Threat model
An honest threat model states what a design removes and what it does not. Ownbit's cold wallet removes several whole classes of attack by architecture; a few residual risks remain, which we name plainly below along with how they're bounded.
What the architecture removes
- Remote network attacks — the signing device has no network.
- Custodial risk — non-custodial; Ownbit can't touch your keys.
- Watch-side leakage — the watch-only wallet holds public keys only and cannot sign.
- Opaque-channel smuggling — the only thing crossing the air gap is plaintext QR you can inspect (at the plaintext level).
Residual trust that remains
- Signer implementation — a malicious or buggy signer could, in theory, manipulate the random nonce in a signature to encode and leak your private key inside a signature that looks perfectly normal. Plaintext review won't catch this. This risk exists in every signing product, hardware wallets included.
- Entropy / RNG quality — a seed's strength depends on the randomness at generation; many historical thefts came from weak randomness, not broken math.
- Build integrity — you must trust that the app you installed is the genuine, untampered Ownbit build; a single poisoned update could plant the backdoor above.
How these risks are bounded
- Deterministic signing (RFC 6979) — makes the signature's nonce a function of the key and the message rather than fresh randomness, shrinking the room for a nonce-based covert channel. On EVM chains you can smoke-test it: signing the same transaction twice returns an identical signature. On other chains the raw transaction changes between attempts — BTC may select different UTXOs, TRON stamps a new expiration time, Solana embeds a fresh recent blockhash — so there the check is that the signature is reproducible for an identical message, not that the whole transaction matches.
- Public on-chain contracts — the logic that actually governs your funds is open and independently verifiable at github.com/bitbill/ownbit-multisig-contracts.
- External seed import — puts the source of entropy back in your own hands.
We make a deliberate call: the on-chain contracts that govern your funds are public and verifiable, while the client application stays closed — obscurity raises the cost of attacking it, and your funds never depend on its secrecy. What we won't do is pretend the residual signer risk is zero. It isn't — we've named it, and you can weigh it against everything you can verify yourself.
Frequently asked questions
If Ownbit's developers wanted to act maliciously, could they steal my coins?
Not remotely — the air gap prevents it. The one theoretical path is a signer that cheats while producing a signature, slipping key material into a normal-looking signature. That path exists in every signing product. Ownbit bounds it with deterministic signing you can verify, external seed import you control, and an air gap that leaves only the signature channel.
What is the biggest residual risk?
The signer implementation and build integrity — trusting that the app you installed is genuine and signs honestly. Deterministic signing and installing only official builds bound this; verify-it-yourself shows how to check.
Last updated:
Download Ownbit
Install the app, then set up a cold wallet or MultiSig for the workflow you need.