Lattice1 Security Features

Lattice 1 Secure Architecture

When we designed the Lattice1, the highest priority and our biggest focus was - of course - the security of your funds. The Lattice1 has a smaller attack surface than legacy hardware wallets because it's got two totally separate hardware environments inside the box.

The General Compute Environment (GCE) has internet connectivity and runs Linux. Our security model operates under the assumption that it's always compromised (even though that is unlikely.) Then there's the HSM (Secure Compute Environment - SCE) which is cut off completely from the outside world. They pass through signing requests and signatures through a size-limited FRAM "mailbox" and only one side can connect at a time. Signing requests are put into the mailbox by the GCE and the SCE passes back signatures. There's no remote contact with the HSM, no accessible factory or engineering debug features, and the limited mailbox size prevents overflow attacks.The two environments cannot directly communicate as they are segregated at the component level. This means you have a flexible always-online device, but your private keys are completely inaccessible from the internet.

The components we use for the Lattice1 are sourced from multiple hardware manufacturers in different locations - this means that a supply chain attack would have to span three continents and involve multiple governments.

Tamper mesh

All these secure elements above are enclosed in an anti-tamper mesh which is like a tripwire that will erase your secrets if a physical intrusion attempt is detected.

The anti-tamper mesh is a Laser Directed Structure (LDS) mesh - you could say a 3D maze of tiny electrical traces with a waveform running through it constantly. If it's shorted out or the waveform is altered - the device bricks. This essentialy prevents 100% of physical attack attempts.

Large Touchscreen with EIP-712 Support

The large touchscreen is important for both UX and security, the screen itself is drawn by the SCE so you see precisely what you're actually signing even if your phone, computer, or even the Lattice1 GCE are somehow compromised. This diminishes the likelihood of man in the middle attacks like we see with USB legacy hardware wallets.

If you have a hardware wallet and you don't verify what you're signing on a secure screen, you're not getting a security benefit at all.