Many people are curious to know if Ledger wallets are open source. And if they’re not, why aren’t they? Isn’t open source a good thing?
After reading through countless discussions about this very topic posted by Ledger’s co-founder, I discovered the truth.
Ledger’s firmware is not open source, but the apps and Ledger Live are. This means you can check each device application and the communication exchanged between the client and the apps. Also, since that code is open source, third-party developers can submit coin apps to Ledger for review.
Below you’ll learn how open source Ledger wallets are, why the firmware remains closed source, and which hardware wallet alternatives are completely open source.
Are Ledger Wallets Open Source?
After reading through Reddit threads in addition to an article posted by Ledger’s co-founder, Nicolas Bacca, I was able to gather significant data to put together this in-depth resource.
According to Bacca, the only parts of Ledger wallets that are open source are the apps and Ledger Live (the client).
The client is responsible for requesting activity from the device’s operating system (in Ledger’s case, the OS is called BOLOS).
Since the code remains open source, both internal and external developers are invited to contribute to Ledger’s application inventory.
Of course, all apps submitted must be reviewed and approved by Ledger before going live.
And just in case a malicious app slips by the team, the BOLOS operating system is there to save the day.
BOLOS is Ledger’s own proprietary operating system that was designed with security in mind. It allows for applications to be installed onto the device while keeping them isolated from each other, and from your 24-word recovery phrase.
That means if malicious code affected an app installed on your wallet, it wouldn’t affect anything else.
However, the firmware (the main software used to run programs on the device) remains completely closed source.
Nonetheless, there are reasons why Ledger’s firmware remains closed source.
Why Is Ledger Not Open Source?
Ledger is closed source so that the brand can guarantee that parts in the supply chain remain secure and resilient against physical attacks. The hardware is designed specifically to avoid such risks, and only code approved by Ledger can be loaded onto the device.
Ledger’s co-founder stated that the only benefit of a fully open source wallet would be to grant users the ability to build it themselves.
Hence, there is little reason for the company to put their products or users at risk by creating a completely open source solution.
Of course, there’s a bit more as to why Ledger wallets aren’t open source. After reading through a Reddit thread where Nicolas provided input, I uncovered a much deeper conversation.
One Reddit user said, “If it was open source, then the codebase could be compiled by the user and uploaded to the device as a new firmware upgrade,” meaning that a user could re-create their own version of the firmware and even check for bugs.
Bacca replied, “Having a fully open source code wouldn’t help with that since you don’t really have a way to check what’s running inside the device.” He went on to say, “This won’t help you verifying what’s running on the device after uploading it, since this relies on another piece of code that you haven’t checked, according to all the instructions I’ve seen so far.”
After the user asked which piece of the software remains unchecked, Bacca replied, “The bootloader loading the firmware is unchecked. Unfortunately too many people buy into the open source mantra without understanding what they’re doing.”
Basically, even if the firmware were open source, it would practically be pointless because there are no instructions to check the bootloader (the program responsible for booting the device), and the average person is unlikely to figure it out.
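Bacca’s argument can be modelled in a few lines. This is an added example, not code from Ledger or from the discussion quoted above: the class names, the sample image and the hash comparison are assumptions made for illustration. It shows that a hash check passes in both cases because the answer is produced by the bootloader, which the user never verified.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class HonestBootloader:
    """Stores the uploaded image unchanged and measures what is really in flash."""

    def __init__(self) -> None:
        self.flash = b""

    def install(self, image: bytes) -> None:
        self.flash = image

    def report_hash(self) -> str:
        return sha256(self.flash)


class UncheckedBootloader(HonestBootloader):
    """Hypothetical altered bootloader: changes the image but repeats the hash it was given."""

    def install(self, image: bytes) -> None:
        self._claimed = sha256(image)
        self.flash = image + b"<unreviewed extra code>"  # what runs differs from the build

    def report_hash(self) -> str:
        return self._claimed  # the answer comes from code nobody checked


def user_verifies(bootloader, source_build: bytes) -> dict:
    """The only check available to the user: compare the reported hash with their own build."""
    expected = sha256(source_build)
    bootloader.install(source_build)
    return {
        "check_passed": bootloader.report_hash() == expected,
        # Ground truth of the model; a real user cannot read flash independently.
        "flash_matches_build": sha256(bootloader.flash) == expected,
    }


# Constructed sample standing in for firmware compiled from public source.
SOURCE_BUILD = b"constructed firmware image built from public source"

if __name__ == "__main__":
    for loader in (HonestBootloader(), UncheckedBootloader()):
        print(type(loader).__name__, user_verifies(loader, SOURCE_BUILD))
```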
The Reddit user went on to say that other hardware wallets, such as Trezor, are completely open source, and if Ledger doesn’t have anything to hide then why aren’t they?
And from what I gathered, Bacca believes that an open source solution, like Trezor, is not suitable to hold private keys and other secrets as it comes with various levels of risk.
However, he does believe that the smartcard chips used in Ledger wallets (and also found in bank cards and passports) are the best way to handle such secrets and deal with supply chain attacks.
Hence, certain parts of the code must remain closed.
Will Ledger Ever Be Open Source?
Ledger’s firmware will likely never be open source. However, their apps and client will remain open source to encourage developers to continue creating different applications to bring diversity to Ledger’s hardware wallets.
That said, it’s not so much a question of if Ledger will be open source, as much as it’s a question of why?
The main concern is that since the firmware remains closed source, users and other third parties can’t verify whether Ledger is safe to use or not.
This also leaves many wondering, can a Ledger wallet be hacked?
As one Reddit user put it, “The developers may have a back door. One day when the crypto market is worth trillions decide to use that door steal everyone’s coins.”
News flash, the crypto industry has already been valued at roughly $3 trillion during the bull run, and Ledger didn’t even bat an eye.
Nevertheless, anything is possible, but I don’t see this happening no matter what the industry is valued at.
It wouldn’t be in the company’s best interest to scam everyone out of their money and ruin their brand name when they already have a completely legal, multi-million dollar business.
To be fair, the same could be said for FTX or any other company for that matter. But I won’t get into that here.
As long as Ledger remains in control of the firmware, we can assume that our wallets and our assets are in good hands.
Which Hardware Wallets Are Open Source?
If you’re still concerned about Ledger being a mainly closed-source hardware wallet, there are other wallet providers you could look into.
Trezor is currently Ledger’s main competitor. Alongside Ledger, Trezor is the most trusted hardware wallet in the industry, considering it’s completely open source and capable of storing numerous coins and NFTs. It’s also compatible with several popular blockchains like Bitcoin, Ethereum (and all ERC-20 tokens), and Cardano, to name a few.
If you’re looking for a good alternative to Ledger, Trezor is your best option.
Coldcard is another popular, open source hardware wallet that’s trusted by the Bitcoin community. By no means is it fancy, but it remains an affordable and secure option to store Bitcoin.
That said, it can’t do anything else. It’s only good for storing BTC and is not compatible with other cryptocurrencies, NFTs, or blockchain networks. It’s literally only good for Bitcoin users.
So, if your main goal is to securely store your BTC, I recommend looking into Coldcard.