Address Spoofing
While the Casa system is highly secure, the user still needs to obtain a destination address for each transaction from an exchange or wallet outside Casa’s systems. Malware on a user’s computer could theoretically cause their web browser or other communication software to display an incorrect address. This would defeat the security of any storage system, as it occurs outside of that system.
Mitigation:
- Use of a mobile app mitigates browser extension based address modification.
- We re-derive receiving addresses independently on both server and mobile device. The app will throw an error if there is a mismatch between server and mobile device.
- Use of a separate non-Casa "watch only wallet" allows for independent validation of addresses.