The Ledger Recover Fiasco Reveals the Gap Between Blockchain Ideals and Technical Reality

Leaders in the blockchain industry often say they idealize “decentralization,” “self-sovereignty,” and “trustlessness”—supporting a vision for a future Internet and financial ecosystem free of rent-seeking middlemen and untrustworthy intermediaries.

But time and time again, large blockchain companies and projects fall short—with users surprised and angry when they realize they unwittingly placed their trust in bad code, centralized devices, or security-challenged hardware.

This article is featured in the latest issue of The protocolour weekly newsletter that explores the technology behind crypto, one block at a time. sign up here to get it in your inbox every Wednesday.

The latest example comes from Ledger, the Paris-based crypto hardware wallet company, which, after a PR storm last week, announced on Tuesday that it would delay plans to launch a controversial new wallet recovery feature called Ledger Recover.

When it revealed the proposed feature last week, Ledger inadvertently drew attention to the fact that the company could theoretically move wallet seed sets outside the device via user-approved firmware upgrades. Previously, the company gave some users the impression that its devices were engineered to avoid this specific scenario.

When the potential “backdoor” was revealed, fury flooded Crypto Twitter, with posters pandering to Ledger for being out of touch with its own customer base – seemingly self-righteous types who want nothing more than to be in complete control of their own crypto. Ledger vehemently denied claims that its capabilities constituted a “backdoor”. But the company’s initial response to the outrage — pointing out (in a now-deleted tweet) that users always trusted Ledger not to extract user keys — only served to fuel the furor: A widely circulated video appeared to show a user smashing a Ledger device with a hammer and then blowing it into flames.

In a letter posted on Twitter on Tuesday, Ledger CEO Pascal Gauthier apologized to customers, promised to open source “as much of the Ledger operating system as possible” and said he would delay the release of Ledger Recover.

The story continues

Delay or not, Ledger’s theoretical ability to move user keys via future software upgrades remains intact – largely as a byproduct of technical limitations with how Ledger and similar wallets are constructed.

The fiasco served as a valuable crash course on the limitations of hardware wallets, generally considered the safest way to hold crypto. It was also a reminder that the current state of crypto technology doesn’t always match the industry’s ideals — and a lesson in the importance of carefully managing expectations.

Ledger’s PR Meltdown

Ledger’s primary flaw in the run-up to last week may have been in its marketing, which often leaned into crypto’s “trustless” ethos. The message was appealing to hardcore crypto users, but it left an impression of Ledger’s technical abilities that was out of step with reality.

Ledger’s co-founder and former CEO, Éric Larchevêque, claimed on Reddit that last week’s “meltdown” represented a “total PR failure, but certainly not a technical one.”

Larchevêque, who is a Ledger shareholder but no longer works at the company, wrote that as the company’s user base grew, so did a misconception — largely fueled by Ledger itself — that Ledger’s wallets require zero trust from users.

“People began to think that Ledger was a trustless solution, which is not the case,” he wrote. “A certain level of trust has to be placed in Ledger to use their product.”

Developers may have understood the nuance, but users did not. Larchevêque linked to an explanation of what happened from Reddit user cmplieger: “Basically, nothing has changed with the lLedger hardware or software,” cmplieger wrote. “What has changed is that the lLedger developers have decided to add a feature and take advantage of the flexibility their little computer provides, and people finally started to understand the product they were buying and the trust factor involved.”

The most enthusiastic comment on that post came from Reddit user Florian995: “What I learned is that I don’t know anything about the wallet I’m using.”

Hardware limitations

It’s reasonable to be angry when companies oversell their products, but goals like trustlessness and decentralization exist on a spectrum, and die-hard crypto acolytes who think they can abandon one company for a more ideologically pure alternative may be disappointed.

The case of Ledger highlights how the overall state of blockchain technology is simply not up to the task of some of the industry’s boldest promises.

Ledger boasts that the USB drives are among the most secure ways to hold crypto because they store user keys in a “secure element” — a mini-computer chip that’s supposed to be impenetrable. Ledger’s “lack of trust” claims mainly revolve around the secure element, and the company explicitly assured users that it is unable to reach into the element to obtain user keys.

According to Christopher Allen, chief architect at Blockchain Commons, a not-for-profit crypto infrastructure, chip technology is not yet at the point where Ledger can provide such a guarantee.

“Ledger was caught in a weakness that all wallets have to some degree today because of chip technology,” Allen told CoinDesk. Secure element chips cannot perform the type of cryptography needed to fully encrypt user keys on the device. (Allen says his team at Blockchain Commons is working to change this, though the technology isn’t ready.)

“There’s really nothing wrong, necessarily, with Ledger,” Allen claimed. “They inadvertently exposed an architectural weakness that is all over the place.”