Home

Awesome

Brume Wallet ☁️

The private Ethereum wallet with built-in Tor

Usage

You can use Brume Wallet on a website, as a browser extension, and as a mobile application

Website (official)

Website (ipfs)

Chrome-like extension (official store)

Firefox-like extension (official store)

Safari extension on iOS and macOS (official store)

Android application (signed .apk)

Android application (alternative store)

Safari extension on macOS only (signed .app)

Safari extension on iOS only (alternative store)

https://raw.githubusercontent.com/brumewallet/wallet/main/altstore.json

Safari extension on iOS only (signed .ipa)

Website (reproducible cloud-hosting)

Website (reproducible self-hosting)

Chrome-like extension (reproducible self-installation)

Firefox-like extension (reproducible temporary self-installation)

All builds (ipfs)

Reproducible building

Installing and building

git clone https://github.com/brumewallet/wallet && cd wallet
npm install && npm run build && npm run zip

Comparing released files with built files

GitHub Actions automatically rebuilds each release and checks that the committed files are the same as the built ones

https://github.com/brumewallet/wallet/actions/workflows/release.yml

You can check the comparison yourself by running the following

# Create ./tmp
mkdir ./tmp

# Unzip committed zip files into ./tmp
unzip ./dist/chrome.zip -d ./tmp/chrome
unzip ./dist/firefox.zip -d ./tmp/firefox
unzip ./dist/website.zip -d ./tmp/website

# Rebuild
npm ci && npm run build

# Compare unzipped content
diff -r ./tmp/chrome ./dist/chrome
diff -r ./tmp/firefox ./dist/firefox
diff -r ./tmp/website ./dist/website

# Delete ./tmp
rm -rf ./tmp

# Restore build files
git restore ./dist/

# Recompute IPFS hashes
node ./scripts/verify.ipfs.mjs

# Display IPFS hashes
cat ./dist/.ipfs.md
cat ./dist/.website.ipfs.md

# Compare all files
[[ -z $(git status --porcelain) ]] && echo "OK" || echo "NOT OK"

Security design

Encrypted storage

Your storage is hashed and encrypted using strong cryptography algorithms and parameters

Authenticated storage

Some critical entities like private keys and seed phrases are stored in WebAuthn and require authentication (FaceID/TouchID)

Nobody can access your private keys or seed phrases without your password + authentication (FaceID/TouchID)

This mitigates supply-chain attacks and phishing attacks, and prevents phone-left-on-the-table attacks

Supply-chain hardened

We try our best to avoid supply-chain attacks from external packages

Safe Tor and TLS protocols

We use the Tor and the TLS protocols in a way that's mostly safe, even though they are not fully implemented nor audited

Keep in mind that the zero risk doesn't exist, and a highly motivated attacker could deanonymize you by doing the following steps (very unlikely to happen):

  1. Owning the entry node, and logging all IP addresses using Brume Wallet, something he could know by:
  1. Owning the JSON-RPC server, and logging all wallet addresses that used Tor

  2. Correlating IP addresses logs with wallet addresses logs, and if both sides are small enough, linking a particular IP address to a particular wallet address