We have announced integration and strategic partnership with Harmony Protocol blockchain on October 14th and its native ecosystem token $ONE is now available on SafePal hardware wallet!
On October 18th, our CEO, Veronica(V) had an AMA session in Harmony Telegram Community and answered a series of questions about safety, hardware wallet and Binance.
Here are the essential points of the session:
Q: Are there any plans to enable the use of HW wallets on Binance DEX?
V: SafePal is already integrated with Binance DEX in late July, enabling all crypto users to hold and trade on DEX with a SafePal wallet. 🙂
Q: Is your code was audited (severally) and if the result(s) can be shared
V: Good question. We are now working with a prestigious security team from Europe to audit the codes, the project started a few weeks ago so I’m afraid there isn’t much thing to share right now. Before we launched the project, we’ve worked with 3 security companies in the hardware+software penetration on the hardware wallet and the App. For your reference.
Q: How safe is SafePal and if you describe how its security works?
V: Yes I appreciate all questions related to security. I think that is why SafePal is here and why it’s so special.
SafePal S1 adopts multi-security-schemes, including:
1) Communications: it adopts encrypted QR code communication. There is no USB cable, Bluetooth, NFC, WiFi or any other radiofrequencies inside.
2) Dual-chip architect: S1 is embedded with dual chips, one of which is an EAL5+ secure element, solely for the protection of private keys.
3) True random number generator: this is a mechanism to make sure the private key is indeed random and unique.
4) Multiple sensors: including but not limited to voltage sensor, light sensor, frequency sensor and etc. Once there are according attacks (such as a brutal attack) detected, the self-destroy mechanism will be initiated and the private key and asset details will be erased.
More security details can be found here.
Q: I’ve seen some services at the time of sign-up see ask questions to make the user aware of safety/scams. (Genre “if someone claiming to be from our project asks to send money, will you”.)
Only after 5 correct (& explained on mistake), sign-up is allowed. Is this something you will consider? Are there any other initiatives that you would take to raise general awareness on safety/scams?”
V: Thanks for the pin-pointed question. Yes, one of our long-term vision is to raise the awareness of common crypto users and guide them toward a more sophisticated future of keeping their own money safe.
We are now trying several directions(welcome to suggest more if you find any other thing useful):
1. #SAFE101 article series: sharing practical tips and suggestions when it comes to keeping your own money safe;
2. Strong guidelines in the product user interface. users hints like “Do not send A coin to a B address” can be seen in many places in the SafePal S1 and SafePal App, reminding all users to be aware when they are transacting or trading their crypto.
3. Some other campaigns such as “Security master awards”, awarding those novice users who can master the most knowledge out of crypto custody(still under designing)
Q: Could you give further clarification on the claim that “SafePal requires no internet no NFC” and wants to know how transactions are approved. He also wants to know if desktop support will be provided
V: Great question. This is the most frequent question being asked by new users coming to our community, about “what do you mean by no internet nor NFC or something like that”.
When we are talking about SafePal wallet, there are two parts in it: 1) The SafePal S1 hardware wallet(a credit-card shape device) and 2) the SafePal App.
The S1 device is for keeping your private key safe and signing each ‘going-out’ transaction, while the SafePal App will be responsible for creating a transaction/order, broadcasting onto blockchain and drawing data off the blockchain, etc.
When you need to send some money, you will need to create the transaction on the App, sign it with the S1 device, and then the App will broadcast the transaction onto blockchain. The App and the S1 device ‘talk’ via encrypted QR code.
Welcome to check our step-by-step guide video here.
To be honest desktop is not in recent dev plan because what we mean to provide is mobile crypto management service. Will surely consider if many users come to us asking for this feature.
Q: Could you give a clarification saying “I saw one line on your website “Self destroy & Key Erasing Mechanism” protecting your asset from any hacking, so how does it works and What is the concept of this mechanism in protecting funds and how this happens without any connectivity on SafePal S1 wallet?”
V: Since there is no internet, Bluetooth, NFC, WiFi antenna or other radio frequencies adopted on SafePal S1, then S1 is immune from online attack or long-distance attack. Other than these types of attacks, S1 will still face with short-distance attacks such as brutal attacks (cracking the device open and read data from it), Bootloader attack(attack from the firmware), and other similar attacks. These attacks will require the attacker to physically hold the device and initiate such hacking techniques.
Inside the S1 wallet, there are multiple sensors detecting all malicious attacks mentioned above. Once detected, these sensors initiate lock-down mechanisms and informing the secure element to initiate self-destroy mechanism. The secure element, which holds the private key, will erase all key data, preventing the hacker from getting hold of the seed.
Q: If this is an off-line wallet how can there be added new coins in the future, by firmware updates or will be needed to replace the actual wallet?
V: SafePal S1 supports firmware upgrade, so users will be able to upgrade and add new coins by upgrading the device with new firmware. We put a lot of security considerations onto this part, including but not limit to:
1. Security suffix: it’s a combination of 3 characters(letters and numbers) used to prevent attacking scenario where someone besides the user resets the hardware wallet without the owner noticing it.
