A new era for crypto security
Unprecedented protection for your cryptocurrency wallet
May 2020: We have moved our blog (and the most recent version of this post) to https://www.argent.xyz/blog/a-new-era-for-crypto-security/
Argent is a new type of crypto wallet that offers ease of use AND security, unlike the previous generation of wallets.
Argent removes the headaches of seed phrases, gas prices and cryptic addresses. And it introduces the ability to lock & unlock your wallet, block fraudulent transactions and set a daily limit.
We hope it makes the decentralised web — the next era of the internet — accessible to everyone.
In this post I go into new details on our security model. I cover:
- How Argent helps you recover your wallet without a seed phrase
- How Argent protects your cryptocurrency
- How our security model plays out in practice
The post is much longer than usual because we take transparency seriously and hugely value your feedback and insights. So please get in touch on @argenthq or firstname.lastname@example.org.
How Argent helps you recover your wallet
When you acquire cryptocurrency the first question you face is: what’s an easy and safe way to hold it? Until now there hasn’t been an obvious answer.
The convenient option (at least at first glance) has been to leave your crypto with an exchange or custodian. But this has major problems. You’re not really the owner of your funds and you have to trust a company that might get hacked, steal from you or limit what you can do. Each of these happens all too often.
The alternative is to use a wallet that you control. But this has a major flaw: your access to it depends on writing down a seed phrase and keeping it safe. This is anachronistic, makes you worry (what if you lose it? what if someone else finds it?), and holds back adoption.
Argent offers a better way: the smart wallet.
Simple, seedless recovery
As we introduced in this post, we’ve got rid of seed phrases and made it much easier to recover your assets if you lose your phone, or get it stolen.
With Argent your assets are held in a smart contract on the blockchain. You control access to those assets via your phone, which holds your private key. If you lose your phone you can quickly recover your wallet on a new phone. This is possible because of Argent Guardians.
How Guardians help you recover your wallet
A Guardian is an account on the Ethereum blockchain that you give permission to help you recover your wallet and protect you from attacks. A Guardian never has access to your assets.
A Guardian account can be:
- A hardware wallet or other device (e.g. another phone) that you own yourself.
- A MetaMask account
- A person you’ve selected because you trust them (e.g. a friend or family member).
- A third party service. An example is our Argent Guard, which uses 2-factor authentication.
You can pick and choose any combination you like, including just sticking with one type (i.e. a few devices that you own).
Recovery with Guardians is this easy:
- Download the Argent app on your new phone.
- Tap ‘Recover wallet’.
- Enter your username (e.g. natasha.argent.xyz).
- Speak to your Guardians and share the four emojis on your screen. If a majority confirm they match, then a 36 hour window starts. (You count towards the majority). During this time you can cancel the recovery. If there’s no cancellation, you recover your wallet.
Approving or cancelling a recovery requires a majority out of you and your Guardians. This is because it makes the system even more secure. How this works is that you and your Guardians can each sign an instruction to the smart contract, e.g. ‘Yes, this recovery attempt is legitimate’.
- Therefore, the formula for approving or cancelling a recovery is:
- N = total number of Guardians
Now you’re protected from the risk of losing access to your funds. But that’s not all Argent protects you from.
How Argent protects you from theft
1) Phone-layer security
The aim of this layer is to prevent someone from logging in and draining your wallet. This layer alone puts us on par with world class banking apps.
We use all the available security features on iOS and Android, such as biometrics, keychain, and Secure Enclave, as well as a six-digit user pin code. The pin code helps to encrypt the private key (for those of you interested in cryptography: we use PBKDF2 and AES256 in Galois/Counter Mode).
But while these features should prevent the vast majority of attacks from happening, they’re not unique to Argent.
So what separates Argent from other wallets?
2) Smart contract-layer security
Argent uses smart contracts to provide the security features of the best modern banks — without the bank. The smart contracts are built on the Ethereum blockchain and cannot be tampered with, by us or anybody else.
You can ask a Guardian to lock your wallet. The wallet can’t then make transactions. This is useful in case your phone is lost or stolen and you want to protect it beyond the phone-layer security.
When a Guardian locks a wallet, a 5-day security period starts. This gives you time to get a new phone and recover your wallet. (Locking doesn’t prevent recovery, for precisely this reason).
Any Guardian can unlock a wallet, including the one that originally locked it.
Daily transaction limits
Each wallet has a daily transaction limit, which you can change to whatever you like. Limits prevent an attacker from siphoning off your funds.
Transactions are totalled across tokens, and transactions over the limit are delayed for 24 hours. When the limit is hit you’re instantly sent an alert to review the transaction. You can then use the 24 hour delay to block it, if you want to, by locking your wallet.
