For those who haven’t seen it, the recently released Arbor wallet from DFI (intentionally not linking to it) is known to have serious security flaws, namely:
- For signing transactions, the wallet sends your private key to their servers.
- For recovering an account, the wallet sends your seed phrase to their servers.
Sources:
While the communication with their servers is HTTPS-encrypted, you’d still need to trust the developers that their backend is not storing/logging/leaking the private keys, and that their servers are absolutely secure and won’t get hacked. Note that with this issue being known, they have now painted a giant target on their back for blackhats, so we’ll see.
The developers seem to acknowledge this problem and promise it will get fixed in the future (e.g. transactions will be signed locally on the client) but in its current state I would strongly advise not to use their wallet.