On 2025-03-13, SSP Wallet v1.16.0 closes a long arc and opens a new one. The audit engagement with Halborn that began with the Account Abstraction Solidity contracts now extends across the full stack — the SSP Wallet browser extension, the Relay service, the SSP Key mobile app, and the supporting libraries. The same release ships in-wallet swap, so users can exchange between the chains SSP supports without leaving the multisig setup.
Halborn completes the full SSP audit
Halborn's prior review of SSP looked at the smart-contract layer: the Factory and Account Implementation behind every Ethereum and Sepolia account. That review came back clean on the things that matter, and SSP redeployed against the cleaned-up versions in v1.9.0. What's different now is that the engagement has been extended to everything else SSP runs.
In scope this round: the SSP Wallet browser extension, including the key-management surface and the multisig signing logic that drives every spend; the SSP Relay, the coordination service that lets the browser extension and the mobile Key talk to each other for co-signing; and the SSP Key mobile application, which holds the second key half on the user's phone. The supporting libraries that all three depend on were reviewed alongside them.
The summary of where this leaves the project: every piece of SSP that touches a user's funds — the code that constructs transactions, the code that exchanges signing data between devices, and the code that produces the second signature — has now been independently audited. Halborn's published audit page for this round lives at halborn.com/audits/influx-technologies/ssp-wallet-relay-and-key.
Why "fully open-sourced + fully audited + multi-asset multisig" is rare
Most wallets pick two of those three. Plenty are open source but custodial or single-signature. Many are multisig but for a single ecosystem — Bitcoin-only, or Ethereum-only — and don't carry the same model across chains. A small number have had a third-party audit on the wallet binary, but their supporting infrastructure — the relay, the mobile app, the libraries — is closed or unreviewed.
SSP's combination is unusual. The wallet is open source under a permissive licence. The Relay is open source. The SSP Key Android and iOS apps are open source. The underlying cryptography libraries are open source. Multisig is the default flow on every supported chain, not a feature toggled on for the cautious. And — now — every one of those pieces has been audited by Halborn.
We're not claiming SSP is the only wallet in the world with this combination. We are claiming that the combination is rare enough that we can point at the audit pages, the repositories, and the architecture and say: this is what a fully-open, fully-audited, multi-asset multisig stack looks like in practice. If a comparable stack exists, we'd like to read its audit reports too.
Swap functionality is live
The second story in v1.16.0 is in-wallet swap. From this release on, users can swap between the chains SSP supports — Bitcoin, Ethereum, Bitcoin Cash, Zcash, Flux, and the ERC-20 tokens the wallet recognises — directly from the SSP interface, without exporting keys, without copying addresses between tabs, and without giving any third party custody of the funds before they're spent.
The custody model is the same one that governs every other spend in SSP. Funds stay in the user's multisig addresses until the swap is signed. When the user accepts a quote and confirms it, the transaction that funds the swap is constructed in the wallet, co-signed by the browser extension and the SSP Key, and only then broadcast. There is no intermediate hot custodial account that holds the user's balance "while the swap is pending." The same two keys that sign every other spend sign the swap.
Quotes are sourced through routing partners that aggregate liquidity across chains. The wallet shows the rate, the expected output, and the fee before the user signs. If the user doesn't like the quote, they don't sign — and the funds never leave the multisig. The user remains the one who clicks the green button.
Reading the audit reports
If you want to read the audit work directly rather than take our summary for it, Halborn publishes the reports at their audit hub. The current round's page is halborn.com/audits/influx-technologies/ssp-wallet-relay-and-key. The earlier Account Abstraction contracts review — the previous instalment in this story — lives at a separate URL on the same site and is summarised in the v1.9.0 audit post.
For the full release notes that ship Swap and incorporate the audit work, see the v1.16.0 release on GitHub. The auditing isn't a single milestone — it's a posture, and the public record at Halborn is the receipt.