the code audit because not everyone can read source codes, so you still need to "trust" someone/developer for your safety and fund security while most people who conduct this scams, hacks, phishing are developers as well.
Same on a closed source apps, you need to trust the people/business behind of those codes.
So who should people trust? Unknown or/and known developers from open source community, or those developer paid by these businesses running those apps or just the business.
Where later on you can sue the business for what incident happen, while you can't to open source developers because they are excluded if people read open source license particularly the MIT, ISC and other no liability open source licenses.

[1] https://www.zdnet.com/article/users-report-losing-bitcoin-in-clever-hack-of-electrum-wallets/
[2] https://www.zdnet.com/article/bitcoin-wallet-trick-has-netted-criminals-more-than-22-million/
[3] https://4irelabs.com/articles/top-17-smart-contract-hacks/
legendary
Activity: 3472
Merit: 10611
December 15, 2022, 11:44:57 PM
#42
Binance (or any similar centralized entity in control of a closed source wallet) doesn't have to be malicious itself, their code could contain backdoors and they could never see it while it is being exploited by hackers, etc. On top of that the other issue with closed source software like this is that they usually rely on a centralized server which means the user has 0 privacy.
I'm still hostile to believe that it will be the case for closed source for having backdoors, or malicious codes. Especially for such business running financial apps, QA and other quality control will always be followed before releasing the app in production.
For privacy matters, indeed its always be the case for most closed source apps.
You have a very high (and unrealistic) opinion of these centralized services that doesn't seem true based on the history. All the hacks and weaknesses in their platforms in the past aside, we have also seen them be too incompetent in implementing new features like accepting SegWit addresses that most CEXes took years to do something very simple!

Besides when it comes to backdoors the best case scenario is to have them unintentionally. These companies are not bigger than Microsoft and we know their product (Windows) is the mother of all backdoors and it is closed source!
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
December 15, 2022, 04:26:35 PM
#41
Binance (or any similar centralized entity in control of a closed source wallet) doesn't have to be malicious itself, their code could contain backdoors and they could never see it while it is being exploited by hackers, etc. On top of that the other issue with closed source software like this is that they usually rely on a centralized server which means the user has 0 privacy.
I'm still hostile to believe that it will be the case for closed source for having backdoors, or malicious codes. Especially for such business running financial apps, QA and other quality control will always be followed before releasing the app in production.
For privacy matters, indeed its always be the case for most closed source apps.
It's not as if professional businesses running financial services have ever done the morally wrong thing, acted negligently, purposefully stole people's money or exit scammed users... riiiight..... ? ;)

I don't think I have to remind anyone of the track record of such companies, especially after the recent events (since people seem to forget that this happens on a yearly basis).

Coinomi has been always a popular wallet and considered safe by many people, but it had a vulnerability sending users seed phrase to google servers.
It's simply a fact that we can't spot such vulnerabilities if the code is closed. It is more work for companies, but open-source applications end up better and more secure in the long run.
legendary
Activity: 2380
Merit: 5213
December 15, 2022, 05:28:20 AM
#40
I'm still hostile to believe that it will be the case for closed source for having backdoors, or malicious codes.
Since there is no way to know whether a close source wallet has been coded properly or not, I would always consider the worst case scenario and avoid any close source wallet. Everything is possible.
A good example is coinomi. Coinomi has been always a popular wallet and considered safe by many people, but it had a vulnerability sending users seed phrase to google servers.