The Aledged Problem

One of our competitors (thanks Marko) identified a serious issue where some hardware wallets (including Trezor and Ledger) will sign a altcoin transaction and that transaction could be valid on Bitcoin, where we keep our valuable coins.

Although Coldcard does not support any altcoins, we do support Testnet, and it is a little like an altcoin for developers.

The concern raised is that you might be socially-engineered into manually switching your Coldcard over to Testnet, and then signing a transaction, which would need to be provided by the attacker. That transaction, if it referenced UTXO on mainnet, would be valid there and so your funds could be stolen.

Existing protections

  • Coldcard ships in mainnet mode, not Testnet
  • It would have to explicitly switched over to Testnet.
  • There is no remote (USB) way to switch to Testnet—explicit user action is required.
  • Attacker needs to know your XPUB and UTXO on blockchain.

To strengthen this, we’ve added a warning screen, and moved the setting into what we call the “Danger Zone” which already has a number of risky settings, and private data for developers only.

example warning

The new screen is present in version 3.2.1 and later. However, we don’t see the need to ask for upgrades, since now you understand the problem, you wouldn’t fall for it.

Testnet Is Useful

Testnet support is useful for developers! Even as a hardware wallet already with wide wallet support, on many diverse Bitcoin projects, we still want to remove all possible barriers to outside developers.

Summary

If anyone tells you some complex story about airdropped coins, or any other BS about why you should “just try” signing their PSBT with your real Coldcard … please tell them to get bent.

Download the latest firmware here