I'm concerned about storing my funds on this website. How can I know they are safe?
Asked
Active
Viewed 3,681 times
1 Answers
15
The fact that it never gets access to the your private spend key. The workings of the site are explained here.
Your monero are "kept" on the blockchain and not on the site itself. The site is just an interface to tell the network you want to move your monero, where all the cryptography to spend the coins (using your private spend key to sign the transaction) is performed by your computer. By logging-in, you're giving the program (javascript code running locally on your browser) your secret spend key so it can do its magic.
However, it's important to note that the site does store one piece of information: your private view key. Because of this, the site can see all your incoming transaction and provide you with the convenience of having your balance visible immediately.
Possible attack vectors include:
- A hacker spoofing the site somehow, so you would load a different "program" (code running in your browser) which would steal your keys after you type in the mnemonic.
- You could protect against this by always checking the correct site address and https certificate.
- A hacker hacking the site server, changing the program delivered to the users and being able to steal the keys of whomever logs in after that point
- You could protect against this by inspecting the code of the site. Let's say you make a snapshot of the site, and copare the newly downloaded one vs the old one. Not very practical to do, though.
- Site owner going rogue and doing the same
- Key logger on your PC
- Browser extension malware
- You could protect against this by disabling all addons/extensions ...
The important takeaways are:
- If you have used the site in the past, and someone hacks it afterwards or the owner goes rogue, they won't be able to steal your funds.
- Due to how it works, even if someone hacks the site, he would be able to steal only the funds of those who log in during the time the site is hacked
- If the owner would go rogue, the word would soon go out. Highly unlikely considering the massive credibility of the current owner (one of core team).
- Considering all above, it's recommended to keep larger amouts using simplewallet or cold storage. The site should be used for pocket money, like what you would normally keep in your physical wallet.
