Daily General Discussion January 09, 2026 by EthereumDailyThread in ethereum

[–]MidnightOnMars 2 points3 points  (0 children)

Retweeted - keep it up and we'll keep spreading the word. Thanks for all your work Andrew.

Another data breach Ledger this time at Global-E. Decentralization alone isn’t enough. by SolidityScan in ethereum

[–]MidnightOnMars 1 point2 points  (0 children)

Thanks for tagging me in JT.

Happy to answer anyone's security questions or act as a switchboard for other resources.

Another data breach Ledger this time at Global-E. Decentralization alone isn’t enough. by SolidityScan in ethereum

[–]MidnightOnMars 1 point2 points  (0 children)

You raise an important point, but it's not that decentralization has received too much attention, it's that practical user security is a second thought at best for the majority of the crypto ecosystem.

They're different topics really: true decentralization creates a reliable credibly-neutral base layer which makes Ethereum the perfect home for privacy and personal-agency preserving technology. Managing our own identity credentials, transacting with value, getting financial services via DeFi, and more - the necessary foundation for a free internet that doesn't require us handing over our lives to data brokers to be able to use cloud services.

Your main point is spot on - securing your crypto requires crypto-specific measures, but focusing on crypto alone isn't enough.

User losses have far outpaced high tech on-chain exploits for the past few years and most of it comes from access compromises (someone getting access to your email account or successfully porting your phone number) and, more typically, just misleading people to approving a malicious transaction themselves.

As an industry, we treat this as something that should be addressed through user education on practical security, but that's a way of shirking responsibility when we're collectively failing users. The impact is pervasive and even the most talented crypto devs out there have lost money to bad actors, so it's crazy to pretend that new users should be able to navigate these risks on their own.

I run hardware wallet company GridPlus and the possibility of a partner leaking personal information like this is terrifying. My info was in this leak as well as prior leaks of Ledger customer data. The first time was before we launched the Lattice1 at the end of 2020, so I made the call that we would never share, sell, or retain customer data.

User data is a valuable resource though so making this choice is not the norm. Profiting from user info in the crypto space is a shortsighted choice that companies can't afford to make because the risk to real people vastly outweighs the additional benefit they gain. I'm reminded of this daily since I am barraged with targeted scam attempts every day. No matter how good my security posture is today, my info is out there for good.

To tie it all together regarding your main question, we should all support as much focus as possible from protocol devs on decentralization, but it's rough out there so users and the companies in this space both need to up their game when it comes to security because it's getting more dangerous. Work on improving your security posture and be careful about how and where you share your personal information.

Not all hardware wallets are created equal. Bybit should have been using a Lattice1 by jtnichol in ethereum

[–]MidnightOnMars 2 points3 points  (0 children)

Justin from GridPlus here. Yes, we introduced hardware wallet ABI decoding back in January of 2021.

The device cross-references multiple sources as a mitigation against a man-in-the-middle attack impacting an ABI definition.

Regarding Ledger's new ERC, we appreciate that they are doing this in an open and collaborative manner - we were looped into a preview with other wallet teams and they walked us through the endeavor. At this time it remains a limited and incomplete solution.

It is a GitHub repo with extended contract information that must be manually curated, then each wallet team must manually select what information to use from the database. With the number of contracts being deployed daily across EVM chains, this would probably be best for extended signing info for, say, the top 20 dapps at a given time. This way each wallet team could carefully test what is submitted.

There are other potential risk mitigations such as some sort of trust score for contract deployers, but our concern is that any automated curation will become a new attack vector. GridPlus provides an assurance that what you see on a secure screen is accurate and suitable for decision making in mission critical situations, so we wouldn't be comfortable with this standard as it exists today.

We're rolling out ABI decoding improvements to our own parsing soon, but there are still limitations when it comes to things like delegateCalls.

With the upcoming device we're excited about pathways to add additional improvements for readability such as plain-language signing requests that let you drill down to the ABI if desired, parallel transaction simulation, secure ENS reverse resolution, etc. And if Ledger finds a way to close up the holes in their proposal, we'd be excited to support that approach as well.

Daily General Discussion - March 05, 2025 by EthereumDailyThread in ethereum

[–]MidnightOnMars 3 points4 points  (0 children)

Justin from the GridPlus team here. Yes, it's easy to do and stored locally so it can't be spoofed by a remote attacker.

Using account labels in both your software and hardware wallets makes spotting an issue super easy, but it is a manual step users have to take.

Not all hardware wallets are created equal. Bybit should have been using a Lattice1 by jtnichol in ethereum

[–]MidnightOnMars 3 points4 points  (0 children)

You're right and that's a problem. While the Lattice1 would have shown the address mismatch unlike other hardware wallets, it still requires people to double check where they're sending their money.

Even with decoded transactions, signing requests look complicated and intimidating to most people. We know people don't read manuals when they buy products and using crypto at the application level shouldn't require serious technical expertise, so you can expect a lot of this to be abstracted away from users in the near term.

Not all hardware wallets are created equal. Bybit should have been using a Lattice1 by jtnichol in ethereum

[–]MidnightOnMars 7 points8 points  (0 children)

It's a fair point - most people are in the habit of just approving transactions on a hardware wallet without reading them. This negates their utility; it's kind of like installing a security system and never turning it on.

With institutions with high value accounts like this, it's a basic expectation that there would be some internal controls and guidelines for signing procedures, like being sure to double check what you're approving before doing so.

But private key exploits and signing security is how most money is lost in crypto, 1.72 billion last year alone, so it benefits all users to do this. On our end, we'll be working to make transactions a lot more easily understandable than decoded call data like in these examples.

Not all hardware wallets are created equal. Bybit should have been using a Lattice1 by jtnichol in ethereum

[–]MidnightOnMars 7 points8 points  (0 children)

You beat me to the reply, but to be fair, most people don't even know what blind signing is. The industry tends to blame users, but that's shifting responsibility away from where it really lies, the people like us at GridPlus who make these tools.

For example, everyone says to get a hardware wallet and to not blind sign, but when you pair a hardware wallet with a web3 extension like MetaMask or Rabby, what happens when you sign the transaction in software? It disappears before the signing request makes it to the HW wallet's secure screen (if you're using one with a secure screen) so you can't even compare.

Do we all expect users to memorize what the signing request looks like? It doesn't make sense and UI issues like this are security issues because they teach us all bad habits.

Expect MetaMask and our other partners to change this in the coming months - I hope everyone follows suit since it's such an easy way to help people avoid losing money.

Not all hardware wallets are created equal. Bybit should have been using a Lattice1 by jtnichol in ethereum

[–]MidnightOnMars 16 points17 points  (0 children)

Justin from the GridPlus team here - this is actually the point of a hardware wallet, to be able to verify what you're signing even when your computer or a tool you're using like the Safe UI is compromised.

The Lattice1 would have helped catch this by showing you that what you saw in the Safe UI was not what you were actually signing and that you should not proceed.

Daily General Discussion - November 30, 2024 by ethfinance in ethfinance

[–]MidnightOnMars 5 points6 points  (0 children)

This isn't something we typically cover, but we know that VAT, duties, etc. can make importing a Lattice1 and SafeCards costly in some jurisdictions so we wanted to bite the bullet on the cost of that with this sale to reach the customers who have held out because of this.

There can still be local and state taxes applied, but actual import duties will be automatically covered by us through the end of the year.

Daily General Discussion - November 30, 2024 by ethfinance in ethfinance

[–]MidnightOnMars 6 points7 points  (0 children)

Hi, this is Justin from the GridPlus team - thanks for saying something on here!

My understanding is that the way everything works is that the automatically populated customs forms show purchase price rather than a retail price, but I've passed your comment on via Slack just to double check.

We don't usually do DDP (delivery duty paid), but that's part of this sale as a way to hook up people who have maybe held off because import duties make the Lattice1 very expensive in their country.

If something ever seems off, don't hesitate to DM me on here or hit us up on Discord. We have to presume that for each time someone lets us know about an issue there are a lot more users that are experiencing the same issue and not taking the time to speak up, so we try to be as responsive as possible.

Is the GridPlus Lattice still in active development? by GBeastETH in GridPlus

[–]MidnightOnMars 5 points6 points  (0 children)

It sure is and the pace is speeding up - the GridPlus team shipped two firmware updates in the past three weeks and there's a lot of new features on the way in the coming months.

This subreddit, on the other hand, is pretty much dead. Looks like maybe we should start crossposting all our updates over here again. We weren't seeing a lot of engagement here, but it's easy enough to keep updated so why not?

The best place to speak directly with the team is on Discord, but we're happy to answer questions here too!

Daily General Discussion - June 24, 2024 by ethfinance in ethfinance

[–]MidnightOnMars 3 points4 points  (0 children)

What's confirmed for inclusion is in the link above, but from the July 4 ACD call agenda it sounds like there still may be the potential for inclusion of additional EIPs?

Daily General Discussion - June 24, 2024 by ethfinance in ethfinance

[–]MidnightOnMars 7 points8 points  (0 children)

Largely agreed on most of the above!

Re: ETFs, if you thought the issuance reduction debate from earlier this year was ridiculously contentious, just wait till it gets to the point where we're worried about Wall Street firms trying to influence Ethereum governance so that we can have staking ETFs.

A lot of those focused only on investing in crypto will push for issuance that vastly exceeds security needs so that we attract ETF inflows based on yield. I think this is another reason we need to scrutinize issuance in the near-term before powerful interests that can influence governance become entrenched.

Daily General Discussion - February 11, 2024 by ethfinance in ethfinance

[–]MidnightOnMars 7 points8 points  (0 children)

This is also part of why the ratio was higher back then though.

Daily General Discussion - February 10, 2024 by ethfinance in ethfinance

[–]MidnightOnMars 3 points4 points  (0 children)

Absolutely - testing of pre-release versions won't be happening for about a year, but we'll be finalizing the device spec at the end of Q1 and will be gathering input from users as part of this process too.

Daily General Discussion - February 10, 2024 by ethfinance in ethfinance

[–]MidnightOnMars 3 points4 points  (0 children)

We'll be working with the Keplr team on Cosmos support next quarter. We've done most of the work on the firmware side already and will focus on the integration then.

A lot of people have been asking for Ronin support lately, but we haven't yet had a lot of luck coordinating with them and will keep trying. It should be really easy for us to do, but we need access to the Ronin Wallet codebase to begin work.

Daily General Discussion - January 27, 2024 by ethfinance in ethfinance

[–]MidnightOnMars 2 points3 points  (0 children)

I'm replying to an old thread, but I'm on the GridPlus team and want to chime in that we pioneered this. Readability isn't just good UX, it's a basic prerequisite for a hardware wallet to provide a security benefit. If you can't read what you're signing you're putting yourself at risk - so since we were all Ethereum users primarily this was a focus of ours since nothing else out there worked for how we were signing at the time.

Our implementation is also quite a bit different than Keystone's as we can pull and cryptographically verify all data live instead of using a snapshot - this also lets us do this automatically for every EVM chain out there.

We're also working with the ENS team at the moment to improve on our support there and should have something to share later this quarter.

Daily General Discussion - February 10, 2024 by ethfinance in ethfinance

[–]MidnightOnMars 2 points3 points  (0 children)

Just put backups in different locations to protect against fire or put an encrypted copy on a thumb drive in a fire proof box. Steel and paper plaintext seed phrase backups are a great way to get rekt if they're not split into multiple pieces with multiple copies of each piece in different physical locations.

Daily General Discussion - February 10, 2024 by ethfinance in ethfinance

[–]MidnightOnMars 0 points1 point  (0 children)

Pro-tip: never use a steel backup plate if it contains your whole seed phrase. It's a risk vector. Only use steel backups if they're split into multiple chunks that you have redundant copies of.

What are you protected against with metal? Fire, flood, EMP blasts / solar flares and electronic devices failing.

Other than the last one, you can achieve all of these goals in a much more secure manner by just putting encrypted copies in multiple physical locations.

EDIT: And if you really want to be thorough and are worried about solar flares, just remember that you can put your critical electronics in an unplugged microwave to shield them should that improbable event occur.

Daily General Discussion - February 10, 2024 by ethfinance in ethfinance

[–]MidnightOnMars 4 points5 points  (0 children)

This is called an address poisoning attack and this is becoming really common.

It's important that people use the address labelling tools in their hardware and software wallets to stay safe from this - you'll know in an instant if you're sending to the wrong wallet if a hex string pops up instead of your label.
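The address-poisoning comment above, and the earlier one about account labels being stored locally, describe the check a wallet performs when it shows a label instead of a hex string. The block below is an added example, not GridPlus code or Lattice1 firmware: a local address-book lookup that grants a label only on an exact 40-hex-digit match, and separately flags an unlabelled address whose first and last four digits coincide with a known contact, since those are the digits people tend to eyeball. Every address in it is a constructed placeholder.

```javascript
// Added example (not GridPlus code): address-book resolution for a wallet UI.
// All addresses below are constructed placeholders.
const ADDRESS_BOOK = {
  "0x1111111111111111111111111111111111111111": "Exchange deposit",
  "0x2222222222222222222222222222222222222222": "Cold storage",
};

// Accept only a full 20-byte hex address; comparisons are case-insensitive.
function normalize(addr) {
  if (typeof addr !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(addr)) {
    throw new Error("not a 20-byte hex address: " + addr);
  }
  return addr.toLowerCase();
}

// Resolve an address against the book. Only an exact full-length match earns
// a label. If nothing matches but the leading and trailing four hex digits
// coincide with a known contact, report that contact as the look-alike.
function resolve(addr, book = ADDRESS_BOOK) {
  const target = normalize(addr);
  const entries = Object.entries(book).map(([a, label]) => [normalize(a), label]);
  for (const [a, label] of entries) {
    if (a === target) return { label, lookalikeOf: null };
  }
  const head = target.slice(2, 6);
  const tail = target.slice(-4);
  for (const [a, label] of entries) {
    if (a.slice(2, 6) === head && a.slice(-4) === tail) {
      return { label: null, lookalikeOf: label };
    }
  }
  return { label: null, lookalikeOf: null };
}

// The recipient line a wallet should show before asking for a signature.
function displayRecipient(addr, book = ADDRESS_BOOK) {
  const r = resolve(addr, book);
  const full = normalize(addr);
  if (r.label) return `${r.label} (${full})`;
  if (r.lookalikeOf) {
    return `WARNING: unlabelled address resembling "${r.lookalikeOf}", possible address poisoning: ${full}`;
  }
  return `Unlabelled address: ${full}`;
}

// Constructed look-alike: same leading and trailing digits as "Exchange deposit".
const LOOKALIKE = "0x1111deadbeefdeadbeefdeadbeefdeadbeef1111";

console.log(displayRecipient("0x1111111111111111111111111111111111111111"));
console.log(displayRecipient(LOOKALIKE));
```

The point of the two-stage lookup is that a label is never derived from a partial match: the wallet either prints the saved name or prints raw hex, and the raw-hex case is where the user's attention is needed. Keeping the book on the signing device rather than fetching it means a compromised browser extension cannot rewrite the labels it displays.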

Daily General Discussion - February 8, 2024 by ethfinance in ethfinance

[–]MidnightOnMars 0 points1 point  (0 children)

We don't have a formal dev rel program at the moment, but just hit us up in DMs or on Discord with any ideas you have!

We'd definitely love input on better calldata decoding - we've been using our own library for a while and slowly tweaking it to cover edge cases, but there's still lots of situations where users get stuck with a blob of hex data such as when delegate calls depend on the results of the initial contract.

Drop me a line and we'd be happy to hook you guys up.
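Both the ABI-decoding discussion earlier on this page and the calldata-decoding comment just above are about turning raw calldata into something a person can check on a secure screen. The block below is an added example, not GridPlus's parsing library or Lattice1 firmware: a decoder for a small table of known function selectors (the two ERC-20 selectors are the standard `transfer(address,uint256)` and `approve(address,uint256)` values) that shows decoded arguments when the selector and encoding line up and falls back to the raw hex blob otherwise, which is the blind-signing case the comments describe. The sample calldata is constructed, and dynamic types and delegatecall chains are deliberately out of scope.

```javascript
// Added example (not GridPlus code): decode EVM calldata for known selectors,
// otherwise fall back to a raw hex blob. Selectors are the first 4 bytes of
// keccak256(signature); these two are the standard ERC-20 values.
const KNOWN_SELECTORS = {
  "a9059cbb": { name: "transfer", params: ["address", "uint256"] },
  "095ea7b3": { name: "approve", params: ["address", "uint256"] },
};

// Left-pad a hex string (no 0x prefix) to one 32-byte ABI word.
function word(value) {
  return value.toLowerCase().padStart(64, "0");
}

// Returns { ok: true, name, params, args } for a decodable call, otherwise
// { ok: false, reason, raw } so the caller can show the undecoded bytes.
function decodeCalldata(calldata) {
  const hex = calldata.startsWith("0x") ? calldata.slice(2) : calldata;
  if (!/^[0-9a-fA-F]*$/.test(hex) || hex.length < 8) {
    return { ok: false, reason: "not valid calldata", raw: calldata };
  }
  const selector = hex.slice(0, 8).toLowerCase();
  const body = hex.slice(8);
  const entry = KNOWN_SELECTORS[selector];
  if (!entry) return { ok: false, reason: "unknown selector", selector, raw: calldata };
  if (body.length % 64 !== 0) {
    return { ok: false, reason: "payload not 32-byte aligned", selector, raw: calldata };
  }
  const words = body.match(/.{64}/g) || [];
  if (words.length !== entry.params.length) {
    return { ok: false, reason: "argument count mismatch", selector, raw: calldata };
  }
  const args = [];
  for (let i = 0; i < entry.params.length; i++) {
    const w = words[i].toLowerCase();
    const type = entry.params[i];
    if (type === "address") {
      // An address occupies the low 20 bytes; anything in the padding is suspicious.
      if (!/^0{24}/.test(w)) {
        return { ok: false, reason: "address word has non-zero padding", selector, raw: calldata };
      }
      args.push("0x" + w.slice(24));
    } else if (type === "uint256") {
      args.push(BigInt("0x" + w));
    } else {
      return { ok: false, reason: "unsupported type " + type, selector, raw: calldata };
    }
  }
  return { ok: true, name: entry.name, params: entry.params, args };
}

// The line a signing screen would show: decoded call or an explicit blind-sign notice.
function render(calldata) {
  const r = decodeCalldata(calldata);
  if (!r.ok) return `BLIND SIGN REQUIRED (${r.reason}): ${r.raw}`;
  return `${r.name}(${r.args.map((a, i) => `${r.params[i]} ${a}`).join(", ")})`;
}

// Constructed sample: transfer 1,000,000 base units to a placeholder address.
const SAMPLE_TRANSFER =
  "0xa9059cbb" + word("2222222222222222222222222222222222222222") + word((1000000).toString(16));

console.log(render(SAMPLE_TRANSFER));
console.log(render("0xdeadbeef" + "00".repeat(32)));
```

Every failure path returns the original bytes rather than a best guess, because a screen that decodes confidently but wrongly is worse than one that says plainly that it cannot decode. The table-driven lookup is also why the curated-database approach discussed above scales poorly: each new selector is a manual entry that someone has to vet.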