Our View On The Ledger Debacle And The Implications For Multisig

Ledger’s Bold Move: Introducing The Ledger Recovery Feature

The Bitcoin Community Reacts

Unsurprisingly, the Bitcoin community had a strong reaction to this news, and for good reason. The core value proposition of hardware wallets is their ability to generate and securely sign keys within the device itself. The assurance that the seed will never leave the secure environment of the hardware wallet has been a key selling point. Additionally, KYC is generally viewed as an unfavourable practice in the Bitcoin space, particularly when it comes to self-custody. Although Ledger has announced a delay in the rollout of this new feature and plans to open-source the code, the damage has already been done. So, should we all discard our Ledger devices, or is there more to consider?

Understanding the Impact on Ledger Devices

Our initial reaction to Ledger Recovery was somewhat conflicted. On one hand this feature seemed to violate the fundamental principles of self-custody, instantly disqualifying Ledger as a true hardware wallet and potentially paving the way for mass confiscation. On the other hand: It held tremendous potential for multisignature setups, where the risks introduced by this feature could be effectively mitigated. Given the complexity of the situation, we decided to give it some time and gather additional information before passing judgment.

Examining the Risks

To make an informed decision, it’s crucial to understand the risks involved for Ledger users. By utilising this feature users are required to trust the custodians to avoid collusion. If two custodians were to collude, they could reconstruct the seed and gain access to the user’s bitcoins. While we consider this risk relatively small, it cannot be entirely discounted.

A more significant risk arises from the possibility of governments forcing or compelling at least two custodians to surrender their shares. Whether for individual investigations or large-scale confiscations. The cooperation of custodians based in different but friendly jurisdictions could make this feasible. History has shown that gold confiscation occurred in the past, leaving us to question why governments wouldn’t attempt a similar approach with Bitcoin if circumstances become dire enough.

Given the current economic uncertainty and the mounting hostility towards Bitcoin, this scenario seems increasingly likely. Furthermore, Ledger’s closed-source nature coupled with its status as the most widely used hardware wallet, makes it an attractive target for such attacks. Governments have a track record of pressuring technology companies to install backdoors and leak sensitive information. It’s not a question of if, but rather when such attempts will be made.

Our Main Concern About Ledger Recovery

All the risks mentioned above should only be relevant if you choose to use the Ledger Recovery service. If you prefer to avoid these risks, you can simply opt out of using the feature, right? Herein lies our primary concern: Ledger is a closed-source system, which means we have to trust the company to refrain from enabling seed extraction for all devices or enabling it in the future under pressure from authorities.

Ledger made a promise that the seed would never leave the device without the user’s consent. If the device were open source (like most other hardware wallets), we could verify whether this promise is upheld, and it wouldn’t be a significant issue. However, in this case the lack of available code prevents us from guaranteeing the security of users who do not utilise the recovery feature.

Building features that offer voluntary use with certain trade-offs is not inherently bad, but introducing something that undermines the core premise of a device without the ability to prove that it can only occur with the user’s explicit command is questionable, in our opinion. This new feature downgrades the Ledger from a self-custody solution to a hybrid between custody and self-custody.

Our Recommendations

Considering the Ledger’s departure from being a pure self-custody tool, as it violated the fundamental principle that the seed should never leave the device: We no longer recommend it for singlesig setups. However, we believe that the Ledger Nano S is comparatively safer in this regard since it does not support the recovery feature. Nevertheless, we cannot provide an absolute guarantee due to the closed-source nature of the device.

On the other hand: For multisig setups, the Ledger Recovery feature can be beneficial if it aligns with your priorities. You can sign with your Ledger for the multisig, opt for the recovery service, pay the monthly fee, wipe the device, and destroy the seed. This way, you have a signer in your setup that doesn’t require secure storage and can be recovered with your ID, making it highly accessible. The risks discussed earlier can be mitigated by using Ledger for fewer signers than your chosen threshold in your quorum.

Furthermore, if you choose not to utilise the recovery feature: We still recommend the Ledger for multisignature setups. Multiple vendor multisig solutions aim to mitigate vulnerabilities from various vendors. Including Ledger as a unique hardware wallet could still potentially be a net positive. Of course, it is crucial to ensure that the number of Ledgers used as signer is below your chosen threshold. We consider the Ledger Nano S to be safer than the newer Nano X, and an older Nano S even more so. In the early days there was less incentive to attack Bitcoin, which reduces the likelihood of backdoors.