Ledger Recover Fiasco Exposes Gap Between Blockchain Ideals and Technical Reality

Blockchain industry executives often say they idealize “decentralization,” “self-sovereignty” and “trustlessness” – espousing a vision for a future internet and financial ecosystem free of rent-seeking intermediaries and unreliable middlemen.

But time and time again, major blockchain companies and projects come up short – with users surprised and angry to realize that they unknowingly placed their trust in shoddy code, centralized entities or security-challenged hardware.

This article is featured in the latest issue of The Protocol, our weekly newsletter exploring the tech behind crypto, one block at a time. Sign up here to get it in your inbox every Wednesday.

The latest example comes from Ledger, the Paris-based crypto hardware wallet company, which, following a public-relations firestorm last week, announced Tuesday that it would delay plans to release a controversial new wallet-recovery feature called Ledger Recover.

When it revealed the proposed feature last week, Ledger inadvertently drew attention to the fact that the company could theoretically move wallet seed phrases off-device via user-approved firmware upgrades. Previously, the company left some users with the impression that its devices were engineered to avoid this specific scenario.

Once the potential “backdoor” was revealed, outrage flooded Crypto Twitter, with posters panning Ledger for being out of touch with its own customer base – ostensibly self-sovereign types who want nothing but to be entirely in control of their own crypto. Ledger vehemently denied allegations that its capabilities amounted to a “backdoor.” But the company’s initial response to the outrage – pointing out (in a now-deleted tweet) that users were always trusting Ledger not to extract user keys – only served to fuel the furor: One widely-circulated video appeared to show a user smashing a Ledger device with a hammer and then blow-torching it into flames.

In a letter posted to Twitter on Tuesday, Ledger CEO Pascal Gauthier apologized to customers, promised to open-source “as much of the Ledger operating system as possible,” and said he’d delay the release of Ledger Recover.

Delay or no, Ledger’s theoretical ability to move user keys via future software upgrades remains intact – mainly as a by-product of technical constraints with how Ledger and similar wallets are engineered.

The fiasco served as a valuable crash course on the limitations of hardware wallets, generally considered the most secure way to hold crypto. It was also a reminder that the current state of crypto technology doesn’t always match up with the industry’s ideals – and a lesson on the importance of carefully managing expectations.

Ledger’s primary error in the leadup to last week may have been in its marketing, which frequently leaned into crypto’s “trustless” ethos. The messaging was appealing to hard-core crypto users, but it left an impression of Ledger’s technical capabilities which was out of pace with reality.

Ledger’s co-founder and former CEO, Éric Larchevêque, argued on Reddit that last week’s “meltdown” represented a “total PR failure, but absolutely not a technical one.”

Larchevêque, who is a Ledger shareholder but no longer works at the company, wrote that as the company’s user base grew, so did a misperception – fueled largely by Ledger itself – that Ledger’s wallets require zero trust on the part of their users.

“People started to think Ledger was a trustless solution, which is not the case,” he wrote. “Some amount of trust must be placed into Ledger to use their product.”

Developers might have understood the nuance, but users didn’t. Larchevêque linked to an explanation of what happened from Reddit user cmplieger: “Fundamentally nothing has changed with the lLedger hardware or software,” cmplieger wrote. “What has changed is that the lLedger developers have decided to add a feature and take advantage of the flexibility their little computer provides, and people finally started to understand the product they purchased and trust factor involved.”

The most-upvoted comment on that post came from Reddit user Florian995: “What I learned is that I know nothing about the wallet I am using.”

It’s reasonable to be angry when companies oversell their products, but goals like trustlessness and decentralization exist on a spectrum, and hard-core crypto acolytes who think they can abandon one company for a more ideologically pure alternative might be disappointed.

The case of Ledger highlights how the overall state of blockchain technology simply isn’t up to the task of some of the industry’s boldest promises.

Ledger boasts that its USB thumb drives are among the most secure ways to hold crypto because they store user keys in a “secure element” – a mini computer chip that is supposed to be impenetrable. Ledger’s “trustlessness” claims mainly center around the secure element, and the company explicitly reassured users that it’s unable to reach into the element to obtain user keys.

According to Christopher Allen, chief architect at Blockchain Commons, a crypto infrastructure not-for-profit, chip technology is not yet at the point where Ledger could make such a guarantee.

“Ledger got caught in a weakness that all wallets to a certain extent have today because of chip technology,” Allen told CoinDesk. Secure element chips can’t perform the kind of cryptography needed to completely encrypt user keys on-device. (Allen says his team at Blockchain Commons is working to change this, though the tech isn’t ready.)

“There’s really nothing wrong, necessarily, with Ledger,” argued Allen. “They inadvertently exposed an architectural weakness that is all over the place.”