About SmeshWallet security

This document intends to answer some common questions about the security of SmeshWallet.

Why did you create SmeshWallet?

The project wallet is Smapp, which is a full node, and frequently experiences issues with syncing. Unless the wallet is fully in sync, you cannot access your funds.

I created SmeshWallet as a solution to this problem. I have four nodes all sending rewards there, and since SmeshWallet is always in sync, my SMH funds are always available.

Over 2400 people are using the product, and it has received great reviews.

Is it secure?

As a SmeshWallet user, you are exposed to three risks:

  1. Compromised private keys
  2. Compromised node
  3. Me stealing your funds

First—As can be verified through traffic inspection (and many have), your wallet private keys are only stored on your device in the browser’s local storage, and encrypted with a strong password of your choice. Same as Smapp. Once the Spacemesh team releases a Ledger app, I’ll add support for that, providing the ultimate in private key protection.

Second—Password access to the node is disabled, such that only SSH key access is possible. Additionally, I have a 5-minute monitor to confirm that the SHA checksum of the go-spacemesh software running on the node matches that of the official release of the Spacemesh project.
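One way a periodic checksum monitor like the one described above can be built, as an added example that is not SmeshWallet's own code: it hashes the executable image of the running process rather than the file at the install path, and compares it to a pinned release digest. Assumptions: SHA-256 as the digest, a Linux node with /proc, and the hypothetical names `sha256_of`, `verify_binary`, `check_running`, `EXPECTED_SHA256`, `NODE_PROCESS` and `RUN_MONITOR`.

```shell
#!/bin/sh
# Added example: compare the SHA-256 of a node's *running* executable with a
# pinned release digest. Function names, variables and interval are assumptions.

# Print the lowercase hex SHA-256 of a file; non-zero if it cannot be read.
sha256_of() {
    [ -r "$1" ] || return 2
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_binary FILE EXPECTED_HEX -> 0 match, 1 mismatch, 2 unreadable/invalid
verify_binary() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Reject anything that is not exactly 64 hex characters, so an empty or
    # truncated pin can never compare equal by accident.
    case "$expected" in
        *[!0-9a-f]*|'') return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256_of "$1") || return 2
    [ "$actual" = "$expected" ]
}

# check_running PROCESS_NAME EXPECTED_HEX
# Hashes /proc/PID/exe (Linux), i.e. the image the kernel actually mapped,
# not whatever file currently sits at the install path.
check_running() {
    pids=$(pgrep -x "$1") || return 2   # "not running" is also an alert
    for pid in $pids; do
        verify_binary "/proc/$pid/exe" "$2" || return $?
    done
}

# Entry point for a scheduler (e.g. cron "*/5 * * * *"); nothing runs on source.
# EXPECTED_SHA256 must be taken from the official release, out of band.
if [ "${RUN_MONITOR:-0}" = 1 ]; then
    check_running "${NODE_PROCESS:-go-spacemesh}" "$EXPECTED_SHA256" \
        || { echo "ALERT: go-spacemesh digest check failed" >&2; exit 1; }
fi
```

A check that runs on the node itself only detects tampering by someone without root there; running it from a separate host over SSH and alerting on any non-zero status gives a stronger signal.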

Third—You can learn more about me and my career in crypto at my blog or LinkedIn profile. I was a co-founder, Head of Product and Chief Strategy Officer at Aurora, the EVM blockchain built on the NEAR Protocol. I’ve had a successful career creating and selling businesses, as an investor, and as a builder and public figure in the crypto space. I have a comfortable life, and it simply wouldn’t be in my interest to put a target on my back by stealing anyone’s funds.

Is it open source?

The wallet is not open source. I invested a considerable amount of money hiring top designers and developers (with whom I’ve worked in the past) to create SmeshWallet, and do not plan to open source it, where it can simply be copied by someone else.

Furthermore, being open-source or audited is not a panacea.

  • The reality is that few people deeply inspect open-source software, as seen in the recent case of the open-source Ledger wallet-connect component, which was compromised without notice, leading to the loss of funds of many people.
  • An audit is only a moment-in-time snapshot. Shortly after the Pickle project was audited during DeFi Summer of 2020, they added a seemingly innocent piece of code, which turned out to be exploitable. Since then, many audited projects in crypto have been exploited.

Having said all that, the Spacemesh team has indicated an intent to audit the wallet; however, they simply don’t have the resources at the moment. Furthermore, mutual interest has been expressed in Spacemesh adopting the wallet through some means, as an official product of the project.

Does the Spacemesh team support it?

SmeshWallet is included in the team’s official wallet list in Discord, and in co-founder Lane Rettig’s “Awesome Spacemesh” list.

I still have some questions

If you have any questions, I’m more than happy to answer them on Discord or Telegram @dafacto, or on Twitter @SmeshWallet!