Skip to main content

The Wallet Paradox A Roadblock in DAPP Development

ยท 5 min read
NEST Protocol

Since the emergence of BTC, more and more people are using "wallets". Blockchain wallet is essentially a private key management tool. After the developer has developed the wallet, it is shared on the internet and does not need to be updated. Users download it and have nothing to do with the developer. The private key and any wallet information are not available to the developer. But since the advent of ETH, the chain allows for complex logic, so DAPPs have come into view. This is a little more complex interaction than transferring money, the wallet is no longer developed and never updated, but gradually becomes a DAPP platform. As a result, the interaction between users and openers has suddenly increased.

However, there is a legal issue to explore here. This problem is a bit of a paradox, and of course we give a scenario later to deal with this ethical dilemma.


Let's describe the simplest case first: if a wallet, completely abandons interaction and is completely open source, then logically the developer can declare that it is not responsible for any risk to that wallet. In fact, the developer cannot be held responsible either. As an example: a bug in the wallet that transfers assets meant for address A to address B could be a disaster for many people. But there is also a situation where anyone can use the bug to create a false "loss" (i.e. address B is also their own address) and submit evidence of the bug to claim against the developer. This poses the problem of how to determine the authenticity of the "loss".

In a traditional centralized structure, this loss can be retrieved from the backend server. In blockchain, the mechanism of complete anonymity and the uncontrolled "server" (blockchain) cannot determine the authenticity of the loss at all! This gets into a dilemma of who should prove the case. Worse still, if left unchecked, a developer may intentionally develop a free "phishing" wallet, allowing users' funds to be transferred to an unknown address in some obscure way, and how can this be proven and accounted for?

The case above is the simplest. Back to reality, the problem is even more serious when there is frequent interaction between the wallet and the user, and when there is a server.


First of all, the existence of a server is to provide information services, which must exist a subject, otherwise how to pay for the cost of the server? When this subject exists, then is the association relationship determined as a legal relationship? Or what kind of legal relationship is determined? Second, similar to the simple example above, and more directly, someone reverse engineers the wallet and makes the "same" wallet, and then proves that it caused "damage" (e.g., by making a video of the use of the wallet that caused the damage, etc.). Can he claim compensation from the developer or the entity that provided the server? This is the first step. The question in this first step is whether this evidence is credible and who will prove it? Is it too much to ask for a non-technical person to prove that it is indeed a bug in the wallet (and not a reverse-engineered "wallet" bug) and that the loss is real (and not a right-handed one)? The second step is, if the problem is really with the wallet, is such a process fair to the user? Or will it lead to unscrupulousness of various "phishing" programs? If the whole process requires the developer and the server provider to prove their innocence, does this not already assume that the developer is responsible for this? Then the scale of loss is not defined by the developer, but is self-directed by the user, so who can afford such exposure?

The above is a paradox, the user needs security, and the developer cannot afford the "loss" caused by insecurity, there is a missing link.

In the traditional Internet world, this risk is borne by the company or the project owner because they can control the whole process of the product or service. But in blockchain, these so-called developers cannot fully control the whole process of providing interactions, the most important part is done on the chain, they actually only provide a "front-end tool".

How to end the wallet paradox?โ€‹

The future direction to solve this problem is expected to be two.

The first is to entrust all users to developers or project owners, such as centralized exchanges. I give you the coins and give up the private key management, then the responsibility is entirely on you, this direction is the logic of the closed loop.

The second is for developers to open source and define all their program code clearly (proving that the code and program are consistent), upload it to a third-party neutral platform, and leave it to the market to evaluate. Those who want to use it, use it, then accept the disclaimer, the developer has nothing to do with it. This second one also closes the logical loop, but the holes in the code are left to the users in the market to digest. The more difficult question is, how should a DAPP that provides information services, i.e., a product with a server, arrange liability for the information service part? This requires legal follow-up, because this piece is not as serious as the first problem, and not as completely unrelated as the second problem, which is the most complicated situation in the whole wallet problem. This is the most complicated situation in the whole wallet issue. It is a long infrastructure construction process that requires the determination of the responsibility boundary of the application on the public chain, which involves many legal packages.