Table of contents
“When you bring the world’s best entrepreneurs, innovators, scientists, and business experts together to solve a crucial problem in the digital assets space, you create the most secure product for millions of users and thousands of enterprises. That is what NGRAVE is all about.” After almost a year-long interaction with some of the smartest founders in the digital assets and security space, we are proud to back the NGRAVE team and lead the seed round.
WHAT IS NGRAVE?
NGRAVE is a Belgium-based security-focused hardware cryptocurrency wallet developer that is building an end-to-end solution for safely holding and using digital assets. The company was founded in 2018 by Ruben Merre (CEO), Xavier Hendrickx (CTO), and Edouard Vanham (COO).
WHY WE INVESTED
The digital assets market is worth over US$ 2tn, with more than 220mn users (as of July 2021) holding cryptocurrencies in software, hardware, and exchange wallets. Jan ‘21 alone saw an increase of 15.7% in the total number of cryptocurrency holders, with the total number increasing 100%+ in just a span of 6 months since. Given the rising popularity of digital assets, these numbers will continue to grow and so will the demand for secure cryptocurrency wallets. At Woodstock, we believe that this rising demand will be met by NGRAVE’s products, and below are the reasons why we are backing the team:
Market Demand: Millions of users keep their cryptocurrencies in unsecure browser/exchange wallets, unknown of the security threats from the internet. The number of security issues reported has grown with the rise in the number of cryptocurrency holders, as the attackers target the funds held in unsecured wallets. Thus, the need for a better than bank-grade security solution exists, and NGRAVE is offering just that to millions of current and future digital asset owners.
End-to-End Solution: NGRAVE is building a secure hardware wallet (ZERO), which promises better than bank-grade security. Over the course of 3 years, the NGRAVE team has massively innovated, in collaboration with IMEC and COSIC, to develop an EAL7 certified hardware wallet, which ensures security right from device setup. Moreover, NGRAVE provides a novel backup solution (GRAPHENE) in case the hardware wallet is lost, ensuring funds are recoverable by the owner or the nominee and not anyone else. The user experience (UX) offered by ZERO is simple and smooth, which differentiates NGRAVE from market competitors like Ledger and Trezor.
Dedicated Team: The team at NGRAVE is meticulous in its approach and understands the industry well due to its established connections in the blockchain space. The partners, advisors, and researchers at NGRAVE are highly reputed experts in the domain of cybersecurity and distributed ledgers. Furthermore, the detailed documentation by NGRAVE around their product, technology, finances, future projections, business handling, and marketing is a testament to the team’s focus and vision for a decentralized, secure future.
Let’s look at the journey of a new digital asset owner:
DIGITAL ASSETS WALLETS
Like any fiat currency, all digital assets require a storage medium to ensure their safety.
As discussed above, cryptocurrency wallets (or addresses) act as virtual storage mediums. All data associated with the wallet addresses is stored on the blockchain and available to the public (yet privacy is ensured).
Other than storing cryptocurrencies and NFTs virtually, wallets are also responsible for safely generating/importing public and private keys of the user. These keys are used for signing and encrypting transactions, which help verify the identity of the sender to the receiver along with additional messages. An important thing to note here is that a good wallet should have a highly secure key generation mechanism in order to ensure the safety of a user’s funds.
Cryptocurrency wallets can be classified into hot wallets and cold wallets. A hot wallet can be imagined as the pocket wallet that one carries, which is more susceptible to theft but easy to transact with, whereas a cold wallet can be thought of as an account in the bank (say, a vault), where money is more safely stored but is not as readily accessible.
In a more technical definition, a hot wallet refers to any cryptocurrency wallet that is connected to the internet. Generally, hot wallets are easier to set up, access, and have integrations with more tokens. But, hot wallets are also more susceptible to hackers, possible regulation, and other technical vulnerabilities (side-chain attacks or malicious configuration). For example, a hot wallet server or an internet server where the end user’s verification occurs acts as a single point of failure, as the likelihood of message interception and online spoofing is high. One of the major challenges facing a hot wallet is the security breaches of private keys which are stored on the internet and in the wallet’s browser. Importantly, the end user’s behavior largely determines the hot wallet’s safety and security. Some examples of hot wallets are –
A cold wallet refers to any cryptocurrency wallet that is NOT connected to the internet. Generally, cold wallets are more secure due to the offline nature of the hardware devices but support a lesser variety of cryptocurrencies due to slightly more complicated integration processes and less user demand.
