
A few days ago, Ledger, a provider of cryptocurrency custody solutions, suffered an attack on its connect kit library that put the funds of millions of users at risk. The attack was thwarted thanks to a timely intervention by the company’s team, which installed a patch.

After this event, many users in the crypto world, dissatisfied with the lack of precautionary measures at Ledger that could have prevented the exploit, have started to show more interest in the competitor Trezor, which is also a producer of non-custodial wallets.

In this article we explore Trezor, all its features and its security standards.

Ledger Storm: exploit in the connect kit library puts millions of users’ crypto wallets at risk

On Thursday, December 14th, a shitstorm broke out on X against the crypto wallet provider Ledger, which has prompted many users to consider switching to the competitor Trezor.

It all started at 11 am Italian time, when it was discovered that the GitHub account of a former Ledger employee had been compromised (presumably through a phishing attack), allowing malicious individuals to install a malicious version of the connect kit directly on the repository.

The connect kit is a library that allows users of decentralized platforms to connect their Ledger to various dapps; it usually opens as soon as you visit a website that features the web3 connection.

The problem in this case is that the malicious code was spread on the CDNs and was delivered to everyone who interacted with the Ledger wallet connect library, which means 99% of all existing dapps. Even Revoke.Cash was affected.

Anyone who connected their Ledger via the connect kit on December 14th between 11 am and 5 pm was immediately hacked: in short, the malicious code displayed a pop-up (as shown in the following picture) that, if clicked, would lead to the emptying of the crypto wallet.

At the moment the situation seems to be under control, with the Ledger team having installed a new version of the connect kit with a patch that resolves the issue.

However, there are still many doubts about the potential implications that this exploit may have brought within the cryptographic community.

First of all, from now on dapp developers are at risk if they still use an outdated version of the Ledger library; if they have not taken action after the serious incident, they could harm all users of their application.

In addition, we do not know if the bug may have spread malware within the devices of the individuals who visited dapps on December 14th, even if they did not fall into the trap of the malicious pop-up.

The white hat community and Ledger itself quickly resolved the stormy exploit, managing to contain the damage as much as possible, but the risks are still lurking and many users are deciding to abandon the wallet maker and switch to its competitor Trezor.

A small suggestion after the incident: as suggested by the X account “Mudit Gupta” and subsequently also by “Blackie” (who played a fundamental role in quickly spreading the news within the Italian community), check that the version of the connect kit on the CDN is “1.1.8”, and in any case delete all browsing data in Chrome, such as cookies and cache.

The ledger issue is now fixed.

To make sure you don't have the malicious library cached, go to https://t.co/MSVgii7Ufk and ensure the version is 1.1.8.

If it's not, clear your cache. Chrome: F12 > Chrome Developer Tools > Application tab > Storage in left tree > Clear site data. pic.twitter.com/BtNUiO4vXF

— Mudit Gupta (@Mudit__Gupta) December 14, 2023
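
For dapp developers, the version check recommended above can be automated over a site's own pages. The script below is an added example, not code from the article or from Ledger: it lists every CDN URL that references the connect kit and flags any that is not pinned to 1.1.8. The npm package name `@ledgerhq/connect-kit`, the `<package>@<version>` CDN URL layout, and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: flag CDN references to the Ledger connect kit that are not
// pinned to the version the article names as fixed.
// Assumptions: npm package name and the "<pkg>@<version>" CDN URL layout.
const FIXED_VERSION = "1.1.8";
const CDN_REF =
  /https?:\/\/[^\s"'<>]*?@ledgerhq\/connect-kit(?![\w.-])(?:@([^\/\s"'<>?#]+))?[^\s"'<>]*/g;

// Classify one version specifier taken from a CDN URL.
function classify(spec) {
  // No specifier, a tag such as "latest", or a partial version such as "1"
  // all resolve to whatever the CDN serves at load time.
  if (!spec || !/^\d+\.\d+\.\d+$/.test(spec)) return "floating";
  return spec === FIXED_VERSION ? "ok" : "mismatch";
}

// Return every connect-kit CDN reference found in page or bundle source.
function auditSource(text) {
  return [...text.matchAll(CDN_REF)].map((m) => ({
    url: m[0],
    spec: m[1] || null,
    status: classify(m[1]),
  }));
}

// Constructed sample markup (URLs and file paths are illustrative only).
// The last line references a different package and must not be reported.
const SAMPLE = `
<script src="https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1.1.8/dist/index.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1"></script>
<script src="https://unpkg.com/@ledgerhq/connect-kit@1.1.2/dist/index.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit-loader@1.1.0/dist/index.js"></script>
`;

for (const r of auditSource(SAMPLE)) {
  console.log(r.status.padEnd(8), r.spec ?? "(none)", r.url);
}
```

A "floating" result means the page loads whatever version the CDN resolves at that moment, so the copy a user receives can change without the dapp being redeployed.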

Trezor Alternative: what is it and how does this wallet work? Is it safer than Ledger?

As mentioned, after the serious incident at Ledger, many users have started to move to the crypto wallet Trezor with the idea that the latter is safer than its competitor.

Let’s see what the main features of the Trezor are and how it differs from its main competitor.

However, we remind you that the exploit we talked about does not concern the physical device itself, but rather a questionable practice that let a former Ledger employee’s account publish malicious code on GitHub, which was then distributed through CDNs.

First of all, let’s clarify that Trezor is a non-custodial hardware wallet, which is used to hold crypto without entrusting the private keys to any third-party entity.

It works in the same way as other non-custodial solutions, where once the device is started, you can choose whether to recover a wallet from an existing seed phrase or initialize an account from scratch.

The seed phrase and the device’s PIN are the two main safeguards of the hardware wallet, protecting the user from loss, theft, or certain cyber attacks.

There are 3 different Trezor models (Model One, Safe 3, and Model T), each of which supports over 800 coins or tokens and allows you to send, transfer, or store assets.

The Model One works via USB cable while the other two work via USB-C.

The Model T, which is the most expensive and the most recent, features a 1.54-inch touchscreen while the others have the “two-button pad”.

All three run open source code, which is one of the distinctive features of Trezor, a company that focuses heavily on security, transparency, and privacy.

With all 3 crypto wallets it is also possible to connect through the anonymous browsing software Tor, which allows you to protect yourself from some dangers of the web.

Now let’s move on to the differences with the Ledger:

Compared to the Ledger, the Trezor wallet has open source code, which is a much more inviting starting point than the closed code of the former, which everyone “must trust”.

An open source context allows for better control over bugs and faster resolution of issues than any privately confined system.

Another difference concerns the well-known “secure element”, which is a physical chip present on ALL Ledger devices (while it is only present on Trezor’s Safe 3) and is a security measure that prevents malicious individuals from obtaining the wallet’s private keys in case of device theft.

Private keys never leave the secure element, and this is a great strength of the Ledger.

On the subject of materials, here too Ledger prevails over Trezor: the metal of the former is much more resistant than the plastic involved in the production of the latter.

The installable applications are the same and are available in both cases on iOS and Android.

Finally, on the brand reputation front, we can say that Ledger, after the latest slip-up, has worsened an already critical situation when it comes to trust in the crypto world.

The company had already received negative attention for controversial issues (such as the “Recover” function proposed a few months ago), but after the latest serious incident that could have been avoided with more professional precautions, it is obvious that there are no longer grounds for trust.

Trezor has always shown itself to be focused on the security of its devices and the transparency of its operations.