About SmeshWallet security

This document intends to answer some common questions about the security of SmeshWallet.

Why did you create SmeshWallet?

Smapp—the project wallet—is a full node, requiring 50GB of disk space (and growing!) and needing to be online 24/7, just to have access to your funds. I created SmeshWallet as a solution to this problem. Since SmeshWallet is always in sync, you always have immediate access to your funds. Over 4100 people are using the product, and it has received great reviews!

Is it secure?

As a SmeshWallet user, you are exposed to three risks:

  1. Compromised private keys
  2. Compromised node
  3. Me deciding to become a criminal, and stealing your funds

First—As can be verified through traffic inspection (and many have), your wallet private keys are only stored on your device in the browser’s local storage, and encrypted with a strong password of your choice. Same as Smapp. Once the Spacemesh team releases its Ledger app, we’ll add support for that, eliminating this risk altogether.

Second—Access to the nodes has been hardened, such that only SSH key access is possible. Additionally, we have a 5-minute monitor to confirm that the SHA checksum of the go-spacemesh software running on the node matches that of the official release of the Spacemesh project.

Third—You can learn more about me and my career in crypto at my blog or LinkedIn profile. I was a co-founder, Head of Product and Chief Strategy Officer at Aurora, the EVM blockchain built on the NEAR Protocol. I’ve had a successful career creating and selling businesses, as an investor, and as a builder and public figure in the crypto space. I have a comfortable life, and it simply wouldn’t be in my interest to put a target on my back by stealing anyone’s funds.
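One way to implement the node checksum check described under the second risk above, as an added example that is not SmeshWallet's own code. It assumes a Linux node, SHA-256 as the checksum, and a process named `go-spacemesh`; the function names are hypothetical, and the expected hash is whatever the official release publishes.

```shell
#!/bin/sh
# Added example (not SmeshWallet's code): verify that the running node binary
# matches a pinned release checksum. Assumptions: Linux /proc, SHA-256,
# process name "go-spacemesh"; function names are hypothetical.

# hash_file PATH -> prints the lowercase hex SHA-256 of PATH
hash_file() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_image PATH EXPECTED -> 0 match, 1 mismatch, 2 unreadable
verify_image() {
    [ -r "$1" ] || return 2
    actual=$(hash_file "$1") || return 2
    # Published checksums are sometimes upper case; compare case-insensitively.
    [ "$actual" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# check_process NAME EXPECTED -> checks every running process called NAME.
# Returns 0 if all match, 1 on any mismatch, 2 if not running or unreadable.
check_process() {
    pids=$(pgrep -x "$1") || { echo "ALERT: $1 is not running"; return 2; }
    rc=0
    for pid in $pids; do
        # /proc/PID/exe refers to the image the process was started from,
        # even if the file at the install path was replaced or deleted later.
        # Hashing the install path alone would miss that case.
        status=0
        verify_image "/proc/$pid/exe" "$2" || status=$?
        case $status in
            0) echo "OK: pid $pid matches the pinned checksum" ;;
            1) echo "ALERT: pid $pid checksum mismatch"; rc=1 ;;
            *) echo "ALERT: pid $pid image unreadable"; [ "$rc" -eq 1 ] || rc=2 ;;
        esac
    done
    return $rc
}

# Usage from a 5-minute cron job or timer (hash is a placeholder):
#   check_process go-spacemesh "<sha256 from the official release>" || notify
```

The pinned hash should be taken from the release's published checksum and stored where the monitored node cannot modify it, so that a change to the binary and a change to the expected value are not possible from the same place.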

Is it open source?

The wallet is not open source. I invested a considerable amount hiring top designers and developers (with whom I’ve worked in the past) to create SmeshWallet, and do not plan to open source it, where it can simply be copied by someone else.

Also note that two of the most respected technical community members, (@schinzelh) and Earl (@xearl4), have been granted access to the code. While their responsibility is not security related, they would have immediate visibility to any suspicious modifications.

Finally, being open-source or audited is by no means a guarantee of security.

  • The reality is that in a world of millions of open-source projects, few people deeply inspect code, as seen in the recent case of the open-source Ledger wallet-connect component, which was compromised without notice, leading to the loss of user funds.
  • An audit is only a moment-in-time snapshot. Shortly after the Pickle project was audited during DeFi Summer of 2020, they added a seemingly innocent feature, which turned out to be exploitable. Since then, many audited projects in crypto have been exploited.

Does the Spacemesh team support it?

SmeshWallet is included in the team’s official wallet list in Discord, and in co-founder Lane Rettig’s “Awesome Spacemesh” list.

I still have some questions

If you have any questions, I’m more than happy to answer them on Discord or Telegram @dafacto, or on Twitter @SmeshWallet!