If you’ve gone over your limit and don’t want to wait 24 hours for your transaction, you can use your Guardians to quickly approve it. A majority of Guardians is required. This is to prevent any risk from a compromised Guardian.
Changing a limit also has a 24 hour delay. This stops someone from gaining access to your phone, lifting the limit and stealing the funds before you have time to lock your wallet.
An attacker trying to steal your funds would send them to an address you don’t know — otherwise it would be obvious who the attacker is. Argent’s smart contracts therefore treat unknown addresses differently to known, trusted ones. Transactions to your trusted contacts don’t count towards your daily limit.
You can change your Guardians with just a couple of taps of the app. Changes take 24 hours to come into effect. The delay gives you time to prevent any unwanted changes by locking your wallet.
The only time there is no delay is when you first download Argent, then adding your first Guardian is immediate. This is to ensure you can benefit from the security they bring as soon as possible.
How does this security play out in practice?
I’ve lost my phone!
- As soon as you realise it’s missing, you can ask a Guardian to lock your wallet. This will stop any transactions or Guardian changes. It’s just a precaution as it’s extremely unlikely anyone can crack the phone-layer security (biometrics etc, which even law enforcement struggle with).
- Then, if you find your phone, you can just ask a Guardian to unlock it and you’re all good.
- If you’ve really lost it, you can recover your wallet on a new phone with the help of your Guardians.
I left my phone unlocked with Argent open and an attacker gained access to it!
- If the attacker tries to send your funds to themselves they’d hit the daily limit.
- You’d get a notification and would then have 24 hours to lock your wallet with the help of a Guardian.
- As a final step you’d recover your wallet on a new phone with the help of your Guardians.
- If the attacker tried to change your Guardians or add themselves to the list of trusted contacts, you’d have 24 hours to lock your wallet, stop them and recover it.
My Guardian has betrayed me or been hacked!
- If a Guardian does something you don’t want, you can easily remove them with a tap of the app.
- The change takes 24 hours to come into effect. In this time, as long as you have access to your phone, a single compromised Guardian cannot take control of your wallet. They would need a majority of Guardians and their path to the majority is made more difficult by the fact that you count towards it.
Someone has hacked my phone* and is trying to add Guardians until they control the majority!
- As soon as the attacker tries to change a Guardian, you’d be notified and have 24 hours to react before the change occurs.
- In this time you’d use a Guardian to lock your wallet — and this Guardian could be yourself with a device or Argent Guard. This would prevent the attacker from confirming the requested change at the end of the 24 hours.
- To resolve the situation you’d simply recover the wallet on a new phone.
*It is super, super difficult to crack an iPhone’s security — way beyond the capabilities of most criminals and even nation states.
I’m worried someone could try to fraudulently recover my wallet on their phone!
If an attacker downloaded Argent on their phone, entered your ENS (username) and tapped “Recover wallet” you would be safe. To succeed an attacker would have to:
- Know who your Guardians are
- Trick your Guardians that the recovery attempt is legitimate. This is extremely difficult as we’ve deliberately made it so the recoverer has to speak to the Guardians to check that the symbols displayed on their screen match the ones the Guardians see.
- Additionally, the attacker would need to trick more than one Guardian as recovery attempts require a majority of Guardians. Further preventing the attacker gaining a majority would be if any Guardians of yours are hardware wallets that you control.
- Even if they can do all this — perhaps they’re your identical, evil twin — you’d be notified of the attempt and have 36 hours to cancel it.
My Guardian might not remember they need to help me
We’ve all got friends and family who can occasionally be a bit lazy. We’ve therefore made it super easy to be a Guardian.
- We’ll send them periodic reminders that they need to keep the Argent app to protect you.
- If you want them to help recover your wallet you’ll call them.
- Last, if you’re worried about the reliability of those you’re close to, you could just use hardware devices that you control, or a Guardian service.
An attacker has tricked my phone network into swapping my phone number onto their SIM!
The attacker can’t do anything with just your phone number.
- But if you have weak email security, AND if the attacker uses your phone number to recover your email, AND if they know/guess your ENS, AND if your only Guardian is the automated Argent Guardian Service, then they could trigger a recovery of your wallet on their phone. But…
- You’d be notified of the recovery attempt and can cancel it as you’d still have access to Argent.
The decentralised web offers a rare — maybe unique — opportunity to fundamentally rethink our digital future. It gives us the potential to build a new, fairer internet that puts people first. We hope Argent represents a step change in its usability and security.
We couldn’t be more excited about the coming months and look forward to hearing from you as we work together on perfecting the experience.
You can find us on Twitter @argentHQ, and at email@example.com.