Wallet Logo

Nunchuk Bitcoin Wallet

Latest release: 1.9.20 ( 25th January 2023 ) 🔍 Last analysed 6th January 2023 . No source for current release found
4.9 ★★★★★
34 ratings
16th December 2021

Without public source of the reviewed release available, this product cannot be verified!

As part of our Methodology, we ask:

Is the source code publicly available?

If the answer is "no", we mark it as "No source for current release found".

A wallet that claims to not give the provider the means to steal the users’ funds might actually be lying. In the spirit of “Don’t trust - verify!” you don’t want to take the provider at his word, but trust that people hunting for fame and bug bounties could actually find flaws and back-doors in the wallet so the provider doesn’t dare to put these in.

Back-doors and flaws are frequently found in closed source products but some remain hidden for years. And even in open source security software there might be catastrophic flaws undiscovered for years.

An evil wallet provider would certainly prefer not to publish the code, as hiding it makes audits orders of magnitude harder.

For your security, you thus want the code to be available for review.

If the wallet provider doesn’t share up to date code, our analysis stops there as the wallet could steal your funds at any time, and there is no protection except the provider’s word.

“Up to date” strictly means that any instance of the product being updated without the source code being updated counts as closed source. This puts the burden on the provider to always first release the source code before releasing the product’s update. This paragraph is a clarification to our rules following a little poll.

We are not concerned about the license as long as it allows us to perform our analysis. For a security audit, it is not necessary that the provider allows others to use their code for a competing wallet. You should still prefer actual open source licenses as a competing wallet won’t use the code without giving it careful scrutiny.

The product cannot be independently verified. If the provider puts your funds at risk on purpose or by accident, you will probably not know about the issue before people start losing money. If the provider is more criminally inclined he might have collected all the backups of all the wallets, ready to be emptied at the press of a button. The product might have a formidable track record but out of distress or change in management turns out to be evil from some point on, with nobody outside ever knowing before it is too late.

Help spread awareness for build reproducibility

Please help us spread the word discussing transparency with Nunchuk Bitcoin Wallet  via their Twitter!

Do your own research!

Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.

If you find something we should include, you can create an issue or edit this analysis yourself and create a merge request for your changes.

The Analysis 

This product’s version for Android is now source-available and we are waiting for source for the iPhone version.

(Analysis from Android review)

The app’s version for Android was released as open source under the GPLv3 here.

It’s build instructions are:

  1. Follow the build instructions for Nunchuk Android Native SDK.
  2. Publish the SDK to the local maven. Note the SDK version number.
  3. Open dependencies.gradle and update nativeSdkVersion to the SDK version you just published.
  4. Build and run the app on your device.

So, what are the “build instructions for Nunchuk Android Native SDK”? First of all, Xcode is required. That’s a bit of an issue for us, as all contributors who do builds do not have a Mac and Xcode only works on Mac. It’s not immediately clear if it really is required, so lets look further …

git submodule add --force -b main https://gitlab.com/nunchuck/libnunchuk.git

but the user nunchuck doesn’t exist on gitlab.com.

As Nunchuk Android’s code is on GitHub, we can guess the right repo might be nunchuk-io/libnunchuk.

Which is weird is that the repo’s git submodule also still points to GitLab, so the error is not only in the documentation.

Let’s try:

$ git clone https://github.com/nunchuk-io/nunchuk-android-nativesdk.git
$ cd nunchuk-android-nativesdk/
$ cat .gitmodules 
[submodule "src/main/native/libnunchuk"]
	path = src/main/native/libnunchuk
	url = https://gitlab.com/nunchuck/libnunchuk.git
	branch = main
$ git submodule update --init --recursive
Submodule 'src/main/native/libnunchuk' (https://gitlab.com/nunchuck/libnunchuk.git) registered for path 'src/main/native/libnunchuk'
Cloning into '/home/leo/tmp/nunchuk-android-nativesdk/src/main/native/libnunchuk'...
Username for 'https://gitlab.com': 

This repo isn’t a public repo but as it might be private, git asks for a login. As discussed above, we’ll use libnunchuk from GitHub:

$ git submodule set-url src/main/native/libnunchuk https://github.com/nunchuk-io/libnunchuk.git
$ git submodule update --init --recursive
Cloning into '/home/leo/tmp/nunchuk-android-nativesdk/src/main/native/libnunchuk'...
Submodule path 'src/main/native/libnunchuk': checked out 'c168cf715cbe768b5cd5004609f2db6d0ebfe254'
...
error: object e35e28f52d20df27561b2780f6b9c86669a9de21: zeroPaddedFilemode: contains zero-padded file modes
fatal: fsck error in packed object
fatal: index-pack failed
fatal: clone of 'https://github.com/sqlcipher/sqlcipher' into submodule path '/home/leo/tmp/nunchuk-android-nativesdk/src/main/native/libnunchuk/contrib/sqlcipher' failed
Failed to clone 'contrib/sqlcipher'. Retry scheduled

So … we can’t clone that dependency. Seriously?

$ git clone https://github.com/sqlcipher/sqlcipher
Cloning into 'sqlcipher'...
remote: Enumerating objects: 15498, done.
remote: Counting objects: 100% (1910/1910), done.
remote: Compressing objects: 100% (816/816), done.
error: object e35e28f52d20df27561b2780f6b9c86669a9de21: zeroPaddedFilemode: contains zero-padded file modes
fatal: fsck error in packed object
fatal: index-pack failed

So for now we give up at this point and file this product as not verifiable.

Update 2023-01-06: As laid out in this issue, we managed to compile the app but with substantial differences:

Files ./GooglePlay/classes2.dex and ./LocalBuild/classes2.dex differ
Files ./GooglePlay/classes3.dex and ./LocalBuild/classes3.dex differ
Files ./GooglePlay/classes4.dex and ./LocalBuild/classes4.dex differ
Files ./GooglePlay/classes5.dex and ./LocalBuild/classes5.dex differ
Files ./GooglePlay/classes.dex and ./LocalBuild/classes.dex differ
Files ./GooglePlay/lib/arm64-v8a/libnunchuk-android.so and ./LocalBuild/lib/arm64-v8a/libnunchuk-android.so differ

Until these issues are resolved, the app is not verifiable.

(lw, em)