
Envoy version 2.1.0 is now available!

The latest version of Envoy, 2.1.0, is now published on all your favorite mobile platforms! To download it, simply visit our download page or check for updates on your platform of choice.

Please note that there can be a significant lag from publishing to general availability due to Apple App Store and Google Play Store review policies and delays.

What’s changed

In Envoy v2.1.0 we squashed a lot of bugs, so we encourage all our users to update for a smoother, more solid Envoy experience. Since Magic Backups have also been improved, we encourage everyone to perform a Magic Backup after the upgrade!

For more details on each of the changes, keep reading below!

Improvements

  • Improved the Magic Backup restoring flow – if the user changes any privacy settings during onboarding, these will prevail over those defined in the Magic Backup file
  • Improved the Personal Node selection. Previously, if you defined a Personal Node, then changed to a predefined node, then back to Personal Node, the field was overwritten by the predefined node’s address. This behavior has been updated so that the Personal Node saved remains there even when you return from a predefined node.
  • Major upgrade to Flutter to version 3.35.1
  • The Personal Node is now saved to the Magic Backup, so make sure to update and perform a Magic Backup again to save this setting!
  • Added warnings for users who last paired their accounts before Passport Core v2.3.0 and want to either enable Taproot by default, access the Taproot descriptor, or show a Taproot receive address
  • Improved the fee display when canceling transactions for users with very large text sizes
  • Updated multiple repositories and dependencies
  • Added Tor endpoints for signet, so users who use Tor should enjoy a more stable connection while using signet
  • Moving forward, the user's send unit preference will be remembered between transactions. Previously it would always default to BTC or Sats depending on the app setting.
  • Added the Explorer option to the transaction ID for the Coin Details view

Bug Fixes

  • Fixed a scenario where Magic Backups could be corrupted while being restored
  • Fixed a bug where sometimes an “Insufficient Funds” error could show up despite there being enough unlocked and confirmed coins
  • Fixed an edge case where sometimes two hot wallets could be created instead of one
  • Fixed an issue where Tor would not be loaded on first app startup, and added checks to make sure Tor is bootstrapped before attempting a connection to a node
  • Fixed a couple of issues that could cause an error or show a send amount of 0 when scanning an all-caps address
  • Fixed a visual bug where sometimes the fee would be displayed as 0 when accessing the transaction details
  • Fixed an issue where for some users the option to hide the Buy feature would not show up in settings -> advanced
  • Fixed a bug where in some scenarios self-sends couldn’t be boosted while using Passport
  • Fixed a rare bug where sometimes a hot wallet would be created but the seed would not be displayed
  • Fixed a minor visual spacing issue when selecting a Tag
  • Fixed an issue where users with big text sizes couldn’t save a transaction’s notes
  • Fixed an issue where Envoy would attempt to redeem a Lightning Network BTCPay voucher instead of throwing an error
  • Fixed an issue where sometimes iOS users wouldn’t be able to delete an account that was still loading balance
  • Fixed a minor visual bug that would not provide visual feedback to the user when entering an incorrect seed
  • Fixed the date of the Envoy new version notifications to display the actual date of release, instead of the day the user connected to the internet and saw it
  • Fixed a visual bug where sometimes the red shield would not show up even if the Tor connection dropped
  • Fixed a bug where for some users Envoy could remain blurred even after unlocking the app
  • Fixed an issue where Tor would sometimes not temporarily disable after the user explicitly asked it to do so
  • Fixed an issue where sometimes the PIN couldn’t be entered after Face ID failed for iOS users
  • Fixed an issue where sometimes if the user performed multiple back to back transactions, some of them would not be logged in the Activity tab
  • Fixed a minor bug where the default Note for BTCPay transaction wouldn’t be pre-populated
  • Fixed a bug where after performing a migration a user could get stuck in the send screen because the “Send Max” option wouldn’t disappear
  • Fixed a visual bug where the confirmation time wouldn’t update as soon as the user changed fee rate in the transaction review screen
  • Overall improvements in the onboarding flow and other minor visual tweaks

Verifying Envoy on Android

If you’d like to take the optional additional step of verifying Envoy binaries on Android, follow our guide: Verifying Envoy on Android

Passport Prime Security Audit

Our approach to security has always been consistent: build with care, and invite open verification. Ahead of Passport Prime shipping, we commissioned a full third-party security audit and made the results publicly available for anyone to review.