2. Downgrade limitation: SafePal only supports firmware upgrade rather than downgrade, thus to protect any potential attacks from lower version.
3. Secure upgrade procedure: SafePal S1 is embedded with firmware verification program that examines the genuineness of every uploaded firmware. And the device only runs official firmware released through SafePal official website. If there is any malicious firmware loaded to the device, the device will show warnings.
For more details welcome to check here.
Q: I know the crypto chip is smart and top security but, is there any reason to worry when you download the free app for IOS or Android phone, I mean isn’t there a small possibility to get malware if the app is compromised and your device it will be destroyed
V: Interesting question.
1) SafePal App is only available on Google Play, App Store and official website. We strongly recommend our users to download from legitimate resources.
2) Even if the App is compromised, it won’t be able to create a valid transaction nor to decrypt the encrypted QR code from the S1 hardware wallet, thus putting no threat on the crypto assets. S1 and the App use our own-designed signing mechanism.
3) There is a 1.3′ IPS screen on the SafePal S1. Users will be able to double-check every transaction on his/her own wallet, preventing any faking transactions.
Q: As you are using EAL 5+ FINANCIAL GRADE CHIP IN S1 WALLET, so please explain the unique and important features of the ship in terms of security and funds?
V: There are many details to talk about regarding the secure element(SE). I’ll pick the following as the most important ones:
1. The qualification of EAL5+: EAL is widely adopted to evaluate whether an IT product or system can provide its security features more reliably (and the required third-party analysis and testing performed by security experts is reasonable evidence in this direction). It is also widely adopted in financial industry, where most of the debit cards and credit cards are using EAL4+ standard, one level lower than EAL5+.
2. Multiple sensors rooted inside the SE: a long list of such sensors can be found here.
3. Self-destroy mechanism: which was mentioned above.
4. Others: such as RAM protection, BUS encryption, algorithm authentications. Detailed descriptions can be found in the link attached.
Q: What cryptocurrcies SafePal can support as of now?
Q: If you plan to launch community voting for list coin on hardware wallet?
V: All currencies supported by SafePal can be found on our website.
For now we are supporting 3–6 blockchains each month. What’s more, we encourage the community to vote for their favorite cryptocurrencies. Each month we will pick the top 1–2 most popular currencies and add them in the coming version.
You can find how to vote here. The 1st round of September voting has been announced on the blog.
Q: Is there any plan/program to put a bounty for people to hack or find vulnerabilities in SafePalS1? Don’t you think that would help improve your product?” he also follows up with “It seems SafePal S1 can be the ideal secure interface for Defi, services, is there any plan to offers those services & products directly from the wallet (without the app)? Or that would comprise the security of the wallet?
V: For the first question: Yes a bounty program is under discussion and organization. We will surely keep everyone posted. We rely on feedback and power from community. Security is an endless war, and a bounty program is a must-have from where we can grow stronger.
For the second question: Since SafePal is a decentralized wallet, it is indeed a perfect match with DeFi. We have been considering this direction, and also we’ve been paying close attention to the progress of Harmony because DeFi and NFT are also their scoops of range. Right now, though, the focus will be more on security enhancement and multi-currency support. We will surely come up with new features when our users tell us to.
Q: Will the wallet support cold/smart contract staking and will it also supports cryptocurrency forks?
V: Yes we support forks. It simply takes some time to go with developmental work.
As for staking, yes it’s planned but not coming soon. Because per mentioned we will focus on secuirty and currency support first. Staking would come after that.
Don’t think there is a rush to publish every trendy feature because we prefer to build a solid foundation first.
Q: If there’s a self-destroy feature, are the funds recoverable in some way by the genuine user ? (Regardless if it was an attack or if the device simply got damaged Because if no recovery option, there’s an entirely different attack : purposely make someone lose their funds.
V: Great question. So long as you hold your correct mnemonic phrase, you can recover your assets from a new SafePal S1 wallet anytime.
If a S1 hardware wallet is lost, we usually suggest the user to recover the wallet with his/her mnemonic phrase on a new wallet , and then move all the money to a new place directly.
That’s why we sometimes suggest our users buy 2 S1 wallets, for cases like this.
Q: As Hardware wallets are Electronic Devices, So, How SafePal Hardware wallets prevent Scripting and auto-authorising Viruses or screen mirroring from Hardware device?
V: The S1 hardware wallet is 100% offline. Cyber attacks won’t be effective in it. Scripting, auto-authorising viruses will require internet access to the device at least. But on S1 there isn’t such a problem.
It’s the same difficulty of infecting a computer without internet cable with online viruses .
Q: Hi! Looking at the relatively low price of a SafePal, I can say that you’re somewhere breaking the stereotype that a quality thing should be expensive.
Not that I’m complaining about it, no))…but how reasonable is the SafePal price? How did you achieve it and what is your future pricing strategy? Thanks!
V: Thanks for the insightful question. We didn’t talk about pricing strategy much, but indeed the $39.99 retail price reveals our ambition to break the stereotype of ‘low price is equal to low quality’. We think a reasonable price is a guarantee that enables more crypto users to access a better and safer solution. We will be keeping the same strategy in the long run.
