It is open source, not to be confused with open hardware, which it is not. The hardware is transparent, literally, it has a clear protective coating on the hardware which allows visually verifying everything. For security things check out https://docs.crp.to/security.html - TL;DR: Before you enter the PIN it's not doing any crypto, which means lots of side-channel attacks don't apply; you would have to know the PIN to even attempt many types of side-channel attacks.
> The hardware is transparent, literally, it has a clear protective coating on the hardware which allows visually verifying everything
Right, and that's bullshit. How do I know you aren't embedding an advanced joule-thieving silicon die disguised as a pull-up resistor to manipulate USB communication or even interface with the micro in a backdoor?
Fair question. But it makes me wonder: what would be the accepted way to provide schematics/PCBs and prove the provided ones are also what gets used to create the actually sold hardware? Same question for the source code actually.
When you say open-source, it's rather general, i.e. not open-source software or hardware, so it does imply it's open-source in both (e.g. https://en.wikipedia.org/wiki/Open-source_hardware, not "open hardware").