Avoiding ColdCard Supply Chain Attacks

  1. Only buy ColdCard from the manufacturer, and verify the bag serial number with the device serial number.
  2. Do not trust ColdCard to derive the seed. I provide my own seed by picking 23 words at random and computing the checksum word with seedpicker.net.
  3. Do not trust ColdCard to derive the xpub. I type the same seed words into an Electrum instance on a Raspberry Pi and confirm that the same addresses appear at the correct derivation path.
  4. Do not trust ColdCard to derive the addresses. I import the descriptor into Bitcoin Core on my online computer and confirm that the watch-only addresses generated there are the same as the addresses in the ColdCard address explorer file.
  5. After verifying that the addresses match from Bitcoin Core and from ColdCard, I like to write down the validated addresses in a text file and write down the hash of that file on a piece of paper to check prior to using the addresses in the future.
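
The checksum word from step 2 can also be recomputed offline, so the tool that produced it is cross-checked rather than trusted. The following is an added example, not code from the original post or from seedpicker.net; the function names are hypothetical, and words are passed as zero-based BIP39 wordlist indices because the 2048-word list is not embedded here.

```python
import hashlib

WORD_BITS = 11  # each BIP39 word encodes an 11-bit index into the 2048-word list


def final_word_candidates(first_23):
    """Return the 8 valid 24th-word indices for 23 chosen word indices (0-2047).

    Hypothetical helper written for this example.
    """
    if len(first_23) != 23:
        raise ValueError("expected exactly 23 word indices")
    if any(not 0 <= i < 2048 for i in first_23):
        raise ValueError("word index out of range 0-2047")
    # 23 words * 11 bits = 253 bits of entropy chosen by the user.
    prefix = 0
    for i in first_23:
        prefix = (prefix << WORD_BITS) | i
    candidates = []
    # The last word carries the remaining 3 entropy bits plus an 8-bit checksum,
    # so each of the 8 possible 3-bit values yields exactly one valid final word.
    for extra in range(8):
        entropy = ((prefix << 3) | extra).to_bytes(32, "big")
        checksum = hashlib.sha256(entropy).digest()[0]  # first byte of SHA-256
        candidates.append((extra << 8) | checksum)
    return candidates


def is_valid_24(indices):
    """Check a complete 24-word mnemonic (given as indices) against its checksum."""
    return len(indices) == 24 and indices[23] in final_word_candidates(indices[:23])


if __name__ == "__main__":
    # Constructed sample input: 23 copies of index 0, the first wordlist entry.
    sample = [0] * 23
    print("valid final word indices:", final_word_candidates(sample))
    print("index 102 accepted:", is_valid_24(sample + [102]))
```

An index is the word's line number in the BIP39 English wordlist minus one. A checksum word suggested by any tool should map to one of the eight indices returned for the same 23 words.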

  1. What about bad nonce attacks in signatures? Can that leak the private key?
  2. What about a concealed radio chip broadcasting key material to an open wifi network? (True tin-foil territory here.)
  3. What about a back door that allows someone with physical possession of the wallet to extract the key?




Ethan Scruples
