The IOTA ecosystem is one of the most vibrant I’ve ever been part of. Lots of brilliant developers are working on exciting projects to explore the opportunities of the Tangle and the level of innovation is astonishing at times.

If you manage to ignore the FUD — which unfortunately seems to go along with all-things-crypto these days — actively engaging with this community is a technology enthusiast’s dream come true.

There’s one aspect, however, that causes something of a dilemma: how to deal with third party wallets?

Wallets are an essential part of every cryptocurrency as they provide access to your funds. To deliver that functionality, at some point they have to prompt for your key. In IOTA, this key is called the seed.

Consequently, you have to trust your wallet software.

Recently, users lost IOTA funds because they were tricked into creating their seeds online. While using online password generators is not a good idea in the first place, third party wallets potentially carry a similar risk. In simplified terms, a wallet could forward any seed entered into it to a malicious party, which could subsequently steal your funds.

For the above reason, most third party wallet developers decide to publish their code openly. Unfortunately, this might not help as expected:

Making the code available doesn’t mean it has been audited by an independent, trustworthy entity. The phishing attempts we’ve seen so far were very sophisticated and difficult to spot even for seasoned developers.

If the wallet is a mobile app, there is almost no way to ensure that the binaries distributed via the app stores haven’t been built from an altered code base.

Over on the official IOTA community, third party developers have openly asked the IOTA Foundation to audit third party products and provide a kind of official certification.

So far, the IOTA Foundation has rejected these requests and rightly so.

First, executing a comprehensive audit of a complex code base consumes significant resources. The IOTA Foundation is well advised to focus on further developing the core technology. The Foundation has commissioned and sponsors the development of an awesome official wallet („Trinity“) and should consider this part of the problem solved.

Second, a one-time audit wouldn’t be enough. Theoretically, a re-audit would have to take place before every new release. Essentially, taking on this responsibility would mean a long-term commitment that probably cannot be kept.

Lastly, all sorts of liability issues might arise, with the potentially liable party not having all aspects under its control. Nobody wants to be in that situation.

What does this mean?

Well, nothing has changed:

Never generate your seed online and never submit it to any third party (website or app). If you use a non-official wallet, you use it at your own risk. IOTA is a cryptocurrency („You are your own bank!“) and nobody can reverse malicious transactions. Even IOTA Foundation does not „own“ the Tangle. Should any third party wallet advertise an official IOTA Foundation endorsement, there is no such thing at the time of this writing. (At least not to my knowledge.)
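The only safe alternative to an online generator is creating the seed yourself, offline, from a cryptographically secure random source. The snippet below is an added example and not code from the original post or from any IOTA project; it relies on the publicly documented IOTA seed format (81 characters from the tryte alphabet A–Z and 9) and uses Python's `secrets` module, which draws from the operating system's CSPRNG. The function names are my own.

```python
import secrets

# IOTA seed format: 81 trytes, each drawn from the alphabet below.
TRYTE_ALPHABET = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SEED_LENGTH = 81


def generate_seed() -> str:
    """Generate an IOTA seed offline from the OS CSPRNG.

    secrets.choice() picks each tryte uniformly, so every character
    carries log2(27) ~ 4.75 bits of entropy; 81 of them is ~385 bits.
    Never use the `random` module here: it is a PRNG seeded from
    predictable state and is not suitable for keys.
    """
    return "".join(secrets.choice(TRYTE_ALPHABET) for _ in range(SEED_LENGTH))


def is_valid_seed(seed: str) -> bool:
    """Check that a seed has the right length and alphabet.

    Useful as a sanity check before pasting a seed into any wallet, and
    as a guard in your own tooling against truncated or mistyped seeds.
    """
    return len(seed) == SEED_LENGTH and all(c in TRYTE_ALPHABET for c in seed)


if __name__ == "__main__":
    # Run this on an offline machine, write the seed down, and clear the
    # terminal afterwards; the seed is the only key to your funds.
    seed = generate_seed()
    assert is_valid_seed(seed)
    print(seed)
```

Run it on a machine that is disconnected from the network, and treat the printed seed exactly as the article says: it never goes into a website, a chat, or an app you do not trust.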

In the grand scheme of things and based on a conversation I’ve had with an IOTA Foundation member, the goal of decentralization is not having to trust anyone, including the IOTA Foundation. People should be very cautious any time they use a new wallet, regardless of who built it or endorsed it.

Another goal we as a community should have is to foster a collaborative and supportive ecosystem. I have no issue with people who are building competing wallets and I wish them luck. It would be great for the entire IOTA ecosystem if someone builds a wallet that blows the official ones out of the water.

I still hope people exercise caution if they choose to use them, but let’s not foster an ecosystem that makes it difficult for anyone other than the IOTA Foundation to establish a trusted reputation of their own.

Stay safe and help spread the word!