Do Not Trust Lumi Wallet [tl;dr: their web wallet sends your mnemonic phrase to their servers]


Jun 8, 2018 · 3 min read
A new day, a new wallet enters the scene. Being a developer on a wallet project myself (I work on BRD), I am intensely curious how other teams go about building their apps. Being an architecture nut, I absolutely love poking at software and figuring out how it works. Software is hard; software that secures users’ funds is doubly hard. Programming with consequences! Spicy!

On superficial inspection, I know something is off — “truly private” and “web wallet” and “extremely secure” are impossible to have for the same product. If something is a web wallet, it’s definitely not extremely secure (see recent DNS attacks for MyEtherWallet), and it’s highly unlikely to be “truly private” due to technical limitations of the web. So, the question becomes — what gives? Are they any of the things they claim to be? Even two out of three would be a big technological step forward, and there would be a lot to learn.

Before the big reveal, let’s take a small detour through “security-land”. Many modern cryptocurrency apps use a “mnemonic phrase” as the master key. Through a series of BIPs (32, 39 and 47) and a lot of hard work from wallet developers, a bunch of great ideas are now commonplace. In essence, one mnemonic phrase, a list of words, can be turned into an unlimited number of public/private key pairs, which is how you get a new “receive address” for every bitcoin transaction. This is massively better than the old system of generating a new key randomly and keeping track of them all in a giant wallet file. This way all you need is a 12-word phrase to secure all your funds in any conceivable cryptocurrency. If you’re curious, a tool like the BIP39 Tool may help make the process a bit more concrete.

Important takeaway: your 12-word seed needs to be protected in every conceivable way — in crypto-land, it literally is your money. You shouldn’t type it into insecure computers (basically most of them), you shouldn’t leave it on a post-it note stuck to your monitor, and never ever, ever, type it into a random webpage you stumbled on. Lumi Wallet is a great example of why this is.

So, what exactly is Lumi Wallet doing? Check this out:

[Screenshot: blurred-out mnemonic, such security!]

Then you enter an email/password (privacy?), and hit “sign up”. Then:

[Screenshot: PWNd!]

Not only do they send the mnemonic to the server, they store the mnemonic (or a hash of it, but I’m guessing not) on their servers. This is either stratospherically irresponsible or Lumi is a scam wallet aiming to steal everyone’s funds at some point in the future.

I haven’t been able to look into how their mobile wallets work, as I don’t have the time to do it the right way (root a phone, blah blah blah) — though I did verify they are at least using strong SSL to send your money to their servers, so at least the guy sitting next to you in Starbucks can’t steal your money… but that’s a small consolation when you’ve just sent your crown jewels to be stored by some faceless web service with zero transparency (though they have lots of blog posts with nebulous claims of security!). It’s only a matter of time before the CEO, a rogue employee, or a hacker sweeps through the database and collects every penny of every Lumi wallet user.
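To make the “security-land” detour concrete: the mnemonic-to-keys pipeline the post describes (BIP39 seed stretching followed by BIP32 master key derivation) is entirely local arithmetic, which is exactly why a wallet never has a technical reason to ship the phrase to a server. The example below is added here and is not the post’s code, nor anything from Lumi or BRD; it uses only the Python standard library and the public all-zero-entropy BIP39 test mnemonic (a constructed sample, not a real wallet). The helper names and the `SAMPLE_MNEMONIC` constant are my own.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample input: the public BIP39 test vector with all-zero entropy
# (11 x "abandon" + "about"). It is a published test value, not a real wallet.
SAMPLE_MNEMONIC = (
    "abandon abandon abandon abandon abandon abandon "
    "abandon abandon abandon abandon abandon about"
)

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Order of the secp256k1 group; a master private key must lie in [1, N-1].
SECP256K1_N = int("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 16)


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: 2048 rounds of PBKDF2-HMAC-SHA512 over the NFKD-normalised
    mnemonic, salted with "mnemonic" + passphrase, yielding a 64-byte seed.
    Pure local computation: nothing here needs a network round trip."""
    mnemonic_bytes = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", mnemonic_bytes, salt, 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> tuple:
    """BIP32: HMAC-SHA512 keyed with "Bitcoin seed". Left 32 bytes are the
    master private key, right 32 bytes the master chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    k = int.from_bytes(key, "big")
    if k == 0 or k >= SECP256K1_N:
        # Astronomically unlikely, but the spec says such a seed is invalid.
        raise ValueError("invalid master key for this seed")
    return key, chain_code


def base58check(payload: bytes) -> str:
    """Base58 with a 4-byte double-SHA256 checksum, as used by xprv/xpub."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    data = payload + checksum
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = BASE58_ALPHABET[rem] + out
    # Each leading zero byte is encoded as a leading '1'.
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def master_xprv(seed: bytes) -> str:
    """Serialise the depth-0 master key as a mainnet BIP32 'xprv' string."""
    key, chain_code = seed_to_master_key(seed)
    payload = (
        bytes.fromhex("0488ADE4")  # version bytes: mainnet private key
        + b"\x00"                  # depth 0 (master)
        + b"\x00" * 4              # parent fingerprint (none for master)
        + b"\x00" * 4              # child number
        + chain_code
        + b"\x00" + key            # private keys carry a 0x00 prefix byte
    )
    return base58check(payload)


if __name__ == "__main__":
    seed = mnemonic_to_seed(SAMPLE_MNEMONIC, passphrase="TREZOR")
    print("seed:", seed.hex())
    print("xprv:", master_xprv(seed))
```

Two things worth noticing when running it: the optional passphrase changes the seed completely (so a phrase plus passphrase is a different wallet from the phrase alone), and every public address a wallet ever shows you descends from the `xprv` printed at the end. A web page that can read the phrase can reproduce this whole chain server-side, which is precisely the failure mode the post describes.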