Hardware wallets are specially designed devices that provide almost airtight security. Most hardware wallets (generally, cold wallets) are never connected to the internet and some do not even use wireless technologies such as NFC, bluetooth, etc., functioning solely on QR codes (particularly, NGRAVE) or similar technologies. Examples of hardware wallets include Ledger and Trezor.
In cold wallets, private keys are often stored in a protected area of a microcontroller, and cannot be transferred out of the device in plaintext. Moreover, private keys never need to touch any potentially vulnerable software or leave the cold wallet in any form.
MARKET DEMAND FOR WALLETS
In 2021, we saw:
- Ethereum trading at all-time highs of US$ 4,891.70
- Institutions buying Bitcoin
- Coinbase’s listing on NASDAQ
- US$ 100bn+ total value locked in DeFi
- 220mn+ global crypto users (July 2021)
and so much more in NFTs, gaming, blockchain development, etc.
All these signals suggest that retail and institutional interest in blockchain is stronger than ever. It is estimated that there will be 1bn digital asset users in the next 2 years, and this next wave of users will require a secure way to store their digital assets. Inevitably, it will lead to a large growth in the crypto-wallet market numbers.
The global hardware wallet market was valued at US$ 178.20mn in 2019, and it is expected to grow to US$ 661.23mn by 2025, registering a CAGR of 26.72% during 2020-2025. Given the meteoric rise in the number of users in 2021, the estimate of US$ 661.23mn looks conservative by a good margin.
Market Leader Analysis: Ledger
Most of the market share is currently held by giants like Ledger and Trezor. Unfortunately, these companies do not share sales details on a periodic basis. We have compiled some data points for Ledger’s hardware wallets from various sources (approximate values):
|Time||Mar ’17||Jan ’18||Oct ’18||May ’19||Jul ’20||Dec ’20||Dec ’21|
|Cumulative units sold||50,000||1,000,000||1,300,000||1,441,683||1,800,000||2,200,000||4,000,000|
These numbers can be directly correlated to the performance of the digital assets industry. In the ICO mania of 2017-18, users rushed to purchase wallets for their new tokens. This was followed by a “crypto-winter” when sales dropped. However, the sale for the market leader in hardware wallet, Ledger, more than doubled between 2019 and 2020 and tripled between 2020 and 2021. 2022 definitely looks very optimistic, as new users enter the digital assets space.
PROBLEMS USERS ARE FACING
Most hardware wallets do not offer an end-to-end security solution. They suffer from problems such as insecure random number generation, imperfect implementation (bugs, firmware, hardware issues), and compromised production and shipping procedures.
SECURITY ISSUES WITH CRYPTOCURRENCIES
Any digital technology comes with inherent security risks. Email accounts, bank accounts, sensitive information on local machines, etc. are all prone to hacking. Cryptocurrency wallets/smart contracts are no exception to these risks. In 2021 alone, hackers stole between US$ 4bn and US$ 9.8bn in DeFi-related exploits, exchange-related incidents, blockchain attacks, and more. Cumulatively, it is believed that the total exploited value since the birth of Bitcoin falls anywhere between US$ 17bn and US$ 22bn. Here are some of the important hacking events of the past –
- NGRAVE co-founder and CTO, Xavier Hendrickx was a cyber-attack victim, when back in 2017, his previous blockchain company (SwarmCity) got hacked in one of the largest heists in the history of the industry: The Parity Hack (over US$ 162mn worth of ETH frozen). Xavier lost 44,000 ETH, worth around US$ 10mn at the time (~US$ 168mn on January 5, 2022).
- Hugh Karp, the co-founder of Nexus Mutual, was the target of an attack in December 2020, where the hacker had altered the Metamask extension from disk and replaced it with an infected version. Hugh lost 370,000 NXM tokens worth approximately US$ 8mn (~US$ 47mn on January 5, 2022) to the hacker as he was tricked into sending the tokens to the hacker’s account due to the changed configuration settings of MetaMask.
- On April 20, 2021, EasyFi, a decentralized finance project, reported a US$ 75mn hack (2.98mn EASY tokens at ~US$ 25 each at the time of the hack) due to compromised private keys to the network admin MetaMask account. This hack was somewhat similar to what Hugh Karp had faced in December 2020.
