Jaxx Wallet Vulnerability Puts Your Bitcoin At Risk -- and They Won't Fix It


If the Jaxx seed is stored unencrypted, as this seems to be saying, that is appalling. In my opinion there’s no excuse for this. It seems the excuse Jaxx are using is that it’s only supposed to be a hot wallet with small amounts. So what?! Why not encrypt the seed? If it’s true that they’re saying it’s up to users to keep their devices secure, this is crap too. Bad practice…


Im kinda surprised as well. Anthony is well connected and has the resources to know better. Bummer.


I’m sympathetic to the idea that there’s not a compelling reason to encrypt the seed.

After all, if an attacker has access to the device in question, couldn’t they just install a keylogger, so that any password protected seed could still have its password stolen the next time jaxx is opened?

A seed which is not encrypted creates a vastly greater number of attack vectors. Whats more, many of the attack vectors become a great deal more simple to carry out.
What if someone steals the device?

But is there a good reason to not encrypt the seed?

1 Like

Yes, but it’s only acceptable to the developers of the wallet. Who likely dont use the wallet.

There are always good reasons not to do things, namely that doing things takes time and effort.

Agree if Im raking the leaves on my property, and dont care if a few are left. But building a bitcoin wallet for millions of people to use, expecially noobs jumping on the ETH bandwagon. I can see your point and the CTO on the custody issue but the question of losing it… leaving it at the bar after a night out is real and needs consideration. As you are prolly aware Anthony was involved with Vitalik since the start and Im sure feels this is a problem. The noted reddit thread includes claims by Charlie Shrem its being “fixed”… https://twitter.com/CharlieShrem/status/873642245014114304 …But I see he is backing down from that .

Anyway. If it can be done, it should be done. Would you agree with that sentiment @sfultong ??

1 Like

eh, sure, why not?

I am confused that there seems to be a JAXX pin for securing your wallet, but it doesn’t seem to be used for encrypting the seed.

Now, do you think the seed should be encrypted by default? Because that is a usability issue. There’s always a tradeoff between keeping non-technical users safe, and turning them away because the software isn’t easy enough.