The Way Forward with Ledger in Polkadot

About Ledger on Substrate chains

Ledger is one of the most popular brands of hardware wallet, and many people rely on Ledger devices to securely sign transactions without the risk of exposing their private keys to the wider world. People are used to how Ledger works for blockchains like Bitcoin and Ethereum, where a single Ledger application gives access to everything that can be done on the chain. For Substrate-based blockchains in the Polkadot ecosystem, Ledger has not been so simple, but a major new development is on the way to help.

At Talisman, problems related to Ledger in Substrate are one of the most common topics raised in support requests, and it’s nearly always due to misunderstanding about how Ledger works (or doesn’t) in the Polkadot ecosystem. These issues very often lead to users’ funds being locked in accounts they can’t access, which results in them having to take drastic measures to recover them. While we have done as much as possible in the Talisman application to prevent these misunderstandings, they still occur, because people expect Ledger in Substrate to work how it does in Ethereum, or because they assume that Polkadot chains are all interoperable.

In this article we cover a rundown of the issues, and how you can recover your funds if you’ve gotten them stuck on an address you can’t access with Ledger, and the good news about the upcoming generic Ledger app for Substrate.

The problems with Ledger on Substrate

Substrate Ledger apps require chain metadata

Firstly, due to the way that Ledger apps have so far been developed for Substrate, signing transactions requires metadata. Metadata in Substrate refers to data stored onchain which encodes chain configuration and cryptographic operations. Storing this metadata onchain allows chains to be upgradeable without forking, but it has the downside of requiring signers (wallets and devices like Ledger) to have access to the latest metadata in order to sign a transaction, fetch balances, or do anything else which directly accesses information stored on the chain. This metadata can be large (~3mb), which adds up, once you include relay chains and all of the parachains. Ledger devices only have kilobytes or up to a few megabytes of storage, which means that storing all the metadata for even a single Substrate blockchain could fill a Ledger. For this reason, Ledger applications for the Polkadot ecosystem only support one chain each, so you don’t have to store metadata for chains you don’t use, and they only support a limited set of transaction types. For example, in the repo for the Polkadot relay chain Ledger application, you can see which extrinsics are supported by the different Ledger devices, and the ‘Polkadot’ and ‘Polkadot XL’ Ledger apps for these devices (Polkadot XL being an ‘extra large’ version of the application, containing a more complete set of metadata, but at the cost of taking much more space on the Ledger).

This means that Ledger applications for Substrate chains will only work on the chain they have the metadata for, and even then, you can only sign a limited set of transactions.

On top of this, the metadata needs to be continually updated when the chain runtime is upgraded — that’s why you need to update your Ledger app to the latest version in Substrate often, while in Ethereum you can get away with running old versions for a long time.

Substrate Ledger apps are chain-specific

Due to this metadata dependency, each Ledger app only works for the chain it has the metadata for. But not every chain has a Ledger application at all. Developing a custom Ledger application is a costly undertaking, and some parachain teams never prioritised doing so, while others initially had Ledger applications developed, but stopped supporting them over time, leaving users effectively locked out of their funds due to runtime updates making the available app versions unusable.

Substrate Ledger accounts are chain-specific

The final part of all of this is that Ledger applications in Substrate have, by convention, used account derivation paths specific to the network they’re intended for. Most regular Polkadot users have the expectation that a Substrate account can be used across all chains in the Substrate ecosystem, merely by formatting the address in the particular format of the target chain, for example using Subscan’s SS58 format convertor tool, or by using the ‘copy address’ functionality inside Talisman. So, an account derived in a wallet like Talisman can be used in Substrate without having to worry about whether it will work on any particular chain.

Unfortunately, converted Substrate addresses cannot be used for accounts derived in Ledger applications for Substrate. The reason for this is that Substrate Ledger apps each generate their accounts using a derivation path specific to the chain the app is built for.

This means that if you manually convert the address of a Ledger account from say, Polkadot, to one for Acala, you will not get the equivalent address to one generated by the Acala Ledger app itself. If you were to do this, you would never be able to sign transactions for the address on Acala using your Ledger, because there doesn’t exist a Ledger app that can sign on Acala (has the metadata for Acala) which will derive an account with that address. While this is preferred by some advanced users for privacy reasons, it undermines users’ assumptions about how accounts should operate in the Polkadot ecosystem, where interoperability and liquid transfer of assets across chains is the primary selling point. People who have made this mistake are one of the most common sources of support requests we get in the Talisman help desk channel.

The TLDR of the situation

Some parachains are unsupported by Ledger. For those that are supported, Ledger apps are specific to the chain due to reliance on metadata, and are not able to perform all actions on chain. Accounts generated by these apps are also chain specific due to account derivation conventions.

It’s easy to get caught on one or all of these limitations and end up with assets somewhere inaccessible, or at least being unable to do the thing you want to do.

