"...well it is a closed source wallet with some source code on GitHub which they don't even update unlike their wallet so for all you know they might do a lot of shady things without you knowing it. So it doesn't really matter whether it is only their desktop wallet or Android wallet. You shouldn't be using it in the first place." -- Bitcointalk, 2019.
"To make matters worse, many wallets (including Coinomi or Trezor) have integrated access to exchanges. So not all apps where you can change cryptocurrencies are automatically exchanged. In Coinomi or Trezor, you can exchange Litecoin for Bitcoin, for example, through [the cryptocurrency exchange] integration. However, the difference is that the currency sold on the exchange will go to the moment of the transaction and the selection of the purchased cryptocurrency will come to your wallet immediately. The exchange, therefore, has access to your money only for the duration of the transaction. This still doesn’t necessarily mean that the transfer will take place immediately (even such an exchange will wait for the transaction to be confirmed and may sometimes ask for additional documents)." -- Cryptocurrency wallet vs exchange – what’s the difference?, 2020
It made me think about the system design there and what you were suggesting. I did not include this in the video for I was thinking the system design would work in the following way:
- Wallet interacts with third party app, such as Changelly (for exchange reasons).
- Third party app returns with a response on the overall fees and exchange rates in accordance with your set amount.
- Once confirmed, the third party app requests permission from the wallet, i.e. your private key to send the amount to the exchange. This can only occur with your approval and signature (via password or pin).
- Once the transaction is done, the amount that you have requested is sent back to your designated address.

Am I wrong in assuming this is the case? Because if that is the case, I do not see any security issue there and I do not see it as you not being in a non-custodian situation, as the transaction would not be any different to scanning a QR code and sending funds with your permission. Is this something you can confirm for me? -- Amin Rafiee, Bittopia University, 2020
It works exactly like this, but there are security issues with this design. The main one being that the exchange has the custody of the funds for the duration of the transaction and can literally lock you out - for example by requiring proof of identity and source of funds. That happened to some people that either exchanged Monero or coinjoined btc, or simply did too high of a volume. You never know in advance if the exchange flags your transfer. Compare this with more decentralized designs, where the exchange either happens in one transaction or does not happen at all. For example incognito.org has something that approaches this (and one of the values of the creators is no KYC ever). The main reason for writing this in the article is that people can differentiate between a wallet and an app with access to your account on the exchange. For example a Coinbase or Kraken app is not a wallet. It used to be easy to differentiate at least very superficially - does the app offer exchange services? No? => it's a wallet. Now it's not that clear, because wallets offer exchange services. There's nothing wrong with that, but you should know the risks if you choose to use them. Of course that does not make the use-case as a wallet less secure, Trezor is a great wallet, if you don't touch the exchange tab. -- Juraj Bednár, 2020
Trezor has since evolved and they are integrating Invity.io (which is part of SatoshiLabs). When they show you the partners to do exchange, they clearly state how they process the exchange: https://invity.io/exchange-crypto
Basically all exchanges require KYC on suspicious transactions, but some of them will refund you without KYC. Invity (integrated in Trezor wallet) tells you this exactly before you make a choice of an exchange. Which is nice and honest. Here I would pick ChangeNow, because they do refunds without KYC. So I would say that it is good that some wallets share this information with you in advance. Trezor is a positive example now. And I would say that integrating a crypto2crypto exchange is a feature, not a bug. If you know what you're getting into. Another good thing would be to have a setting not to show you those services that require KYC for refunds. Like a checkbox.
We believe in trust through transparency. Our core wallet technology is, and will always be, open-source and free. We invite anyone to use our code according to the terms of the MIT open-source license. -- BRD.com, 2020