Security: orbinum/wallet-cli

SECURITY.md

Security Policy

Reporting a Vulnerability

DO NOT open public issues for security vulnerabilities.

Report security issues to: dev@orbinum.net

Expected response time: 48 hours

Wallet Security Model

Key Protection

The Orbinum wallet implements a hierarchical key derivation scheme:

Mnemonic Phrase (BIP39)
        ↓
Master Keypair (Sr25519/secp256k1)
        ↓
Spending Key (32 bytes)
        ↓
    ├── Viewing Key (read-only access)
    ├── Nullifier Key (for spending proofs)
    └── EdDSA Key (for circuit signatures)

Trust Model

What you must trust:

  • ✅ The wallet binary you execute (verify before running)
  • ✅ The device running the wallet (malware-free)
  • ✅ Your RPC endpoint (use your own node when possible)

What you DON'T need to trust:

  • ❌ The blockchain node (privacy guaranteed by ZK proofs)
  • ❌ Other network participants (transactions are private)
  • ❌ GitHub Actions (reproducible builds verify integrity)

Threat Model

HIGH RISK: Compromised Wallet Binary

Attack: Modified wallet that exfiltrates spending keys

Impact:

  • ❌ Attacker can steal ALL funds
  • ❌ Attacker can view transaction history
  • ❌ Complete loss of privacy and funds

Mitigation:

  1. Always verify GPG signature before running
  2. Use reproducible builds (see below)
  3. Build from source on trusted machine
  4. Consider hardware wallet integration (roadmap)

# Verify official release
./scripts/verify-wallet.sh orbinum-wallet

# Or build from source
git clone https://github.com/orbinum/wallet-cli.git
cd wallet-cli
git verify-tag v1.0.0  # Verify signed tag
git checkout v1.0.0    # Build the verified tag, not the default branch
cargo build --release

MEDIUM RISK: Viewing Key Leak

Attack: Wallet shares viewing key with third party

Impact:

  • ❌ Attacker can see transaction history
  • ❌ Loss of privacy
  • ✅ Funds remain safe (cannot spend)

Mitigation:

  1. Viewing keys should only be shared intentionally (auditors)
  2. Monitor unexpected network connections
  3. Use firewall rules to restrict wallet connections

# Run wallet with no network access (Linux); --net=none leaves only an isolated loopback interface
sudo -u wallet-user firejail --net=none ./orbinum-wallet

LOW RISK: Metadata Leakage

Attack: Correlating RPC requests with user identity

Impact:

  • ⚠️ IP address correlation
  • ⚠️ Timing analysis possible
  • ✅ Transaction content remains private

Mitigation:

  1. Run your own node locally
  2. Use Tor/VPN for RPC connections
  3. Don't reuse the same node for all transactions

# Connect to local node (best privacy)
./orbinum-wallet --rpc ws://127.0.0.1:9944

# Or use Tor (requires tor service running)
./orbinum-wallet --rpc ws://yournode.onion:9944 --proxy socks5://127.0.0.1:9050

Binary Verification

GPG Signature Verification

Our official GPG key fingerprint:

Primary key: 174E 9AD2 5455 9716 42B9  332D FFF7 BF02 87E3 B152
Key ID: FFF7BF0287E3B152
User ID: orbinum (orbinum-wallet-cli) <dev@orbinum.net>

Download and verify:

# Import public key from repository
gpg --import RELEASE_KEY.asc

# Or from key server
gpg --recv-keys FFF7BF0287E3B152

# Verify binary
gpg --verify orbinum-wallet.asc orbinum-wallet

# Expected output:
# Good signature from "orbinum (orbinum-wallet-cli) <dev@orbinum.net>"
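
The "Good signature" line is printed for any key in your keyring that carries that user ID, and anyone can create a key with the same name and e-mail, so the check that matters is the fingerprint. As an added example (not the project's verify-wallet.sh), these sh functions pin the primary key fingerprint published above by reading gpg's machine-readable status output; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a release only if it was signed under the pinned key.
PINNED_FPR="174E 9AD2 5455 9716 42B9  332D FFF7 BF02 87E3 B152"  # primary key, from this page

# Read `gpg --status-fd` lines on stdin. Succeed only when a VALIDSIG line names
# the pinned primary key and gpg reported no bad, errored, expired or revoked state.
check_status() {
  pin=$(printf '%s' "$1" | tr -d ' ')   # accept the spaced form printed by gpg
  rc=1
  while IFS= read -r line; do
    case $line in
      "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPSIG "*) return 1 ;;
      "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) return 1 ;;
      "[GNUPG:] VALIDSIG "*)
        # The last VALIDSIG field is the primary key fingerprint; it stays the
        # same even when the signature was made with a signing subkey.
        fpr=${line##* }
        if [ "$fpr" = "$pin" ]; then rc=0; fi ;;
    esac
  done
  return "$rc"
}

# usage: verify_release orbinum-wallet.asc orbinum-wallet
verify_release() {
  gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$PINNED_FPR"
}

# Constructed status output for a signature by the key with fingerprint $1
# (sample data for trying check_status offline, not a real gpg capture).
sample_status() {
  kid=$(printf '%s' "$1" | cut -c25-40)   # long key ID = last 16 hex digits
  printf '%s\n' "[GNUPG:] NEWSIG" \
    "[GNUPG:] GOODSIG $kid orbinum (orbinum-wallet-cli) <dev@orbinum.net>" \
    "[GNUPG:] VALIDSIG $1 2024-01-01 1704067200 0 4 0 22 10 00 $1"
}
```

A key that copies the user ID but has a different fingerprint produces the same "Good signature from ..." text and is rejected by `check_status`.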

Checksum Verification

# SHA256
sha256sum -c orbinum-wallet.sha256

# SHA512 (recommended)
sha512sum -c orbinum-wallet.sha512

Reproducible Builds

To verify the binary matches the source code:

# 1. Clone at exact release tag
git clone --branch v1.0.0 https://github.com/orbinum/wallet-cli.git
cd wallet-cli

# 2. Build in deterministic environment (Docker)
docker run --rm -v "$(pwd)":/workspace \
  rust:1.75 bash -c "cd /workspace && cargo build --release"

# 3. Compare checksums
sha256sum target/release/orbinum-wallet
# Should match official release checksum

Best Practices for Users

Do ✅

  • Verify wallet binary before first use
  • Store mnemonic phrase offline in secure location
  • Use hardware wallet when available (future)
  • Run your own Orbinum node for RPC
  • Keep wallet software updated
  • Use full disk encryption on your device
  • Create separate accounts for different purposes

Don't ❌

  • Share your mnemonic phrase with anyone
  • Store mnemonic in cloud services or email
  • Run wallet on untrusted or public computers
  • Connect to unknown/untrusted RPC endpoints
  • Install unofficial wallet versions
  • Take screenshots of your mnemonic
  • Store spending key in plaintext files

Security Features

Implemented

  • ✅ BIP39 mnemonic generation
  • ✅ Hierarchical key derivation
  • ✅ Viewing key isolation (read-only access)
  • ✅ Encrypted keystore (AES-256-GCM)
  • ✅ Memory zeroization for secrets
  • ✅ Rate limiting on RPC calls
  • ✅ Input validation and sanitization

Planned (Roadmap)

  • 🔄 Hardware wallet support (Ledger/Trezor)
  • 🔄 Multi-signature accounts
  • 🔄 Time-locked transactions
  • 🔄 Social recovery mechanisms
  • 🔄 Secure enclave integration (iOS/Android)
  • 🔄 Reproducible builds automation

Responsible Disclosure

If you discover a security vulnerability:

  1. Email: dev@orbinum.net (GPG key available)
  2. Include detailed steps to reproduce
  3. Wait for acknowledgment (48h)
  4. Allow 90 days for fix before public disclosure
  5. Coordinated disclosure with release notes

Audit History

No security audits have been conducted yet. Audits are planned for upcoming releases to ensure the highest level of security for our users.

| Date    | Auditor | Scope         | Report |
|---------|---------|---------------|--------|
| Planned | TBD     | Full codebase | TBD    |

Security Contacts

  • Security Team: dev@orbinum.net
  • GPG Key: 174E 9AD2 5455 9716 42B9 332D FFF7 BF02 87E3 B152 (see RELEASE_KEY.asc)

Remember: Your security is your responsibility. Always verify, never trust blindly.