For simple use cases, like storing your DOT on the Polkadot chain, sending to other Polkadot relay chain accounts, and perhaps performing supported transactions such as bonding to a nomination pool, Ledger is perfectly capable and is a good solution. However, up until now, users who wanted to take advantage of the full range of defi and gaming options available in the Polkadot ecosystem, or some inbuilt features like crowdloans, would quickly find that they were unable to, and commonly get themselves into situations where funds were inaccessible.

The long term solution: A generic Polkadot app for Ledger

Earlier this year, the Polkadot community engaged in eager discussion on the idea of a universal Ledger application with broad agreement that the current status quo is untenable. The conclusion of this was the passing of a referendum to fund development of a protocol for compact and secure storage of offline metadata, and an associated universal Polkadot ecosystem Ledger app.

This project is now making good progress, and Talisman recently received a test version of the new application and begun development of our integration. The generic application will enable a single app to be used on all Polkadot ecosystem chains, and will deliver a far superior user experience than the current arrangement with less chance to make serious mistakes. Talisman aims to be one of the first wallets to support it.

The only caveat of this change is that for chains other than the Polkadot Relay Chain, the derivation path for accounts in the generic application will be different to the current, chain-specific applications, which means users will no longer be able to use the same accounts. To make this easier and ensure ongoing support, the team behind the new Ledger application are also releasing a special recovery application which can derive accounts on both paths. For example, if you currently have an Acala account on the Acala Ledger application, you won’t be able to access that account using the new Polkadot application. You’ll need to use the ‘recovery’ Ledger application to access the old account, and drain it by sending all funds from it to an account created using the new derivation path. For the Polkadot Relay Chain, the derivation path will be the same in the new app as in the old one, so you can continue to use the same account in the new application as you were in the current one.

In order to support the new offline metadata protocol and thus be available for use with the new generic application, a runtime upgrade will be needed on each chain. This means that not all parachains will necessarily be supported when the new application is first released. As this upgrade rolls out across the ecosystem, Talisman will continuously update our wallet integration to enable use on any parachains which have performed the runtime upgrade.

What should you do if you have funds locked in a Ledger account you can’t access?

If you’ve sent funds to an address that you can’t access, because no Ledger application exists for the chain, or because it’s a different address than the ones derived by the Ledger app for that chain, you have effectively two options.

1. Wait for the universal Ledger app mentioned above to be available. There is currently no ETA for this, but great progress has been made and we expect to see a final solution in the near future.
2. Use Talisman’s Substrate Ledger account recovery tool. This tool is available from Github at https://github.com/TalismanSociety/ledger-substrate-recover and can be run as a simple offline webpage downloadable from the repo, or built from scratch for the more technical. Use this tool at your own risk, and see the notes below for more details.

Notes regarding Talisman’s account recovery tool:

We recommend this tool for users that need access to their funds and can’t wait for the universal Ledger app to arrive. This tool enables the user to select a network, and enter their Ledger recovery phrase and generates the public and private keypairs of the accounts derived by the Ledger application for that network. These keypairs can then be exported in an encrypted JSON file and imported to the Talisman wallet to be used like any other internally-stored accounts. Because the Talisman wallet has access to the metadata for all the chains it supports, any assets held on those accounts on other chains apart from the one supported by the Ledger application then become available. So, for example if you had contributed to a crowdloan for the Centrifuge parachain using your Polkadot Ledger account, and now want to receive your rewards on the equivalent Centrifuge account, you would select ‘Polkadot’ as the network in the recovery tool, and import the resulting JSON file into Talisman. You could then see your balances on the Centrifuge chain with the account created, and you could sign transactions on that chain. The recovery tool requires you to input an ‘address index’ and ‘account index’. In most cases, if you used the first account available from your Ledger, this will be 0 and 0. If you used one of the subsequent accounts, you’ll need to increment these numbers and try different combinations to discover the account you’re looking for.

It is important to note that using this tool does come with some downsides. Because you’ll be entering the recovery phrase for your Ledger straight into a web browser, you’re exposing that recovery phrase to greater risk than if it was only ever written on paper or directly input into the Ledger device. We encourage you to run this tool on an airgapped computer, or at least a clean browser on a temporarily offline computer. Even so, after doing this, you should treat this recovery phrase and any accounts derived from it more like one for a hot wallet than one for a hardware device. You should then reset the Ledger with a fresh recovery phrase, and transfer any assets from the old Ledger accounts (from all chains, including Ethereum and Bitcoin) over to accounts from the now-reset Ledger. Obviously, you may need to retain the recovery phrase so you can enter it into other wallets, for blockchains not supported by Talisman. For people storing large values, or who use their Ledger to receive staking rewards or other expected income, this could be a major inconvenience and potentially lead to loss of funds. For this reason, we encourage people to consider whether recovering their accounts using this tool is a good choice for them depending on their unique situation.

Conclusion

With all this in mind, for now Talisman recommends users in the Polkadot ecosystem only use Ledger when they understand the limitations and are sure that their use case falls within them. We look forward to the release of a universal Ledger app for Polkadot in the near future.