We took the same approach with Passport Core, which was also independently audited. The earlier audit set the precedent for how we handle security at Foundation: by opening our devices to outside scrutiny before they reach users, and by publishing the results in full. Passport Prime continues this same commitment, proving that transparency isn’t a one-time exercise, but an ongoing standard for every product we build.

Today, we’re outlining what was tested, what was discovered, how we addressed it, and where you can explore all the details for yourself.

 

Who Conducted the Audit — and What They Tested

The audit was performed by Keylabs (Nedos Consulting EMEA FZ-LLC), a specialist security firm focused on wallet technologies, embedded device audits, and secure storage systems.

Their team includes researchers known in the hardware wallet security community, including involvement in the wallet.fail presentation, which exposed vulnerabilities in wallets like Ledger and Trezor. With a track record of finding real flaws in the hardware wallet industry, Keylabs approached Passport Prime with the same rigor, giving us confidence that the evaluation reflected genuine attack scenarios and industry-leading standards.

The audit examined every layer of Passport Prime, from hardware and firmware to system architecture, to assess its resilience against real-world attack scenarios:

  • Threat modeling & architecture
    • Keylabs defined likely adversaries and reviewed how Passport Prime’s layered design is intended to protect against them, validating that the architecture aligns with our security goals.
  • Firmware review
    • They examined PIN authentication, key handling, memory clearing, secure boot behavior, and many other aspects.
  • Hardware testing
    • They evaluated components such as the ATECC608C secure element, SECURAM volatile memory, tamper detection, and PCB layout, including the accessibility of debug/test interfaces.
  • Physical attack considerations
    • The team assessed side-channel considerations, fault-injection feasibility, and what a skilled attacker with direct device access might realistically attempt.

This overview is only a snapshot of what was audited. The full report below goes much deeper and covers every component and process in detail.

 

Results Summary

No critical or high-severity vulnerabilities were found. All observations were low severity, requiring physical access and advanced tooling to attempt exploitation.

Keylabs concluded:

“The overall architecture demonstrates exceptional security design principles and sophisticated implementation.”

and further:

“The proactive approach to security demonstrates Foundation’s dedication to transparency and continuous security improvement. This results in a highly secure hardware wallet architecture that exceeds industry standards for protecting users’ digital assets.”

The findings themselves were focused on best-practice hardening recommendations:

  • Randomizing PIN verification timing to reduce side-channel risk.
  • Clearing memory more aggressively after failed attempts and on boot.
  • Ensuring Shamir shares are wiped immediately after use.
  • Zeroing SECURAM when PIN retries are exhausted.
  • Reducing exposure of non-essential debug pads on the PCB in future hardware revisions.

These are refinements rather than structural flaws, and all have already been addressed.

 

Our Response

We treated every observation from the audit as an opportunity to strengthen Passport Prime before it ships.

  • PIN verification — we implemented changes to add timing randomization and mitigate side-channel analysis.
  • Memory clearing — firmware was updated to ensure more aggressive zeroization on boot and after failed PIN attempts.
  • Shamir shares — handling was improved to guarantee that temporary shares are securely wiped immediately after use.
  • SECURAM behavior — logic was updated so volatile memory is cleared when PIN retries are exhausted.
  • Debug/test pads — while already hidden and protected by tamper detection, future hardware revisions will reduce or eliminate exposure further.

Our goal isn’t to pass an audit once, but to keep raising the bar. A complete, detailed breakdown of how we addressed each point is provided in our official response below.

 

Full Report & Response

Both documents are available in full and open for public review.

 

Closing Thoughts

Security is never “finished.” What matters is building systems that can evolve, improve, and stand up to constant inspection. Every observation has been addressed or planned for, and publishing the results ensures anyone can examine the process for themselves.

We are proud of these results. The audit confirmed that Passport Prime’s architecture is not only resilient but, in the words of the auditors, demonstrates “exceptional security design principles” and “a highly secure architecture that exceeds industry standards.”

As Passport Prime begins shipping, this audit is an important step in our commitment to transparency and verifiable security. It confirms what we’ve built: not just another hardware wallet, but a security platform whose architecture has been recognized as exceptional, sophisticated, and ahead of industry standards.