More than just a "wallet" - Part 1

Wallets are the single most important tool when operating on-chain, yet they’re usually not well understood, which leads participants to compromise on security and put their assets (cryptocurrency, NFTs, deployed IP, etc.) at great risk. My goal for Part 1 of this note is to clarify what a “wallet” really is. Part 2 will communicate why it is important to focus on “wallet” security. For simplicity, all the concepts described here refer to Ethereum and EVM chains.

Personally, I think using the term “wallet” to describe what is technically a variety of tools has been one of the biggest misses in the space. Great confusion arises from a lack of understanding of the underlying technology, plus not enough easy-to-digest education for new entrants.

Let’s start with the basics. MetaMask, the largest player in the retail space, has become synonymous with the concept of a wallet. Most folks think of browser extensions, like MetaMask, and/or USB sticks, like the Ledger and Trezor products, when they hear the term “wallet”. However, it is important to break down what really composes these tools. For that, let’s start by looking at how Ethereum works.

According to the Ethereum White Paper, there are two types of accounts on this blockchain:

1. Externally owned accounts (EOAs), which are controlled by private keys.

2. Contract accounts (smart contracts), controlled by their code.

Let’s focus on the first, EOAs, which are the “wallets” that we all use on a daily basis. EOAs can hold, send, and receive assets on-chain. These accounts are composed of two elements: 1) a public key and 2) a private key.

Public keys are the alphanumeric addresses which start with “0x” and represent your Ethereum account. Think of public keys as the number of your safety deposit box on the blockchain, where all your Ether and NFTs are kept. Private keys, on the other hand, are the secret numbers that allow you to prove ownership and access the assets within an account. Private keys are used when signing transactions to access your assets on-chain, so they’re really similar to the actual keys to a real-life safety deposit box. Whoever has access to an account’s private keys also has full access to any assets within that account!

In summary, your on-chain account is represented by its public key (address). The assets within your account never leave the blockchain. Your private key, by contrast, is only used on-chain when you need to sign a transaction, and it is what a browser extension or hardware device safeguards and manages.
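As an added example (not code from the original note), this pure-Python block walks the chain described above: a private key yields a secp256k1 public key, and the “0x” address is the last 20 bytes of the Keccak-256 hash of that public key. The function names are this example's own, and the arithmetic is not constant-time, so it is for study only and not for handling real keys.

```python
P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator

def ec_add(p, q):  # affine add/double; 0 < priv < N below keeps infinity unreachable
    num, den = (3 * p[0] ** 2, 2 * p[1]) if p == q else (q[1] - p[1], q[0] - p[0])
    lam = num * pow(den % P, -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return x, (lam * (p[0] - x) - p[1]) % P

def public_key(priv):  # MSB-first double-and-add: priv * G
    if not 0 < priv < N:
        raise ValueError("private key must be in [1, N-1]")
    acc = G
    for bit in bin(priv)[3:]:  # the leading 1 bit is already in acc
        acc = ec_add(acc, acc)
        acc = ec_add(acc, G) if bit == "1" else acc
    return acc

def rol(v, n):  # 64-bit rotate left
    return ((v << n % 64) | (v >> (64 - n % 64))) & (2**64 - 1)

def keccak_f(s):  # Keccak-f[1600]; s holds 25 lanes at index x + 5*y
    R = 1
    for _ in range(24):
        C = [s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20] for x in range(5)]
        s = [s[i] ^ C[(i + 4) % 5] ^ rol(C[(i + 1) % 5], 1) for i in range(25)]  # theta
        x, y, cur = 1, 0, s[1]
        for t in range(24):  # rho and pi
            x, y = y, (2 * x + 3 * y) % 5
            cur, s[x + 5 * y] = s[x + 5 * y], rol(cur, (t + 1) * (t + 2) // 2)
        s = [s[i] ^ (~s[i - i % 5 + (i + 1) % 5] & s[i - i % 5 + (i + 2) % 5]) for i in range(25)]  # chi
        for j in range(7):  # iota: round constant bits from an LFSR
            R = ((R << 1) ^ ((R >> 7) * 0x71)) % 256
            s[0] ^= (R >> 1 & 1) << ((1 << j) - 1)
    return s

def keccak256(data):  # Ethereum's Keccak-256 (pad byte 0x01, not SHA3-256's 0x06)
    pad = 136 - len(data) % 136
    buf = data + (b"\x81" if pad == 1 else b"\x01" + bytes(pad - 2) + b"\x80")
    s = [0] * 25
    for blk in (buf[o:o + 136] for o in range(0, len(buf), 136)):  # lanes 17..24 read as 0
        s = keccak_f([s[i] ^ int.from_bytes(blk[8 * i:8 * i + 8], "little") for i in range(25)])
    return b"".join(lane.to_bytes(8, "little") for lane in s[:4])

def address(priv):  # last 20 bytes of Keccak-256 over the 64-byte x||y public key
    x, y = public_key(priv)
    return "0x" + keccak256(x.to_bytes(32, "big") + y.to_bytes(32, "big"))[-20:].hex()
```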

So, which one is the actual wallet?!?

Now you can hopefully see where a lot of the confusion regarding wallets stems from. Currently, folks think of key-management solutions like browser extensions and USB drives as “wallets”, given that these also provide an interface for seeing balances and instructing transactions. However, these are more like keychains, and the actual wallets are the on-chain accounts where assets reside. While the nomenclature is confusing, at the end of the day it is important to highlight that protecting one’s private keys should be the main priority when interacting on-chain, given that they control ownership of a wallet and its assets.

Hopefully this note helps folks better understand the concepts of wallets, public keys, and private keys. Part 2 will focus on what “wallets” are used for beyond receiving, sending, and holding assets, and how to best protect your wallets when interacting on-chain.