- In Uranium FInance, at least US$ 57mn was stolen on April 28, 2021, due to a simple math bug introduced to the UraniumPair contracts which had been forked from the Uniswap v2 code.
- Poly Network, a cross-chain DeFi protocol, lost US$ 610mn in August 2021 to (thankfully) a white-hat hacker who returned majority of the funds post negotiations. This was the biggest “crypto-heist” in the history of cryptocurrencies.
- In December 2021, BitMart, a cryptocurrency exchange, lost US$ 196mn to a stolen private key attack on the exchange’s hot wallets. BitMart has reached out to affected blockchain projects to identify solutions, and will use reserve funds to compensate affected users.
- This short video provides a visual representation of the size of these hacks.
Most of these hacks have been possible due to negligence or human error. A lot of exchanges use passwords for signing in and that’s where one of the problems lies, other than misplaced private keys. Hot wallets, software that are used by individuals and exchanges, generally run into the same trouble since passwords and pin codes are not as safe as a properly handled private key or mnemonic phrase.
NGRAVE: A TRUE SECURITY SOLUTION
NGRAVE offers a hardware cryptocurrency wallet solution that functions completely offline, and therefore, is out of reach of remote attackers. It boasts the highest security certification in the world – Evaluation Assurance Level 7 (EAL7, video) – higher even than banks, secure government systems, and in fact most solutions in the entire global financial services ecosystem. The hardware wallet comes with beautifully designed and (almost) indestructible alloy metal plates, GRAPHENE, which serve as the private key backup, replacing the paper backup that is often used today. The offline wallet connects to the internet through a safe app, LIQUID, that runs on the user’s mobile device.
- Founders of NGRAVE talking about the company’s vision and the products – video
- Sneak peek into the NGRAVE production factory – video
The following section explores these products in a greater depth to provide a more thorough understanding:
- Introduction – ZERO is the flagship hardware wallet that is 100% offline, completely tamper-proof (explained later), and highly secure. Users can safely generate and store their private keys in cold storage and use an intuitive UI for transaction signing. Here is a video providing a sneak-peek into ZERO’s development process.
- No Online Attack Vectors – The NGRAVE ZERO generates private keys offline and never exposes them afterward. The device is completely “air-gapped”, meaning it does not rely on any kind of network connection capability (such as WiFi/Bluetooth/NFC), nor does it require USB (except for charging).
- One-way QR Code Communication – ZERO allows secure signing of transactions in simple steps: initiate transaction on LIQUID (or any other app), scan the QR-code request on ZERO, verify and sign using ZERO, check the signature on the LIQUID app, and finally, send to the blockchain. This video gives a tutorial on signing transactions.
- Introduction – GRAPHENE is a stainless-steel solution that is resistant against temperature, water & corrosion damage, and is shock & buried-proof. GRAPHENE has a dead man switch powered by the private-key backup hardware and Chainlink’s decentralized oracle network.
- Split Backup – It encrypts the key backup into two different plates (upper and lower), which allows keys to be recoverable in case of loss (even death). Each upper plate configuration is unique and personal and can be recovered by NGRAVE in case of loss. However, the lower plate needs to be kept safe since even NGRAVE (or any other party) has no access to it.
- Use – Users first generate their perfect key on ZERO, then they punch their key (using the pen provided) to the lower plate using the upper plate. After the process is done, the plates should ideally be kept in separate locations for maximum security. This video gives information on GRAPHENE and the backup mechanism.
- Introduction – LIQUID is a mobile app (plug and play) that powers the NGRAVE ecosystem by providing users the ability to manage all their cryptocurrencies in a single phone application. Although using LIQUID is not a necessity with NGRAVE’s ZERO, it is highly recommended due to the inbuilt security provided by the mobile application itself.
- Anti-tampering Framework – LIQUID uses secure QR codes to communicate with ZERO and share non-secret information only. The private keys are never shared with the app and remain safe within ZERO’s secure element.
- User Interface – LIQUID provides an intuitive and smooth UI for user convenience. Users can easily consult real-time balances of their secure accounts and send/receive payments with one-way QR codes. This video explains the LIQUID app as well as its usage.
- NGRAVE Perfect Key – It is the 64 character hexadecimal equivalent of the 256-bit master seed (which is also known as the mnemonic phrase). The underlying rationale is that this format allows for a more secure backup and a novel recovery method in case a user loses both the hardware device and the backup. The GRAPHENE plates serve as a backup to store those 64 characters and help in the recovery of an account. This video explains mnemonic keys and passphrases.
