Protecting everyone through public auditability


Update: In February 2021 we announced a new open-source model for Muun. You can read about it here: https://blog.muun.com/muuns-new-open-source-model/.


Bitcoin wallets store the keys required to move money from one person to another, which is very sensitive data. Bitcoin holders don’t need to trust anyone with the custody of these keys and can choose how to manage their money. For each option, there’s always a trade-off. We want to share some of the decisions we made at Muun, and the different trade-offs we considered in our open source model.

Anybody with sufficient technical skills can verify how Bitcoin works because its protocol is open source. The non-custody of funds and open source are related. Because we are used to custodian solutions, it is reasonable to assume that unless someone shows you the contrary, a given wallet has custody of your keys and thus your money.

Both technical and non-technical people are asking for non-custodial wallets to be open source. Since there’s a huge difference between what a technical and a non-technical person can do with a public repository, it is interesting to analyze what unserved need underlies this request.

One reason to ask for the code to be public could be to compile your own app. Compiling your own version of an app is the only true way to know what code is running your wallet. However, when it comes to a mobile app, few people have the technical knowledge to do it; even with a huge number of technical people within the Bitcoin community, we rarely see it happen.

Another reason to ask for an open source wallet is to make the app publicly auditable. Auditability is different from compilability in the sense that while the rest of the users don’t get any value from someone compiling their own application, the whole set of users can possibly benefit from someone auditing the app. Unlike compilability, auditability has network effects.

Finally, there’s also the matter of trust and values. Open sourcing a project can be seen as a proof of trust that developers give to the community. Though they could still do malicious things, it seems less probable. The community considers the project to be more trustworthy, and in the case of Bitcoin, more aligned to its values.

There’s another fact that strengthens this last aspect. Because only a few people have a deep understanding of Bitcoin’s protocol, those with less understanding have to decide which experts they trust. It thus makes sense for non-technical people to ask for a wallet to be open source if the developers they trust are asking for it.

An app cannot be compilable only by people with good intentions. Once your code is fully compilable into an app, scammers can easily publish a malicious copy. We have seen legitimate wallets get maliciously copied several times in the last year, with tons of people getting scammed. New wallets, with few downloads and reviews, are more severely exposed. So, while having a fully compilable app may benefit only a few, it can potentially harm lots of people.

This works very differently with auditability, since what is most valuable for scammers is not what users consider most important to be auditable. For example, while scammers would benefit from a copied UI, users are interested in getting more sensitive parts of the app audited. This asymmetry opens a whole new spectrum of possibilities when it comes to open source.

We considered all this when deciding whether to make Muun open source or not, and each decision was taken to maximize the security of users.

From the very beginning we wanted to build a non-custodial product, and we concluded that the auditability of key management is non-negotiable, since we want transparency in how this is achieved in the code. However, making the code fully compilable into an app would be reckless when wallets are getting maliciously copied.

We decided to upload Muun’s code to a public repository, without the UI.

So, is Muun open source? Technically not, but it really depends on what you expect an open source project to do. If you want to compile the code into your own app, then we are not. If you want the sensitive parts of your application to be open and auditable, then yes, Muun is for you. We do not intend to mislead or confuse people by calling ourselves an open source wallet, if they expect something different. Instead, we call Muun a publicly auditable wallet.

