Add ZEUS wallet listing #4797

Open
devdavidejesus wants to merge 1 commit into bitcoin-dot-org:master from devdavidejesus:add-zeus-wallet

@devdavidejesus

Collaborator

Summary

This PR adds ZEUS to the wallet listing — a self-custodial Bitcoin and Lightning wallet developed by Atlas 21 Inc., founded by Evan Kaloudis.

ZEUS is available on Android (Google Play, F-Droid, and the ZEUS Zapstore) and iOS (App Store), built with React Native and TypeScript. Open-source under AGPL-3.0. (Android build tested via Google Play.)

Files changed

  • _wallets/zeus.md — wallet entry with scoring, features, and platform links
  • img/screenshots/zeusandroid.png — 250×350, optimized with optipng -o7
  • img/screenshots/zeusios.png — 250×350, optimized with optipng -o7
  • img/wallet/zeus.png — 144×144 icon, optimized with optipng -o7
  • _translations/en.yml — added walletzeus description (233 characters)

Review process

The ZEUS team (@kaloudis, CEO of Atlas 21) extended an invitation for this listing in ZeusLN/zeus#3981 and requested the initial PR draft be prepared by the reviewer.

This PR also begins to address the "Missing Wallet Category" finding from the April 2026 wallet-section audit (#4662), which noted that no listed wallet had Lightning as its primary user experience. ZEUS is a dedicated Lightning-first wallet added with vendor involvement, as anticipated in that issue.

Architecture

ZEUS supports three operational modes (only the non-custodial modes are reflected in this listing):

On-device (non-custodial, default):

  • LDK Node — Esplora-based block sync, Rapid Gossip Sync, BOLT12 support, ~10MB footprint, 12-word BIP39 seed, automatic remote backup
  • Embedded LND — Neutrino block filters, Express Graph Sync, Simple Taproot Channels, 24-word aezeed seed, channel migration support

Remote node (non-custodial, user-controlled):

  • LND (REST), LND (Lightning Node Connect), Core Lightning (CLNRest)
  • Compatible node platforms: Umbrel, StartOS, RaspiBlitz, myNode, BTCPay Server, Alby Hub, nodl, Citadel

Custodial modes (clearly marked as such by the app):

  • LNDHub accounts and Cashu ecash — both labeled "CUSTODIAL WALLET" in the UI; this listing reflects the non-custodial defaults only.

Testing

  • iOS (v13.0.1): hands-on testing — wallet creation, default LDK Node onboarding, 12-word seed backup flow, full restore from seed, receive flow with LSP fee disclosure, send flow (BOLT11/BOLT12 inputs accepted), settings navigation (Privacy, Security, Block explorer customization, Tor support), Cashu mints exposure, on-chain address generation (Bech32 verified), multi-mode wallet interface confirmation. The Lightning channel-open flow was not exercised end-to-end with real sats: the app recommends a first Lightning receive of 100,000 sats or more (an LSP setup fee is deducted from the received amount), which was beyond the reviewer's test budget. This applies to the on-device LSP path; remote-node and custodial modes do not incur it.
  • Android (v13.0.2): hands-on testing — onboarding, LDK Node default wallet interface (Mainnet), the full nine-mode connection menu (On-device: LDK Node, Embedded LND; Remote: LND REST, LND LNC, Core Lightning CLNRest, Nostr Wallet Connect, LNDHub), Settings structure (Networking, Privacy, Security, Currency, Language, Display), Privacy settings (mempool.space default explorer, Lurker mode, Stealth Mode), Security settings (Set Password, Set PIN, Biometrics — all opt-in), and on-chain Bech32 address generation (bc1q...). Behavior matched iOS, consistent with the shared React Native codebase.

Source code & dependencies (verified)

  • License: AGPL-3.0 (copyright Atlas 21 Inc., maintained since 2019)
  • Stack: React Native + TypeScript
  • Crypto libraries: @noble/secp256k1, @scure/bip39, bitcoinjs-lib, bip32, scrypt-js
  • iOS permissions declared: Camera only
  • No analytics/telemetry SDKs detected (no Firebase Analytics, Sentry, Mixpanel, Amplitude, Crashlytics)
  • Tor: react-native-tor (ZeusLN fork at v0.2.1-zeus)
  • Releases signed with PGP key 96C225207F2137E278C31CF7AAC48DE8AB8DEE84 since October 2021
  • Reproducible builds documented for Android (docs/ReproducibleBuilds.md)

Scoring

check:
  control: "checkgoodcontrolfull"
  validation: "checkpassvalidationspvservers"
  transparency: "checkpasstransparencyopensource"
  environment: "checkpassenvironmentmobile"
  privacy: "checkpassprivacybasic"
  fees: "checkgoodfeecontrolfull"

privacycheck:
  privacyaddressreuse: "checkpassprivacyaddressrotation"
  privacydisclosure: "checkfailprivacydisclosurecentralized"
  privacynetwork: "checkpassprivacynetworksupporttorproxy"

Features: bech32 lightning segwit · Level: 2 · Compat: mobile android ios

Notes

  • Description text follows the style of existing entries (no superlatives, factual tone).
  • Assets meet the optipng -o7 optimization requirement.
  • HSTS: the four primary domains (zeusln.com, www.zeusln.com, zeusln.app, www.zeusln.app) serve Strict-Transport-Security with max-age=31536000, includeSubDomains, and the preload directive (verified via curl -sI -L immediately before this PR was opened). SSL Labs grade A on all primary domains. docs.zeusln.app is hosted on GitHub Pages and does not serve the app binary.
  • On taproot / hardware_wallet flags: both are left off. In the default LDK Node mode (what a new user lands on, and what was tested), on-chain receive generates bc1q addresses and there is no easy/obvious way to generate a bc1p address — the Receive screen's "Advanced" control is a Receive-via-NFC option, not an address-type selector. The developer (@kaloudis) confirmed that Taproot addresses and hardware-wallet support exist in the Embedded LND mode (not the default), with LDK Node parity targeted for 2026. Since the taproot criterion asks that bc1p generation be "easy and obvious," and that lives only in the non-default mode, I've left the flag off. Easy follow-up PR if/when LDK Node exposes Taproot.

cc @crwatkins @kaloudis
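
The HTTPS and HSTS checks quoted in the Notes above (301 redirect from HTTP, `max-age` of at least one year, `includeSubDomains`, `preload`) can be evaluated mechanically from `curl -sI -L` output. The following is an added example, not part of the PR or of bitcoin.org's tooling; the function names and the `wallet.example` responses are constructed for illustration.

```python
"""Evaluate `curl -sI -L http://<host>/` output against the listing's HTTPS/HSTS rules."""

ONE_YEAR = 31536000  # seconds; the max-age value quoted in the review


def split_hops(raw):
    """Return [(status_code, {header_name: [values]})], one entry per response."""
    hops = []
    for block in raw.replace("\r\n", "\n").strip().split("\n\n"):
        lines = [ln.strip() for ln in block.split("\n") if ln.strip()]
        if not lines or not lines[0].upper().startswith("HTTP/"):
            continue
        parts = lines[0].split()
        if len(parts) < 2 or not parts[1].isdigit():
            continue
        headers = {}
        for ln in lines[1:]:
            name, _, value = ln.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
        hops.append((int(parts[1]), headers))
    return hops


def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if a directive repeats."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            return None  # RFC 6797: each directive may appear only once
        directives[name] = val.strip().strip('"') if sep else True
    return directives


def check_listing(raw):
    """Return a list of problems; an empty list means every check passed."""
    hops = split_hops(raw)
    if not hops:
        return ["no HTTP responses found"]
    problems = []
    status, headers = hops[0]
    location = headers.get("location", [""])[0].lower()
    if status != 301 or not location.startswith("https://"):
        problems.append("HTTP is not 301-redirected to HTTPS")
    # Only the last response in the redirect chain is the page actually served.
    sts = hops[-1][1].get("strict-transport-security")
    if not sts:
        return problems + ["no Strict-Transport-Security header on final response"]
    directives = parse_hsts(sts[0])  # only the first header field is processed
    if directives is None:
        return problems + ["Strict-Transport-Security repeats a directive"]
    age = directives.get("max-age")
    ok_age = isinstance(age, str) and age.isascii() and age.isdigit()
    if not ok_age or int(age) < ONE_YEAR:
        problems.append("max-age missing or below one year")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing")
    if "preload" not in directives:
        problems.append("preload missing")
    return problems


# Constructed sample outputs (hypothetical host wallet.example), not captured traffic.
GOOD = """\
HTTP/1.1 301 Moved Permanently
Location: https://wallet.example/

HTTP/2 200
content-type: text/html
strict-transport-security: max-age=31536000; includeSubDomains; preload
"""

NO_PRELOAD = GOOD.replace("; preload", "")

WEAK = """\
HTTP/1.1 302 Found
Location: https://wallet.example/

HTTP/2 200
Strict-Transport-Security: max-age="86400"
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("no preload", NO_PRELOAD), ("weak", WEAK)):
        print(label, "->", check_listing(sample) or "PASS")
```
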

@kaloudis

The ZEUS team is greatly appreciative of the consideration for inclusion on the Bitcoin.org website.

All information above appears to be accurate. I'm happy to answer any questions, should they arise.

Thank you.

@devdavidejesus

devdavidejesus commented Jun 17, 2026

Collaborator Author

ZEUS — Review for bitcoin.org listing

Wallet: ZEUS
Developer: Atlas 21 Inc. (founded and led by Evan Kaloudis)
Tested version: v13.0.1 (iOS) and v13.0.2 (Android) — see Platform notes below
Review version: 2026061401 (updated from 2026052401 after Android testing)
Reviewer: Davi de Jesus


Summary

ZEUS is a self-custodial Bitcoin and Lightning wallet developed by Atlas 21 Inc., available on Android and iOS. The application offers a configurable, multi-mode architecture: users can run a Lightning node on-device (LDK Node or Embedded LND), connect to a remote node (LND, Core Lightning, or several node platforms via REST / LNC / NWC), or use the bundled Cashu and LNDHub modes (which the app itself labels as "CUSTODIAL WALLET" in the UI).

This review is based on hands-on testing of the iOS app (v13.0.1) and the Android app (v13.0.2). v13.0.0 (released 7 May 2026) introduced LDK Node as the new on-device default for first-time users, replacing Embedded LND as the default path. Both builds are generated from the same React Native + TypeScript codebase. See "Platform notes" below.

This listing was prepared in response to an explicit invitation from the ZEUS team in ZeusLN/zeus#3981, where Evan Kaloudis (CEO of Atlas 21) requested that the initial PR draft be prepared by the reviewer.

Recommend listing under Mobile (Android + iOS), Level 2.


Platform notes

ZEUS is built on React Native + TypeScript (single codebase) with thin native shims for Android (Kotlin) and iOS (Swift/Obj-C). Crypto, Lightning, key handling, and wallet logic live in the shared JS/TS layer; this means business behavior is identical across platforms by construction.

  • ZeusLN/zeus (TypeScript 51.9%, JavaScript 40.8%) — shared application logic
  • iOS native layer (Swift 5.5%, Obj-C 0.2%) — App Store bundle
  • Android native layer (Java 0.9%, Kotlin 0.5%) — Google Play / F-Droid / Zapstore builds

Reviewer tested both iOS (v13.0.1) and Android (v13.0.2). On Android, the reviewer confirmed: the onboarding flow, LDK Node as the default on-device wallet interface (Mainnet), the full nine-mode connection menu (On-device: LDK Node, Embedded LND; Remote: LND REST, LND LNC, Core Lightning CLNRest, Nostr Wallet Connect, LNDHub), the Settings structure (Networking, Privacy, Security, Currency, Language, Display), Privacy settings (mempool.space default block explorer, Lurker mode, Stealth Mode), Security settings (Set Password, Set PIN, Biometrics — all opt-in), and on-chain Bech32 address generation. Behavior matched iOS, consistent with the shared TypeScript codebase.

A further iOS pass on v13.0.2 (2026-06-15) additionally confirmed: the Wallet interface selector (Wallet Configuration → "Wallet interface" dropdown, defaulting to LDK Node, with "Wallet Active" status and Back Up / Delete Wallet Config controls); Node & Network Info (ldk-node v0.7.0-zeus-vss, ZEUS v13.0.2, synced to chain and graph, live block height); on-chain Receive generating a Bech32 bc1q address; the Lightning Receive screen showing the LSP toggle and the first-receive 100,000-sats / setup-fee notice; and a built-in Swaps feature (on-chain ↔ Lightning submarine swaps via an LSP, quoted at a 0.1% service fee plus on-chain network fee). The Ecash bucket on a freshly created wallet displays "NO MINTS FOUND. TAP TO CONFIGURE", confirming that ecash is strictly opt-in.


Architecture

ZEUS exposes nine connection modes, grouped into three categories. Only the non-custodial paths are reflected in this listing's scoring profile.

On-device (non-custodial, default):

  • LDK Node — default for new wallets as of v13.0.0. Esplora-based block sync (mempool.space or user-configurable Esplora node), Rapid Gossip Sync for LN graph, BOLT12 offers, ~10MB on-device footprint, ~3–10 sec initial sync, ~3–5% battery / 24h (per Embedded LND vs LDK Node). 12-word BIP39 seed, automatic remote backup.
  • Embedded LND — previous default. Neutrino block filters (private, slower), Express Graph Sync, Simple Taproot Channels, ~1–5 GB on-device footprint, 24-word aezeed seed, channel migration to remote nodes supported.

Remote node (non-custodial, user-controlled infrastructure):

  • LND (REST), LND (Lightning Node Connect), Core Lightning (CLNRest)
  • Compatible node platforms: Umbrel, StartOS, RaspiBlitz, myNode, BTCPay Server, Alby Hub, nodl, Citadel
  • Tor connectivity supported throughout

Custodial modes (explicitly labeled by the app):

  • LNDHub accounts and Cashu ecash mints — both surfaced under the "Ecash" bucket on the home screen with a "CUSTODIAL WALLET" badge (verified in v13.0.1 hands-on). The dev team's own documentation (The Importance of Self-Custody in Bitcoin) is explicit that ecash holders "are no longer under your control" and that ZEUS includes Cashu specifically as an on-ramp from which users are encouraged to "graduate" to full self-custody.

The scoring below reflects the non-custodial defaults (LDK Node and Embedded LND, on-device). The "Resolution of review questions" section at the end of this document records the mentor's guidance on how the listing handles ZEUS's multi-mode nature.


Basic Requirements

The numbering below was added by the reviewer for organizational purposes and does not correspond to any numbering in docs/managing-wallets.md (which uses unnumbered bullet points with conditional sub-lists). Items are presented in the order they appear in the source document, including conditional branches that apply to ZEUS (single-signature, software wallet, exclusive private-key access).

| # | Requirement | Status | Note |
|---|---|---|---|
| 1 | Sufficient users/developers feedback without concerning issues, or independent security audit | PASS | Atlas 21 / ZEUS has been a continuously active contributor in the Lightning ecosystem since 2019. Public GitHub repository with ~1,386 stars, 241 forks, an active commit history, dozens of contributors, and 250+ tagged releases (verified 2026-06-15). Active public issue tracker (~300 open issues), Telegram support, public developer Slack. No independent security audit is published — flagging as parallel to the Phoenix precedent (#4714, item 1). |
| 2 | No indication users have been harmed considerably | PASS | No known incidents. No CVEs registered in CVE Details, OpenCVE, or Vulmon for "ZeusLN/zeus" or Atlas 21 (verified 2026-05-08). |
| 3 | No indication that security issues have been concealed/ignored | PASS | Public bug tracker, public release notes across 250+ releases. Release commits signed with PGP key 96C225207F2137E278C31CF7AAC48DE8AB8DEE84 (zeusln@tutanota.com) since October 2021; prior key 989CC718EBA8BB68 (Jan 2020 – Oct 2021) — full key history is published both in the repo (PGP.txt) and on zeusln.com/PGP.txt. |
| 4 | No indication of unstable/insecure libraries | PASS | Cryptography stack: @noble/secp256k1, @scure/bip39, bitcoinjs-lib, bip32, scrypt-js. @noble/secp256k1 is an audited, widely-deployed pure-JS implementation of secp256k1 with deterministic RFC 6979 nonces by specification. No analytics or telemetry SDKs detected (no Firebase, Sentry, Mixpanel, Amplitude, Crashlytics). Tor connectivity through react-native-tor (ZeusLN's own fork, v0.2.1-zeus). |
| 5 | No indication that changes are not properly tested | PASS | Public CI on the repo (GitHub Actions), tagged releases, signed commits, and an active multi-year commit history with dozens of contributors. |
| 6 | Wallet publicly announced and released ≥ 3 months | PASS | First public ZEUS release in 2019. Tested releases: v13.0.1 (iOS, published 7 May 2026) and v13.0.2 (Android). Continuous release history with 250+ tagged releases. |
| 7 | No concerning bug found when testing | PASS | Tested on iOS (v13.0.1): wallet creation, default LDK Node onboarding, 12-word seed backup flow (including the in-app scam-warning copy: "...A equipe de ZEUS nunca pedirá essas palavras"), full restore from seed (wallet deletion → recovery using the 12 words → successful restore), settings navigation, Receive screen for both Lightning and on-chain, on-chain address generation, Cashu mints exposure, multi-mode interface confirmation. Re-confirmed on Android (v13.0.2): onboarding, LDK Node default, the nine-mode connection menu, Settings (Networking/Privacy/Security/Currency/Language/Display), Privacy and Security sub-screens, and on-chain Bech32 address generation. No concerning bugs observed on either platform. |
| 8 | Bug reporting method on website and/or app | PASS | Bug reporting via GitHub issues. The official docs (docs.zeusln.app) additionally direct users to community Telegram (t.me/zeusLN), Twitter (@ZeusLN), and the developer Slack as support channels. |
| 9 | Website supports HTTPS and 301 redirects HTTP | PASS | All five domains (zeusln.com, www.zeusln.com, zeusln.app, www.zeusln.app, docs.zeusln.app) serve HTTPS and 301-redirect HTTP requests. Verified via curl -sI -L (re-confirmed 2026-06-14). |
| 10 | SSL certificate passes Qualys SSL Labs test | PASS | All three primary domains score Grade A on Qualys SSL Labs (verified 2026-05-08): zeusln.com, zeusln.app, and docs.zeusln.app (8 endpoints). ECDSA 256-bit / SHA384withECDSA certificates. TLS 1.3 enabled. |
| 11 | HSTS — new listings: max-age ≥ 1 year + preload + includeSubDomains | PASS | The four primary domains (zeusln.com, www.zeusln.com, zeusln.app, www.zeusln.app) serve Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. Verified via curl -sI -L on 2026-06-02 and again on 2026-06-14. The ZEUS team deployed HSTS during the review process (initial max-age + includeSubDomains, with the preload directive added subsequently). docs.zeusln.app is hosted on GitHub Pages, does not serve the app binary, and is outside the scope of this requirement. |
| 12 | Identity of CEOs and/or developers is public | PASS | Evan Kaloudis (CEO, Atlas 21 Inc.) is publicly identified — active on GitHub as @kaloudis, on Twitter as @kaloudis, and as project lead. Other notable contributors include fiatjaf (Nostr / BLIP-39 author) and 64 additional contributors with public identities. Copyright "Atlas 21 Inc." appears in all official docs. |
| 13 | Avoid address reuse by displaying new receiving address per transaction (UI) | PASS | On-chain receive flow generates Bech32 (P2WPKH) addresses by default. Empirically verified on both platforms across multiple freshly created wallets: e.g. bc1q2yx8ws8x7tmcy7myae5key6rjs3s20w3nf22nr (iOS) and bc1qty9xg9t5dsah38a4gnxjncafvfcu7v03m68y67 (Android). On Android, an actual on-chain receive of 15,400 sats was completed and confirmed in the wallet (transaction 11f3eded...22bd0). HD wallet design with a new address per receive request is standard for bip32-based wallets. (Note: the on-chain Receive screen's "Advanced" control is a Receive-via-NFC option, not an address-type selector; the LDK Node default does not surface an easy way to generate Bech32m/Taproot bc1p addresses, so the taproot flag is not claimed — see features note below.) |
| 14 | Avoid address reuse by using new change address per transaction | PASS | ZEUS uses BIP84 derivation for Bech32 wallets (bip32 dependency). New change address per transaction is standard HD wallet behavior. Not empirically isolated in this review (ZEUS is Lightning-first; on-chain spends are infrequent and the LSP-mediated flow rarely produces user-visible change). Same evidence pattern as Phoenix (PR #4714, item 14). |
| 15 | Does not show "received from" Bitcoin addresses in the UI | PASS | Verified empirically on Android (v13.0.2). After receiving 15,400 sats on-chain, the transaction detail screen shows the amount, total fees, transaction hash, status, and timestamp — but does not display the sender's ("received from") address. The Coins/UTXO view shows only the wallet's own receiving address holding the UTXO, not the origin address. |
| 16 | Uses deterministic ECDSA nonces (RFC 6979) | PASS | ZEUS signs through @noble/secp256k1, which uses deterministic RFC 6979 nonces by specification (and is the recommended audited pure-JS implementation in the Bitcoin JS ecosystem). Not empirically tested at the bit level — ZEUS does not expose PSBT signing for end-user nonce verification in a way that would allow byte-level inspection from within the app UI. Same evidence pattern accepted in PR #2808 (Eclair) and PR #4714 (Phoenix). |
| 17 | User has access to private keys for all major components | PASS | ZEUS is fully self-custodial in its default modes. The user holds the 12-word BIP39 seed (LDK Node) or 24-word aezeed (Embedded LND). The dev's own self-custody page (docs.zeusln.app/self-custody) is explicit: "If you don't hold your keys, you don't hold your Bitcoin." Custodial modes (Cashu, LNDHub) are clearly demarcated in the UI with a "CUSTODIAL WALLET" badge and are not part of this listing's scoring profile. |
| 18 | If keys stored online — refuses weak passwords / lock-out | N/A | ZEUS does not store keys online in its default (on-device) modes. The seed remains on-device. LDK Node has an automatic remote backup feature for channel state, but the seed itself is the user's local responsibility. |
| 19 | Supports HD wallets (BIP32) | PASS | ZEUS is a hierarchical-deterministic wallet. It derives keys from a BIP39 seed (12-word for LDK Node, 24-word aezeed for Embedded LND) via the bip32 library, using BIP84 derivation for Bech32 accounts. A single seed backs up the entire wallet. |
| 20 | Backup of wallet allowed (seed on setup) | PASS | Recovery seed accessible via Settings → backup wallet. Tested empirically: the app surfaces an explicit scam-warning screen ("...A equipe de ZEUS nunca pedirá essas palavras") before revealing the seed words. 12-word BIP39 for LDK Node, 24-word aezeed for Embedded LND. |
| 21 | Restoring wallet from backup works | PASS | Tested empirically: backed up the 12-word seed → reset the wallet → restored using the seed → wallet returned to clean state successfully. Standard BIP39 implementation via @scure/bip39 + bip32. |
| 22 | Source code public, version-controlled, up to date | PASS | https://github.com/ZeusLN/zeus; AGPLv3 license (full copyleft; the LICENSE file also notes an optional dual-licensing arrangement for non-AGPL-compliant use, via zeusln@tutanota.com), active commits, 250+ tagged releases, full commit history preserved. Latest tagged release at time of review is v13.0.2 (verified 2026-06-15). |
| 23 | Multi-sig with non-self-controlled keys (2FA, session, etc.) | N/A | ZEUS is single-signature self-custodial in its default modes. Vault (multisig) accounts are listed as work-in-progress in the official docs and are not enabled in the tested releases. |
| 24 | Hardware wallet requirements | N/A | ZEUS is a software wallet. (ZEUS does support interoperating with hardware wallets via PSBT and External Signer Accounts, but the wallet itself is software. The hardware_wallet feature flag is not claimed in this listing — see the features note under "Proposed _wallets/zeus.md".) |
| 25 | App-level access control (additional, beyond OS) | PASS | ZEUS offers configurable app-level access controls under Settings → Security: Set Password, Set PIN, and Biometrics (confirmed on Android v13.0.2; the iOS build shows the same controls). All are opt-in — the app does not enforce a lock by default. The official feature list (docs.zeusln.app) also lists "PIN or passphrase encryption" and a privacy/Stealth Mode (verified in Privacy settings). OS-level isolation (iOS / Android sandboxing) provides the base layer; the in-app controls are additional. |

Score decisions

check:
  control: "checkgoodcontrolfull"
  validation: "checkpassvalidationspvservers"
  transparency: "checkpasstransparencyopensource"
  environment: "checkpassenvironmentmobile"
  privacy: "checkpassprivacybasic"
  fees: "checkgoodfeecontrolfull"

privacycheck:
  privacyaddressreuse: "checkpassprivacyaddressrotation"
  privacydisclosure: "checkfailprivacydisclosurecentralized"
  privacynetwork: "checkpassprivacynetworksupporttorproxy"

Justifications

control: checkgoodcontrolfull — ZEUS is non-custodial in its default modes; the user holds the 12-word BIP39 seed (LDK Node) or 24-word aezeed (Embedded LND). No third party can freeze or move funds. The dev's own self-custody page is explicit on this point. Cashu and LNDHub modes are custodial but excluded from scoring per the architecture note.

validation: checkpassvalidationspvservers — LDK Node (the default in v13.0.0+) uses Esplora for block sync, which is an SPV-style model relying on remote servers (mempool.space by default, with user-configurable custom endpoints). Embedded LND uses Neutrino block filters (BIP157/BIP158), which is also SPV-style but more privacy-preserving. Both fall within checkpassvalidationspvservers. Same pattern as Phoenix (#4714) which uses Electrum servers — different protocol family, same trust model.

transparency: checkpasstransparencyopensource — AGPLv3 license, public source on GitHub since 2019 (codebase and releases public well beyond the 6-month minimum). Reproducible builds are documented for Android (docs/ReproducibleBuilds.md). iOS builds are not deterministic — confirmed by both the maintainer (Apple's signing/notarization model precludes deterministic iOS builds for all wallets) and the ZEUS team. This is therefore checkpasstransparencyopensource rather than the "good" tier, consistent with Phoenix (#4714) and Eclair (#2808).

environment: checkpassenvironmentmobile — iOS and Android, both with OS-level app isolation. ZEUS additionally offers configurable in-app access controls (PIN, passphrase, FaceID) — all opt-in (see item 23). The combination of OS app isolation + optional in-app authentication is consistent with the passing criterion.

privacy: checkpassprivacybasic — Address rotation OK (BIP84 / BIP86 derivation), but the default LDK Node mode discloses on-chain queries to Esplora servers. However, ZEUS explicitly documents (Privacy page) that "LDK Node wallet users can point to their own Esplora node for additional on-chain privacy" — the privacy disclosure is configurable rather than hard-wired. Same level as Phoenix.

fees: checkgoodfeecontrolfull — ZEUS exposes RBF, CPFP, full LND coin control, configurable routing fees, batch transactions, broadcast transactions, mempool-aware fee estimation via mempool.space (toggleable in Privacy settings), and granular route hints control. Channel management UI exposes fee settings explicitly. This is broader fee control than Phoenix offers (Phoenix received checkpassfeecontroloverride because it does not expose RBF/CPFP).

privacyaddressreuse: checkpassprivacyaddressrotation — Bech32 (P2WPKH) is the default on-chain receive format in LDK Node mode. Taproot (P2TR) is available in Embedded LND mode. Address rotation is standard HD wallet behavior; ZEUS does not surface any "static address" option.

privacydisclosure: checkfailprivacydisclosurecentralized — LDK Node default uses Esplora (centralized servers, including mempool.space by default). Even though the user can point to a custom Esplora node, the out-of-box default discloses on-chain queries to a third party. Same precedent as Phoenix (#4714) and Eclair (#2808).

privacynetwork: checkpassprivacynetworksupporttorproxy — Unlike Phoenix (which delegates Tor to an OS-level Orbot proxy), ZEUS bundles react-native-tor (ZeusLN's own fork, v0.2.1-zeus) as a JS module within the app, and the official feature list (docs.zeusln.app) presents "Connect over Tor" as an in-app feature without external dependencies. The nodl and StartOS connection presets default to Tor automatically. The maintainer has confirmed that embedded Tor qualifies for a PASS on this criterion.


Proposed _wallets/zeus.md

---
# This file is licensed under the MIT License (MIT) available on
# http://opensource.org/licenses/MIT.

id: zeus
title: "ZEUS"
titleshort: "ZEUS"
compat: "mobile android ios"
user: beginner
level: 2
platform:
  - mobile:
    name: mobile
    os:
      - name: android
        text: "walletzeus"
        link: "https://play.google.com/store/apps/details?id=app.zeusln.zeus"
        source: "https://github.com/ZeusLN/zeus"
        screenshot: "zeusandroid.png"
        features: "bech32 lightning segwit"
        check:
          control: "checkgoodcontrolfull"
          validation: "checkpassvalidationspvservers"
          transparency: "checkpasstransparencyopensource"
          environment: "checkpassenvironmentmobile"
          privacy: "checkpassprivacybasic"
          fees: "checkgoodfeecontrolfull"
        privacycheck:
          privacyaddressreuse: "checkpassprivacyaddressrotation"
          privacydisclosure: "checkfailprivacydisclosurecentralized"
          privacynetwork: "checkpassprivacynetworksupporttorproxy"
      - name: ios
        text: "walletzeus"
        link: "https://apps.apple.com/app/zeus-wallet/id1456038895"
        source: "https://github.com/ZeusLN/zeus"
        screenshot: "zeusios.png"
        features: "bech32 lightning segwit"
        check:
          control: "checkgoodcontrolfull"
          validation: "checkpassvalidationspvservers"
          transparency: "checkpasstransparencyopensource"
          environment: "checkpassenvironmentmobile"
          privacy: "checkpassprivacybasic"
          fees: "checkgoodfeecontrolfull"
        privacycheck:
          privacyaddressreuse: "checkpassprivacyaddressrotation"
          privacydisclosure: "checkfailprivacydisclosurecentralized"
          privacynetwork: "checkpassprivacynetworksupporttorproxy"
---

user: beginner — follows the bitcoin.org convention.

features: "bech32 lightning segwit" — matches the Phoenix feature set.

taproot is not included. The on-chain Receive screen in the default LDK Node mode generates Bech32 (bc1q) addresses, and the "Advanced" control on that screen is a Receive-via-NFC option, not an address-type selector — there is no easy/obvious way to generate a Bech32m (bc1p) receive address in the default flow (verified empirically on both iOS and Android). The developer (Evan Kaloudis) confirmed that Taproot addresses and hardware-wallet support exist in the Embedded LND mode, but not in LDK Node, and that closing that gap in LDK Node is on the roadmap for 2026. Because the taproot criterion requires bc1p generation to be "easy and obvious," and that capability lives only in the non-default Embedded LND mode (which was not exercised end-to-end in this review), the flag is left off. The final call on whether non-default-mode support qualifies is deferred to the maintainers. The flag can be added in a follow-up PR if/when LDK Node exposes Taproot.

hardware_wallet is not included: although ZEUS supports External Signer Accounts (PSBT) and the developer confirmed hardware-wallet support in Embedded LND, the bitcoin.org hardware_wallet feature definition requires support for signing with a hardware wallet listed on bitcoin.org specifically, which was not separately verified in this review. The flag can be added in a later update if that support is confirmed.

multisig is not included because Vault accounts are listed as work-in-progress in the official docs.


Description (walletzeus in _translations/en.yml)

ZEUS is a self-custodial Bitcoin and Lightning wallet developed by Atlas 21. The app can run a Lightning node on the device or connect to a remote LND or Core Lightning node. Available for Android and iOS. Open-source under AGPL-3.0.

(233 characters)


Assets (attached)

  • zeusios.png (iOS screenshot) — 250×350, optimized with optipng -o7. iOS home screen with a funded wallet (15,000 sats) showing the three balance buckets (Lightning, On-chain, Ecash) with the "CUSTODIAL WALLET" badge on Ecash.
  • zeusandroid.png (Android screenshot) — 250×350, optimized with optipng -o7. Android home screen with a funded wallet (15,400 sats on-chain) showing the Lightning and On-chain buckets.
  • zeus_icon_144.png (icon) — 144×144, 8,274 bytes, optimized with optipng -o7.

Items not verified in this review

For full transparency, the following items were not independently verified by the reviewer:

  • Embedded LND mode — Hands-on testing was done with the LDK Node default (on both iOS and Android). Embedded LND was the previous default and remains available as a user choice; its behavior is documented in the official ZEUS docs but was not exercised empirically in this review.

  • Remote node modes (LND/CLN/LNC/NWC/LNDHub) — Not tested in this review because they require user-owned remote infrastructure (Umbrel, StartOS, RaspiBlitz, etc.) that I do not currently operate. Documented architecturally based on the official docs.

  • Lightning receive empirical end-to-end — The on-device LSP path recommends a first Lightning receive of 100,000+ sats with a setup fee deducted, which was beyond the reviewer's test budget. The on-chain receive flow was verified empirically; the Lightning channel-open flow is documented architecturally. See "Resolution of review questions" item 4.

  • RFC 6979 nonce derivation, empirical — Confirmed via library specification (@noble/secp256k1, RFC 6979 by design) but not bit-level verified. ZEUS does not expose PSBT signing in a way that would allow nonce inspection from the UI. Same evidence pattern as Phoenix (Add Phoenix wallet listing #4714) and Eclair (Add Eclair Mobile #2808).

  • iOS reproducible builds — Not applicable. The maintainer and the ZEUS team both confirmed that Apple's platform constraints preclude deterministic iOS builds for all wallets. Android reproducible builds are documented (docs/ReproducibleBuilds.md).


Final status before PR submission

All Basic Requirements are met:

  • HSTS (item 11) — resolved. The four primary ZEUS domains serve Strict-Transport-Security: max-age=31536000; includeSubDomains; preload (verified 2026-06-02, re-confirmed 2026-06-14). docs.zeusln.app is hosted on GitHub Pages, does not serve the app binary, and is outside the scope of this requirement.
  • iOS reproducible builds — confirmed not applicable (Apple platform constraints).
  • Listing description — reviewed and approved by the ZEUS team.
  • Hands-on testing — completed on both iOS (v13.0.1) and Android (v13.0.2).
  • user: beginner and features: "bech32 lightning segwit" — verified during the review (no taproot flag, since the app does not provide an easy and obvious way to generate bc1p receive addresses; no hardware_wallet flag, since support for a bitcoin.org-listed hardware wallet was not independently verified).