- Key Generation – NGRAVE uses one of the strongest key generator chips available for True Random Number Generation (TRNG), which is CC EAL5+ certified. Biometric data is included in the key generation input process, together with light sensor measurements to add further entropy. Finally, a user interaction process is added as the last step to prevent any malicious tampering or attacks.. This also assures the user that only he/she has ever had access to and knowledge of the key and that even the manufacturer (NGRAVE) has no way of knowing what the key is since the difficulty of brute-forcing becomes too high. This video provides an overview of the key generation in NGRAVE ZERO.
- Dead Man’s Switch – A dead man’s switch is a trigger designed to be activated if the human operator becomes incapacitated, such as through death. The functioning of the switch is explained in the below diagram. GRAPHENE plates and third-party KYC providers (ChainLink’s oracle service) enable such a recovery mechanism. OO=Original Owner; LP=Lower Plate; TP=Top Plate; B=Beneficiary(ies).
- Tamper X – NGRAVE ZERO provides 4 cascading features to protect the device. The devices are protected from side-channel attacks, supply-chain attacks, firmware attacks as well as physical tampering. This video explains the physical security that ZERO offers.
- Tamper Resistant – On the outer level, ZERO has a strong metal device-casing that is tightly sealed to a tamper-proof screen. In the inner level, a secure element and microcontroller unit with anti-tampering features exist. To tackle side-channel attacks, ZERO’s metal casing allows for shielding radio frequencies that could otherwise be picked up by an attacker to pin down and reduce the range of potential private keys.
- Tamper Evident – Even in the event someone successfully breaks open the device, this will be noticeable to the end-user. When setting up the device for the first time, there is also a “cryptographic attestation” process where the ZERO has to cryptographically sign a challenge received by NGRAVE’s servers with a secret key to prove it was originally shipped by NGRAVE. If anything goes wrong or is “hacked” in this step, the device will show up as compromised during initialization by the user.
- Tamper Responsive – The device wipes itself clean if physically tampered with in order to ensure no one other than the user can access the keys or cryptocurrencies. The user can recover his/her wallet address from the GRAPHENE backup on another device.
- Tamper Resolution – Any tampering that might have occurred is cancelled out by an important interaction step in the key generation process itself, as mentioned above. There is an offline key generation interaction by the user, which makes the key truly personal.
- Totally Offline – ZERO and GRAPHENE are totally offline products. There are no USBs, connected devices, Bluetooth, WiFi, or 4G, and thus, the device is completely air-gapped for security. ZERO uses unidirectional QR code scanning with the LIQUID app for creating and signing transactions with the user’s key.
- Firmware Updates – Updates are transmitted over the USB charging port of ZERO. The updates are cryptographically signed by NGRAVE’s secret key and are verified by the device. ZERO boots in a separate, empty partition (using ARM®TrustZone®) specifically for the purpose of receiving the new firmware, in order to ensure the safety of existing data.
SECURITY FEATURES SUMMARISED
NGRAVE built its proprietary security solution together with IMEC and COSIC, who are core partners in the NGRAVE ecosystem and have been heavily involved since the very beginning of the project. For their dead man switch, NGRAVE has partnered with Chainlink.
- Computer Security and Industrial Cryptography (COSIC at KU Leuven) is an applied cryptography research group renowned for inventing the security encryption protocols such as AES256 (also known as the “Advanced Encryption Standard” or “Rijndael”), the worldwide standard for data encryption. COSIC has also been involved in SHA2, SHA3, keccak, breakthroughs in Multi-Party Computation (MPC) and Fully Homomorphic Encryption (FHE), and post-quantum cryptography.
- Interuniversity Microelectronics Centre (IMEC) is a world-leading research and development organization, offering vast expertise in chip manufacturing on nano-scale7. Ruben, CEO, talks about the technology partnership with IMEC in this video.
- Chainlink is a decentralized oracle network that enables smart contracts to securely access off-chain data feeds, web APIs, and traditional bank payments.
Launch: In June 2020, the NGRAVE team launched its pre-orders on Indiegogo. Within 15 minutes, the campaign crushed its funding goal. Within the first 24 hours, NGRAVE pre-orders crossed the $100,000 mark. 30 days later, the presale clocked out at 1535% of its goal, besting the second-best hardware wallet pre-order campaign by 8x. The generated sales from the campaign were worth US$ 460k+.
