FAQ: Ledger Apps - A Safe Generic App Design

With the widespread misinformation about generic app support and the inherent risks, it’s vital to have an informed discussion about the challenges of forking our Zondax app in developer mode to allow blind signing of Substrate messages.

We would like to start the discussion with a FAQ that aims to clarify these concerns and instigate an objective conversation on the topic.

In the following days, we will move over to discuss a design for our next generation app.

Please, find the FAQ here and feel free to ask as many questions as you want:



I agree blind signing is unsafe. However, do you have a better alternative with a reasonable amount of work?

Also best to move FAQ into this post directly.

Agree with @xlc. From a parachain’s perspective, Substrate pallets are similar to smart contracts on EVM. Is there any viable solution to mitigate blind signing for arbitrary Dapps on the much well established Ethereum world?

While I agree that it would be much better to not bling sign, the alternatives are not feasible for projects due to (1) cost and (2) time to market. Paracahins are hindered severely by the lengthy process and the high cost.

This post from Ledger’s Head of the Developer Ecosystem on Polkassembly seems relevant. Here’s a selection:

The critical takeaways include:

  • Ledger does not endorse or approve the proposed solution.
  • Blind signing (also known as hash display) is not recommended by Ledger as it undermines the core function of a hardware wallet.
  • Ledger is restrictive about permitting different derivation paths within an application due to potential isolation breach - such alterations are generally prohibited.
  • While the application may qualify for developer mode (subject to confirmation), its consideration for public release is unlikely.

I have stated this elsewhere before but I think the unfortunate reality until protocol changes have been implemented that allow for a metadata hash to be signed along with the tx payload. In theory this will solve all of the metadata update issues as there is no need to store any metadata in the wallet.

However in the meantime I want to point out that the proposed solution by Zondax is simply not feasible and not a good idea:

  1. It took the Centrifuge app update (and other parachains) more than 6mo to get relaeased in experimental mode. A wallet that doesn’t work for 6mo is simply unusable.
  2. The cost is prohibitive. 20k for upgrades and 20k for an audit across 80 parachains (Kusama and Polkadot) means that the ecosystem will pay $3.2M annually for simply maintaining apps.
  3. Blind signing is discouraged but the defacto standard that every Ledger user on Ethereum is very comfortable using. I know this is a risk but if users make these choices so let them do it. Why make it practically impossible to have a ledger app just because we don’t want to let people make a compromise many already make on Ethereum.

For Centrifuge the solution to this issue is simple. We’ve decided to integrate Frontier and allow EVM transactions to be used to interact with our parachain. In theory this is even worse (adding a lot of code to our runtime that could be buggy and the overhead of adding the EVM). But in the short term this is much better than what the Zondax approach can offer us and comes with the benefit that other EVM wallets obviously can also be used.

Added: While I don’t think Zondax’ proposed solution is feasible for most parachains, I do think it’s worthwhile for the relay chain to take this route. As such I recommend DOT holders vote yes on both the Equilibrium proposal which tries to allow broader support with blind signing and Zondax’s treasury proposal:


Please welcome to the debate, we’ve put up a long read in response and wish to hear your thoughts: https://forum.polkadot.network/t/the-ledger-app-debate-united-we-stand-divided-we-fall