Legal

Security

May 15, 2025

Last updated: June 17, 2023

Leather’s Commitment to Building Bitcoin Wallet Security

At Leather, we recognize that security isn’t just about protecting your assets; it’s about empowering individuals to take ownership of their funds with confidence. We believe in a decentralized ecosystem that puts users first, driving us to prioritize transparency and user empowerment in everything we do.

Leather: A Self-Custodial Wallet

Most crypto users are familiar with an important phrase and principle: “Not Your Keys, Not Your Coins.” It means that whoever controls the private keys controls the assets, so ownership of one’s own keys is essential for managing and safeguarding one’s funds.

As a self-custodial wallet, Leather ensures that users retain complete control over their private keys and, as a result, their own digital assets. By entrusting private keys solely to the user, Leather mitigates the vulnerabilities inherent in custodial services that can lead to potential security breaches. Security begins and ends with ownership, which is why our users’ Secret Keys and passwords are known only to them.

It is important to note that given our emphasis on providing users with a self-custodial wallet, Leather does not store Secret Keys. Users are responsible for securing their own Secret Keys and can refer to this guide for suggestions on how to do so.

In-App Security Features for Users

Given that Leather is a self-custodial wallet, we also give users a number of features that help them secure their own Leather accounts. This includes but is not limited to:

  • Locking and unlocking their wallets: Users can effortlessly lock and unlock their wallets, granting them control over when their funds can be accessed on a specific device.

  • Asset migration: Leather facilitates secure asset migration, allowing users to seamlessly transfer their funds from one wallet to another should they need to do so.

  • Multiple account creation: Users can create multiple accounts associated with a single wallet. This allows them to compartmentalize their funds for organizational purposes, or utilize burner wallets for temporary and test transactions.

  • Exclusive access to their Secret Key: Leather users can view their Secret Key in-app via a tab that is only accessible to them.

These are some of the features that Leather offers users, empowering them to safeguard their own assets.

Audited By Security Professionals

Leather has been audited by Least Authority, a leading security consultancy that specializes in security audits for crypto companies, and runs a bug bounty program through HackerOne. These partnerships reflect Leather’s proactive approach to finding security risks before they can compromise users’ assets.

Least Authority’s full 2021 audit of Leather (formerly Hiro Wallet) is still publicly available and can be viewed via the wallet’s GitHub repo. The audit was conducted as Leather, which was initially a desktop wallet application dedicated primarily to STX holdings, was preparing to publish the first version of its browser extension in the Chrome and Firefox stores.

Leather’s collaboration with Least Authority and HackerOne underscores its unwavering commitment to security and user protection.

Timeline of Addressed Wallet Vulnerabilities

Our ongoing commitment to transparency and security means that it’s important for our team to work around the clock to identify and address any possible vulnerabilities that may exist with Leather.

Some of the security vulnerabilities we’ve addressed in the past include:

August 2023: Cached Secret Key

Reported: August 8, 2023

Resolved: August 10, 2023

We received a report of a weakness in the “import wallet through Secret Key” flow. The mnemonic was entered into a plain “textarea” element, and browsers can persist the contents of form fields, so a user’s private key or mnemonic could be written to the browser’s local storage on the device and recovered by anyone who later gained unauthorized access to that computer. A fix shipped promptly in version 6.3.1 of the wallet extension so that the imported key is no longer persisted this way.

July 2022: appPrivateKey Vulnerability

Reported: July 7, 2022

Resolved: July 7, 2022

In July 2022, a vulnerability in the wallet’s authentication feature was reported. In versions prior to v3.11.2, a malicious site could submit an authentication request whose redirect_uri pointed at another app’s domain; if the user approved that request, the attacker could obtain the appPrivateKey of that other domain. No exploitation in the wild was known, but the potential exposure of user data was significant enough for the team to deploy a patch that validates the redirect_uri value, ensuring that only the requesting origin’s domain is passed to the @stacks/wallet-sdk library.

December 2022: Browser Locking Issues

Reported: December 4, 2022

Resolved: December 5, 2022 for Chrome; January 25, 2023 for Firefox

A vulnerability identified in December 2022 meant that a user’s wallet could remain unlocked and usable in other open tabs or windows of the browser extension after the user locked it in one of them. The Secret Key itself was not exposed, but anyone with physical access to the computer could operate the still-unlocked extension from another tab. The fix made the lock state shared across the extension, so locking the wallet in any one tab locks it in every open tab and window.

April 2021: Plain text passwords stored in memory

Reported: April 9, 2021

Resolved: May 5, 2021

This vulnerability appeared when the desktop wallet was launched and the user viewed their Stacks address: both the wallet password and the address were present in plain text in process memory and could be read from a memory dump.

These security vulnerabilities were identified and promptly addressed, underscoring our commitment to prioritizing the safety and security of our users’ assets. As Leather is an open-source wallet, a number of community contributors also played their part in helping us identify and resolve these existing issues.

Keeping Your Assets Safe with Leather

Leather’s commitment to user security is one of the cornerstones of our mission to build the most reliable and secure Bitcoin wallet. We want to give users full control over their digital assets and play our part in finding and fixing security vulnerabilities in the wallet as quickly as possible.

Our dedication to transparency and accountability is evident through past audits and our swift approach to addressing possible issues in-app. By quickly resolving security concerns and implementing user-friendly safeguards, we’re protecting our users while also empowering them to secure their own wallets.

This is especially important as more use cases and decentralized applications are built on Bitcoin. The Bitcoin ecosystem is rapidly changing, and it’s up to our team to continue innovating and evolving with it.