Wallets Are Not Secure Enough

GM,
Let me share a small community story. Recently, a user left a comment on Threads, saying that Blocktrend had introduced the Safe multisig wallet, and soon after, Bybit got hacked because it was using Safe. Should Blocktrend apologize? Well, of course. If I hadn’t written that article, Safe’s frontend wouldn’t have been compromised by North Korean hackers, and Bybit wouldn’t have lost $1.5 billion. No wonder every time I watch Team Taiwan compete, they always seem to lose. I must sincerely apologize 😂
Now, onto the main topic. The title of this article reflects my recent conclusion—wallets simply aren’t secure enough.
Even experts don’t trust them
There was a fascinating discussion recently about Web3 security. One of the guests was Taylor Monahan, co-founder of MyEtherWallet, the first-ever wallet on Ethereum. She is now a security expert at MetaMask.
Taylor made a shocking statement—if a non-technical friend asks her how to manage crypto, in most cases, she would recommend using Coinbase, unless that friend is willing to hand over their wallet’s private key for her to keep. This statement sounds so absurd that it feels like a joke. But I believe Taylor is serious because that’s exactly how I manage crypto for my parents. Being on the front lines and witnessing countless incidents firsthand, Taylor has a deep understanding of just how flawed wallet design still is.
As an FTX victim, I used to firmly believe in the principle of self-custody for crypto. But the Bybit hack led me to the opposite conclusion—are wallets really safer than exchanges? Bybit was using a top-tier multisig cold wallet, yet hackers still managed to breach it. Fortunately, the exchange covered the full loss, so no users were affected. If a personal wallet were hacked, the loss would be entirely on the individual. From this perspective, keeping assets on an exchange doesn’t seem like such a bad idea after all.
So, which is more likely—an exchange going under or an individual losing access to their wallet? There’s no perfect solution yet, which is why Taylor suggests “confiscating” her friends’ private keys, and why I encourage people to start small and “lose their wallets as early as possible.”
That said, losing a wallet may soon become much harder. Recently, the niche smart wallet Clave announced its integration with ZK Email, claiming that as long as your email remains accessible, your wallet will never be lost.

The "Forgot Password" for Wallets
Over the past few years, I’ve helped thousands of people create crypto wallets through various blockchain seminars. Every time, I would issue the same warning: "Creating a wallet is not like signing up for an email account. If you lose your private key, there’s no 'Forgot Password' option to recover it."
Well, it looks like I need to update my teaching materials! This week, Clave introduced a ZK Email wallet recovery mechanism. It works just like a “Forgot Password” feature—if you lose your phone and don’t have a backup of your private key, you can send an email from a pre-linked address, and your wallet will be restored after 48 hours. Pretty incredible! I encourage everyone to give it a try.
Clave’s wallet creation process is now simpler and more secure than ever. By default, it uses passkeys to manage wallets instead of plaintext private keys. This reduces the risk of private key leaks and phishing attacks, because a passkey is bound to the exact website origin it was created for and only works there. Whether a phishing site uses GoogIe.com or Goog1e.com, it won’t be able to trick you into using the passkey created on Google.com.
The most groundbreaking feature is Clave’s email-based recovery mechanism—you can restore your wallet simply by sending an email. There’s no customer support team handling these emails; instead, the system uses cutting-edge zero-knowledge proof (ZK) technology to map a user’s email address to a blockchain address, so that every email sent or received from that address is in effect a signed on-chain transaction. Clave assigns special permissions to this address, allowing it to trigger emergency wallet recovery when needed.

This is yet another real-world application of zero-knowledge proofs (ZKPs), particularly well-suited for bridging heterogeneous systems. Blocktrend previously introduced ZKP2P, which uses zero-knowledge proofs to bridge on-chain and off-chain financial flows, enabling seamless fiat on- and off-ramps. Clave, on the other hand, applies the same concept to bridge emails and on-chain addresses, allowing users to perform blockchain transactions simply by sending emails. This makes losing a wallet increasingly difficult—after all, to lose access completely, you’d have to misplace your password manager and lose control of your email account at the same time, which likely means you’re dealing with a full-blown disaster.
However, this new mechanism comes with an obvious risk: what if your email gets hacked? Whoever controls the email account can file a recovery request that replaces the wallet’s owner, and if the rightful owner fails to revoke that request within the 48-hour window, the attacker takes full control of the wallet. Last year, I bought a YubiKey to add a physical security layer to my email account, making it much harder for hackers to break in. But for those who don’t simultaneously strengthen their email security, email-based wallet recovery could introduce a whole new attack vector.
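To make the 48-hour recovery window concrete, here is an added Python model (not Clave’s or ZK Email’s code) of the recovery flow the two preceding paragraphs describe: the email-derived guardian address can only open a request, the current owner can cancel it during the delay, and the new owner takes over only after the delay elapses. The guardian address, signer names and timestamps are constructed assumptions, and the zero-knowledge verification of the email itself is out of scope, modelled here as a plain caller check.

```python
from dataclasses import dataclass
from typing import Optional

# The 48-hour delay the article quotes before an email-initiated recovery takes effect.
RECOVERY_DELAY_SECONDS = 48 * 3600


@dataclass
class RecoveryRequest:
    new_owner: str     # signer that will own the account once the delay passes
    requested_at: int  # unix time when the email guardian filed the request


@dataclass
class SmartAccount:
    owner: str           # current signer (the passkey, in Clave's case)
    email_guardian: str  # hypothetical address derived from the linked email
    pending: Optional[RecoveryRequest] = None

    def request_recovery(self, caller: str, new_owner: str, now: int) -> None:
        # Only the email-derived guardian may open a recovery (stand-in for the ZK proof).
        if caller != self.email_guardian:
            raise PermissionError("only the email guardian can request recovery")
        self.pending = RecoveryRequest(new_owner, now)

    def cancel_recovery(self, caller: str) -> None:
        # The current owner can veto a request at any point inside the delay window.
        if caller != self.owner:
            raise PermissionError("only the current owner can cancel recovery")
        self.pending = None

    def finalize_recovery(self, now: int) -> str:
        if self.pending is None:
            raise ValueError("no pending recovery")
        if now < self.pending.requested_at + RECOVERY_DELAY_SECONDS:
            raise ValueError("recovery delay has not elapsed")
        self.owner, self.pending = self.pending.new_owner, None
        return self.owner


def legitimate_recovery() -> str:
    """Phone lost: the guardian requests recovery and the user waits out the delay."""
    acct = SmartAccount(owner="passkey-old", email_guardian="email-guardian")
    acct.request_recovery("email-guardian", "passkey-new", now=0)
    return acct.finalize_recovery(now=RECOVERY_DELAY_SECONDS)


def hijacked_email_vetoed() -> str:
    """Email compromised: the attacker files a request, the owner cancels in time."""
    acct = SmartAccount(owner="passkey-old", email_guardian="email-guardian")
    acct.request_recovery("email-guardian", "attacker", now=0)
    acct.cancel_recovery("passkey-old")  # owner notices inside the 48-hour window
    return acct.owner
```

The second scenario is the risk described above: the delay only helps if the owner is alerted and reacts before it runs out.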
After all this discussion, maybe handing private keys over to Taylor really is the safest option (?)—though I’m not that pessimistic.
What Does Security Look Like?
The very existence of cryptocurrency is counterintuitive—it is a digital asset that can be self-custodied. People are familiar with digital assets, but historically, they have always been held by third parties (financial institutions), where mistakes can often be corrected. By returning ownership to individuals, crypto has caused more chaos than benefits, which is why most people don’t have a great impression of it.
However, wallet development hasn’t completely stalled. Since I first guided people through wallet creation in 2018, the process has become significantly faster. Back then, users had to manually write down a seed phrase, which was already annoying enough just to find a pen and paper. After backing it up, they had to pass a quiz before completing the setup. Later, wallets allowed encrypted backups to cloud storage, speeding up the process, though some users still got stuck when they forgot their passwords. Now, with passkey integration, wallet creation is as simple as a single biometric scan—no more paper, no passwords, and both speed and security have improved dramatically.
Yet, while wallet creation has become easier, recovery mechanisms remain largely nonexistent. We can’t expect users to take full responsibility every time something goes wrong (Do Your Own Research, DYOR), nor is that a viable path for the industry.
Clave’s email-based recovery, powered by zero-knowledge proofs, is a new way to address wallet loss risks. Although it’s still in beta, only supports Gmail replies, and can currently store assets only on zkSync Era, it presents an exciting new possibility—self-custodied wallets can still have decentralized risk management solutions.
Exchanges are generally (though not always) safer, as they can reference traditional finance’s history and lessons—at least there’s precedent to follow. But decentralized risk management is an entirely new field that has only been explored after crypto’s emergence. I look forward to the day when storing assets in a wallet feels as safe as keeping money in a bank, where users don’t have to rely on luck to survive. Looking back at this article in the future, we might think that using self-custodied wallets in 2025 was a bold move.
Blocktrend is an independent media platform sustained by reader subscription fees. If you find Blocktrend's articles valuable, we welcome you to share this piece. You can also join discussions on our member-created Discord or collect the Writing NFT to include this article in your Web3 records.
Furthermore, please consider recommending Blocktrend to your friends and family. If you successfully refer a friend who subscribes, you'll receive a complimentary one-month extension of your membership. You can find past issues in the article list. As readers often inquire about referral codes, I have compiled them on a dedicated page for your convenience. Feel free to make use of them.