Current: In December 2021, NGRAVE had started shipping its first set of hardware wallet orders (batch ZERO). A total of 2,800 wallets were shipped worldwide to the customers from the Indiegogo 2020 pre-sale campaign. All 2,100 website orders (batch 1) made between July 2020 and October 2021 are currently shipping to the next set of buyers. Orders placed during the AIBC Summit in Malta are in production and will be shipped out within this quarter. Currently, all NGRAVE ZERO wallets are sold out, and the next batch of orders will be open for sale in February 2022.
Future: The business team is working on B2B deals for bulk orders in 2022, with the product side focused on various new integrations to enable an even better user experience, more secure custody, and quantum-resistant cryptography.
Ruben, CEO, is a repeat tech entrepreneur with a focus on digital asset security and financial empowerment. In 2021, he was selected for Belgium’s 40 under 40. Before that, he was a finalist in scale-ups.eu‘s Disruptive Innovator of the Year 2020 Award, and in Google/PWC/Trends’ Digital Pioneer 2020 nomination. Ruben holds an M.Sc. in Business Engineering (MBE), several postgraduate degrees, and is a certified PMP (Project Management Professional) and LEAN Six Sigma Black Belt. Ruben also successfully completed Oxford University’s Blockchain Strategy Program.
Xavier Hendrickx, CTO, is the person whose story inspired the foundation of NGRAVE. Xavier holds an undergraduate degree in Information Technology and started in the blockchain industry in 2013. He was previously the CTO of Swarm City, a blockchain-based marketplace with a built-in reputation system. He has expertise in cybersecurity, and was part of the white-hat hackers team that helped recover funds from ‘The Parity Hack’.
Edouard, COO, is a former IT and management consultant, making him the ideal translator of business requirements to the back-end side. Edouard is a connector, which also proved crucial for NGRAVE, as it was Edouard who got Ruben and Xavier acquainted and excited about a collaboration. Edouard is leading the Operations side at NGRAVE, making his passion his profession. Edouard has an M.Sc. in Business Engineering (MBE) from KU Leuven.
Dr. Jean-Jacques Quisquater is a cryptographer and a professor at University of Louvain. He received, with Claus P. Schnorr (creator of Schnorr signatures), the RSA Award for Excellence in Mathematics in 2013. Dr. Quisqarter is a visiting professor and research affiliate at MIT and is closely involved with Silvio Micali (Algorand founder), Ron Rivest (RSA creator), and Erik Demaine. Dr. Jean-Jacques has over 30k citations, 20+ patents, and wrote about blockchains in the 1980s (including 2nd reference of the Bitcoin whitepaper).
NGRAVE has also received grants from Agency Innovation & Entrepreneurship (VLAIO) and the European Commission’s European Innovation Council (EIC). VLAIO is the Flemish government’s point of contact for all entrepreneurs in Flanders (Belgium). The government-supported entity stimulates and supports innovation and entrepreneurship, and contributes to a favorable business climate in Belgium. The EIC is Europe’s flagship innovation programme to identify, develop and scale up breakthrough technologies and game-changing innovations. The NGRAVE team has applied to various other grants programs along with reapplication to the EIC for a larger grant.
NGRAVE is solving a critical problem of storage and security for the Web3 ecosystem and they have cracked a great product to solve the same. We have used the product ourselves and were taken away by its simplicity and wonderfully seamless UX. We have faith in the NGRAVE team to elevate digital asset security for the masses to the next level in the coming quarters and we believe they are on the right track to achieving their goal of making digital asset investments safer for everyone.
We extend our gratitude to Ruben Merre and the NGRAVE team for their valuable input.
DISCLOSURE & RISK WARNING
Woodstock is an investor in NGRAVE. Every financial product, asset class, or investment has risk. A cryptocurrency (also known as digital tokens, digital coins, or crypto(s)) is no different. That is why it is important for users to be aware of the potential risks present in cryptocurrency and blockchain projects. You should not invest funds in the cryptocurrency market that you are not prepared to completely lose; i.e., only allocate risk capital to digital tokens. Furthermore, we will not accept liability for any loss or damage that may arise directly or indirectly from any such investments.
Author: Abhinav Pathak