As for how we achieve it, it’s mostly related to our background. Our hardware team is led by experts with over 15 years of experience in hardware design, development and production. We know every detail of building great hardware with a reasonable price. In our last hardware project, we successfully sold our products to over 50 countries globally. That’s a strong foundation. We are not starting from 0.
For example, we brought at least 10 hardware wallets in our office. I have to say the BOM cost of many of these wallets is 1/10 of their retails price, sometimes even lower…
While the security level might not as be ideal as we expected.
Q: Is the wallet available worldwide and how much is the cost of the device?
V: SafePal S1 is available on Amazon and our homepage. We are opening up local sales channels in global countries so you will be seeing local retailers selling SafePal soon. The retail price is $39.99. And you can enjoy free shipment worldwide if you buy 2 or more.
Q: Will there be another wallet in the future like an “isafe2”
V: Sure thing. One of our business philosophies is that” there won’t be ONE perfect product fitting all types of users”. We will be developing various product lines fitting different types of users. Welcome to stay tuned!
Q: I have a question about biometric sensors like fingerprints and if the company is looking to integrate such features into sending transactions down the line?
V: We discussed this way back in 2017, and decided not to adopt it for several reasons:
1) The power consumption of adding this feature will be ridiculously high. The charging circle will be much shorter, which could be painful for daily use.
2) Fingerprint is not equal to security, to be honest. If you Google, you can easily find Samsung cellphone being hacked via fingerprint service. We are much more cautious about this part.
3) Cost of this feature is also another consideration, but not as important as the 2nd reason.
Building a secure and enjoyable hardware wallet means to balance among hardware, software, power control, cost and more factors like them.
Q: I want to know what the special features or advantage of SafePal from its competitor are?
V: Depends on whom you are comparing to.
For software wallet, the advantage of owning a hardware wallet is quite obvious. SafePal is decentralized, so we are not managing your money nor running away with your crypto. SafePal S1 is offline and adopts multi-layers of security architect, so no one is going to mess around your assets.
For other hardware wallets, SafePal S1 stands out with its unique communication mechanism(encrypted QR code), attractive user interface(sign with a simple scan, etc), reasonable price line($39.99), and most importantly advanced security level(per described in above messages).
Q: What you think, why Binance and Binance Labs invested in your platform and how you are seeing this partnership in long-term success and adoption for SafePal in the crypto community?
V: Binance and Binance Labs have invested in many blockchain segments, such as layer 1, layer 2, security team, Dapps and so on. I think the wallet is a market segment that a blockchain giant like Binance cannot miss, because it’s the direct entrance to blockchain ecosystem, with the great potential of connecting unlimited services built in the ecosystem. I think Binance invested us mostly because 1) Both parties share the same long-term values. We are user-oriented and want to build tangible solutions rather than giving a fancy presentation; 2) We are not starting with 0. We have a proven track record in hardware and software. 3) The segment of crypto custody faces a lot of pain points and challenges, and we are the best solution to solve them.
We are working closely with Binance team and bring the community with more surprises. Meanwhile, we are clear that user-orientation is our core spirit. We will strongly attach our value to the user feedback and community consensus.
Q: One question regarding the shipment of product — How they are maintaining the security of the product during the shipment …is there any service partnership with any courier facility for better transportation of SafePal wallet ?
V: No we didn’t consider such special carrier facility because regarding different customs policies in different countries, we have to choose according logistic partner for different destinations;
Actually the root of this question is that we should build the product strong enough against these supply-chain-attack scenarios, rather than relying on the protection of any external power.
For such attack scenarios, we have built a device authentication mechanism into the wallet. Once the user receives the wallet, he/she would have to take a few steps to authorize and activate the device first.
For more details, welcome to check here.
Q: What do you perceive as the greatest problem/threat to blockchain security? And how would you mitigate it?
V: I think there are 2 threats that we should pay attention to:
1) The problem of centralized services
In blockchain world, once you entrust your crypto to a centralized third party, that’s no different from mining a bomb for yourself. We have seen the way to many cases like this. The cumulative crypto losses due to centralized exchange hacks in 2017–2018 have reached $882 million.
2) Users’ awareness of security
It would be surprising if I tell you that most of the crypto losses are due to human factors. Even if blockchain technology puts the right of assets back to people’s hands, not everyone is educated or knowledgeable enough to manage their own crytpo assets.
For the 1st question, SafePal is a decentralized wallet. We don’t get hold of users’ assets.
For the 2nd question, I think that’s the common problem that each blockchain company should try to tackle. I personally would suggest establishing a “Blockchain Security League” between these companies, sharing all the security knowledge and know-how of teaching novice users to manage their crypto assets in the right manners.
Thanks, Harmony team having us for the AMA. We were glad to join it. Thanks to the team and all the members of the session!
Don’t forget there we will be giving away $150 worth of $ONEs and a branded wallet, which can be won just by tweeting your question and tagging our official account on twitter, @harmonyprotocol