Recently I met with the founding team of a group building a project in the cryptocurrency space. They walked my IDEO CoLab colleagues and me through their web app, showing how users could buy and store bitcoin or ether in a custodial wallet, and then use those funds in a variety of ways. I noticed that they also had an option to enter a private key directly to make a transaction.
First rule of crypto: never, ever, EVER share your private key.
Corollary: Be extremely skeptical, if not outright suspicious, of any service or communication requesting your private key.
Having met with this team previously and knowing their impressive backgrounds, I asked – relatively calmly – why they were asking for a private key. The chief technology officer explained that they were implementing a MyEtherWallet-style tool for signing transactions in the browser, so the private key would never be sent to their server.
The intent was to allow users to easily use the service without having to let the platform take custody of funds, while also eliminating the friction associated with having to open up a separate wallet application to generate, sign, and broadcast a transaction. It removes a few steps – hooray for user experience – but does the shortcut really warrant the trade-offs?
I’m very sympathetic to the view that UX in the crypto world is horrible and there’s a need to get creative in exploring opportunities for simplification. And as the team pointed out, from a technical perspective, they would not be exposing users to any more risk than if those users entered their private keys on MyEtherWallet.
That’s true – they could implement the exact same open-source code as MyEtherWallet. I trust that they would do this properly, and I expect that some meaningful amount of their future users would be willing to trust them and feel secure entering private keys on this website.
However, my concern is not primarily whether they could securely implement in-browser transaction signing; as I said, I trust both their competence and their intentions.
What worries me more is that this gives the false impression, especially to those new to cryptocurrencies, that it is OK to enter your private key on a website…