
Stellar Lumen Wallet Security Just Got Serious in 2026


Stellar Lumen (XLM) shipped two protocol upgrades in four months that reset what an XLM wallet must do to stay compatible. Protocol 25 X-Ray went live January 22, 2026, embedding zero-knowledge cryptography (BN254 elliptic curve, Poseidon hash) into Soroban smart contracts. Protocol 26 Yardstick followed May 6, introducing CAP-77 Quorum Freeze for validator-led incident response and CAP-82 checked 256-bit arithmetic that changes how Soroban transaction results return overflow conditions. Wallets that haven't updated their signing libraries may throw errors or silently ignore contract calls. Custodial exchange wallets, non-custodial software wallets like Freighter and LOBSTR, hardware wallets, multisig setups, and institutional custody each react differently. With over $2 billion in tokenized real-world assets now on Stellar, the XLM wallet you choose carries more consequence than it did a year ago.

What Protocol X-Ray and Yardstick Demand From Stellar Wallets

Two protocol upgrades in four months. That is what the Stellar Lumen network delivered in early 2026, and both changed how XLM wallet security works at the protocol level. Protocol 25 "X-Ray" integrated native zero-knowledge cryptography into Soroban smart contracts on January 22, 2026. Protocol 26 "Yardstick" arrived May 6 and introduced the Quorum Freeze mechanism and checked 256-bit arithmetic. For Stellar Lumens holders these weren't just feature additions. They rewrote the security baseline for every wallet that touches the network. If you're trying to pick an XLM wallet today, you need to know what changed and what those changes mean for your store of value.

Protocol 25 brought zero-knowledge technology to Stellar. With native BN254 elliptic curve operations and the Poseidon hash function now embedded in Soroban smart contracts, wallets that sign and verify smart contract calls on Stellar can validate zero-knowledge proofs on-chain with configurable privacy parameters that did not exist six months ago. If an XLM wallet has not upgraded its signing libraries to account for the new transaction types, it will throw an error or silently ignore contract call validation.

Figure: Timeline of Stellar Protocol 25 X-Ray and Protocol 26 Yardstick wallet implications. Two upgrades, two distinct wallet implications. Source data: Stellar Development Foundation upgrade announcements (X-Ray, Yardstick), CAP-77 and CAP-82 specifications.

Protocol 26's CAP-77 Quorum Freeze was the larger change. It allows the validator network to freeze individual contract states with real capital at risk on-chain in the event of failure. With over $2 billion of real-world asset value now tokenized on Stellar, this feature is significant. CAP-77's protocol-native freeze is the first of its kind on a major L1 blockchain. The CAP-82 checked arithmetic variants have implications for how wallets parse transaction results returned from Soroban contracts: they no longer trap on overflow but instead return Void, which wallets must handle. This isn't an edge case that applies to developers only. Buy XLM on an exchange with your credit card, deposit it to a wallet that runs outdated firmware, and your transactions can get dropped. The narrative in the crypto news cycle around Stellar over the past six months has been RWA growth, March's SEC and CFTC commodity ruling, and the subsequent regulatory and compliance announcements. Stellar's wallet compatibility issue has been less publicized, which is what this article is here to remedy.

Wallet Categories Every XLM Holder Should Know

Every Stellar hodler needs to understand what wallet type they're using. The five types all react differently to the 2026 protocol changes. With custodial exchange wallets (Coinbase, Kraken, Binance), the exchange holds your private keys on your behalf. It's the wallet provider's responsibility to stay current with protocol upgrades on the backend. Because you are trusting them to custody your asset, you have to trust their security practices, any insurance they may have, and that they are actually solvent. Purchasing XLM with a credit card through these exchanges will usually put it in a custodial wallet by default. It is the easy option, but it requires the highest trust.

Non-custodial wallets are software wallets (Freighter, LOBSTR, StellarTerm) that live on your own device. Since you hold the keys yourself, you control who has access to them. All of these wallets have to be updated to support the new protocols when Protocol 25 and later Protocol 26 go live on mainnet. Freighter is a browser extension wallet built specifically for Stellar. Its update went out under 48 hours after Protocol 26 went live on mainnet. LOBSTR, Stellar's most widely used mobile wallet, updated not long after that. If you use either of these wallets, double check what version you're running before you sign any Soroban contract transaction. For a broader primer on custodial versus non-custodial setups across networks, the crypto wallet beginner guide walks through the same trust tradeoffs at a more general level.

Hardware wallets (Ledger Nano S Plus, Ledger Nano X) store your keys on a secure element chip, which means they're stored offline. Ledger supports the Stellar Lumen token natively once you download its Stellar app onto the device. To sign Soroban smart contract transactions, you can use Freighter as the frontend wallet and connect it to your Ledger hardware device. This method gives you two layers of security and is the recommended setup for individuals who want the highest security.

The fourth category is multi-signature wallets. Multisig is a process that requires multiple separate parties to sign off on a transaction before it's broadcast and sent to the network. Stellar has native multi-sig support at the protocol layer. No need for a smart contract to allow multi-sig functionality.

Lastly there are institutional custody solutions. Fireblocks and Copper are two big companies that specialize in enterprise solutions for organizations that need to custody large XLM balances. These types of wallets come equipped with standard enterprise features like governance controls, audit logs, and insurance.

Soroban Parsing, Derivation Paths, and Trustline Hygiene

Security features vary wildly between wallets in 2026. Let's talk about a few features that good wallets have. The first is Soroban contract parsing. When you sign a smart contract transaction in your wallet, you should always be shown exactly what that contract is going to do. Which tokens will be sent? Where will they be sent? Under what conditions? Wallets that show users raw XDR data instead of a human-readable summary are asking their users to sign blindly. Soroban contract transaction payloads also use several new response types because of the checked arithmetic added in Protocol 26. If the wallet can't parse those properly, it won't know how to show you what you are approving. Currently Freighter has the most complete support among the non-custodial wallets. LOBSTR has partial support but will have full Soroban parsing in its next update.
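A sketch of the fail-closed result handling this paragraph calls for, added here as an illustration and not taken from Freighter, LOBSTR or any Stellar SDK. It decodes only the Void and 256-bit SCVal cases from Stellar's contract XDR and refuses everything else; the function names and sample bytes are hypothetical and constructed, and treating Void as "overflowed" follows the article's description of CAP-82.

```python
import struct

# SCValType discriminants from Stellar's contract XDR (only those handled here).
SCV_VOID, SCV_U256, SCV_I256 = 1, 11, 12

class UnsupportedResult(Exception):
    """Raised so the signing UI refuses instead of rendering an empty summary."""

def decode_scval(xdr: bytes):
    """Decode one XDR-encoded SCVal into (kind, value); reject anything else."""
    if len(xdr) < 4:
        raise UnsupportedResult("truncated SCVal")
    (tag,) = struct.unpack(">I", xdr[:4])      # XDR union discriminant, big-endian
    body = xdr[4:]
    if tag == SCV_VOID:
        if body:
            raise UnsupportedResult("trailing bytes after Void")
        return ("void", None)
    if tag in (SCV_U256, SCV_I256):
        if len(body) != 32:                    # four 64-bit parts, most significant first
            raise UnsupportedResult("256-bit value must be exactly 32 bytes")
        signed = tag == SCV_I256
        return ("i256" if signed else "u256",
                int.from_bytes(body, "big", signed=signed))
    raise UnsupportedResult(f"SCVal type {tag} is not handled by this wallet build")

def summarize_checked_result(xdr: bytes) -> str:
    """Summary line for the result of a checked-arithmetic call (caller knows the context)."""
    kind, value = decode_scval(xdr)
    if kind == "void":
        return "no value returned: the checked operation overflowed"
    return f"{kind} result: {value}"

# Constructed sample results: Void, and a U256 holding 2**128.
SAMPLE_VOID = struct.pack(">I", SCV_VOID)
SAMPLE_U256 = struct.pack(">I", SCV_U256) + (1 << 128).to_bytes(32, "big")

if __name__ == "__main__":
    print(summarize_checked_result(SAMPLE_VOID))
    print(summarize_checked_result(SAMPLE_U256))
```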

The second security feature is support for the standard key derivation path. Stellar uses SEP-0005, its hierarchical deterministic key derivation standard. The derivation path used is m/44'/148'/0'. Some third-party wallets use an alternative derivation path. If you try to recover your funds from a seed phrase in a wallet that uses a different derivation path, it will fail. Double check that your wallet follows SEP-0005 before using it for long-term holdings. This isn't something you'll see posted on most XLM news sites, but it is the difference between your recovery phrase working or not when you need it.

The last one is trustline management. Stellar requires that you have explicit trustlines in order to hold any asset other than native XLM. If a wallet has poor UX around trustlines, it can trick users into approving trustlines to fake tokens. Both the XLM logo and name can be spoofed when stored on-chain. Wallets that verify assets being sent to you against a directory like Stellar Expert or StellarTerm's verified list are adding a real layer of security.

Setting Up a Non-Custodial XLM Wallet in Seven Steps

If you would like instructions on setting up Freighter (which we recommend), here's a step-by-step guide.

Step one: Open a new window to freighter.app and install the browser extension from the browser store (Chrome or Firefox only). Ensure the publisher of the app is called "Stellar Development Foundation" before clicking install.

Step two: Upon opening Freighter, click "Create New Wallet." Freighter will present you with a 24 word recovery phrase. Write this phrase down on paper. Do NOT screenshot this step, take a photo of your screen, or write or store this phrase in a digital format under any circumstances.

Step three: To ensure you wrote down your recovery phrase correctly, input the words in the order Freighter prompts you to.

Step four: Create a strong password for your local device. This is not your recovery phrase. This password will encrypt your keys while they are stored on your device. Make this at least 16 characters long and include a combination of upper and lower case letters, numbers, and symbols.

Step five: Your wallet has now been created. Click "Network" in the settings panel. It should be set to "Mainnet." Testnet was the default in previous versions (added because Freighter was in beta). If you send real funds to a testnet address, they will be irreversibly lost.

Step six: Your public address for this account (starts with G) should now be visible on the main screen. You may begin taking deposits of XLM from an exchange or another wallet. The minimum amount required to bring a new Stellar account online is 1 XLM, used to pay the base reserve.

Step seven (optional): Connect a Ledger hardware wallet to further secure your funds. Click the gear icon to open Freighter's settings, select "Connect Hardware Wallet" and follow the prompts. Your Stellar app should be open on your Ledger device before you click continue. Transaction signing will now be pushed to the hardware device. Your private keys will never exist in your browser, which gives institutional-level security to those who want to access Soroban contracts and DeFi protocols such as Blend's $80 million TVL without the risk of browser attacks.

The Recovery Phrase Problem Most Guides Skip Over

Virtually every recovery seed phrase instruction ends with something along the lines of "write down your 24 words." That is dangerously incomplete unless you're referring to the Ledger hardware wallet seed phrase.

An XLM wallet recovery phrase may back up multiple accounts. SEP-0005 allows for multiple Stellar accounts to be derived from one single 24 word mnemonic seed simply by incrementing what's called the account index in the derivation path. If you had created multiple accounts using the same seed within Freighter, you need to know how many accounts were created total to properly restore your seed.

Freighter automatically scans for existing active accounts upon restore, but this feature isn't available on all wallets. LOBSTR by default will only restore account 0 from your seed phrase. Many users have accidentally restored their seed into LOBSTR, losing access to tokens they've had in derived accounts that exist on-chain, but are not displayed in the wallet due to the derivation difference.
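The SEP-0005 derivation from the key-derivation paragraph and the account-index behaviour described above, as an added example (not code from Freighter, LOBSTR or a Stellar SDK). It goes from mnemonic to `G...` address with only the Python standard library, so you can see that each account index, and each alternative path, yields a different account; the function names are hypothetical, the mnemonic is a published 12-word BIP39 test phrase, and wordlist/checksum validation is assumed to have happened already.

```python
import base64, hashlib, hmac, struct

P = 2**255 - 19                               # Ed25519 field prime (RFC 8032)
D = -121665 * pow(121666, P - 2, P) % P       # curve constant d
GY = 4 * pow(5, P - 2, P) % P                 # base point y = 4/5
GX = 15112221349535400772501151409588531511454012693041857206046113283949847762202
BASE = (GX, GY, 1, GX * GY % P)               # extended coordinates (X, Y, Z, T)

def _add(a, b):  # unified point addition from RFC 8032 section 6 (also doubles)
    A, B = (a[1] - a[0]) * (b[1] - b[0]) % P, (a[1] + a[0]) * (b[1] + b[0]) % P
    C, E = 2 * a[3] * b[3] * D % P, 2 * a[2] * b[2] % P
    return ((B - A) * (E - C) % P, (E + C) * (B + A) % P,
            (E - C) * (E + C) % P, (B - A) * (B + A) % P)

def ed25519_public(seed32):
    """Public key for a 32-byte seed: hash, clamp, scalar-multiply, compress."""
    h = hashlib.sha512(seed32).digest()
    s = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
    q, pt = (0, 1, 1, 0), BASE
    while s:
        if s & 1:
            q = _add(q, pt)
        pt, s = _add(pt, pt), s >> 1
    x, y = (c * pow(q[2], P - 2, P) % P for c in q[:2])
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def slip10_key(seed, path):
    """SLIP-0010 Ed25519 derivation; every level is hardened, as SEP-0005 uses."""
    i = hmac.new(b"ed25519 seed", seed, hashlib.sha512).digest()
    for index in path:
        data = b"\x00" + i[:32] + struct.pack(">I", index | 0x80000000)
        i = hmac.new(i[32:], data, hashlib.sha512).digest()
    return i[:32]

def strkey_account(pub):
    """Stellar G... address: version byte, key, CRC16-XModem (little-endian), base32."""
    body, crc = bytes([6 << 3]) + pub, 0
    for byte in body:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return base64.b32encode(body + struct.pack("<H", crc)).decode()

def account(mnemonic, index, prefix=(44, 148)):
    """Address at m/44'/148'/index' by default (the SEP-0005 path in the article)."""
    seed = hashlib.pbkdf2_hmac("sha512", mnemonic.encode(), b"mnemonic", 2048)
    return strkey_account(ed25519_public(slip10_key(seed, (*prefix, index))))

MNEMONIC = "abandon " * 11 + "about"  # published BIP39 test phrase, sample input only

if __name__ == "__main__":
    for n in range(3):  # same words, three different accounts
        print(f"m/44'/148'/{n}'", account(MNEMONIC, n))
    print("m/44'/0'/0'  ", account(MNEMONIC, 0, prefix=(44, 0)))  # non-SEP-0005 path
```

A wallet that restores only index 0 shows the first address and nothing else; funds at the later indexes are still on-chain and reappear in any wallet that walks the index.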

How you store your recovery phrase is as important as the words themselves. Paper degrades over time. Ink can run. Fires can incinerate both. Metal seed phrase storage plates like those made by Cryptosteel or Billfodl are far more resilient when exposed to fire and water. Keep multiple backups in multiple physical locations. Keeping one in your bank safe deposit box and one in a home safe would be a decent minimum. Some go as far as storing their 24 words in two locations, split between them with twelve words each. The problem with that method is that it doubles your likelihood of actually losing access to your coins if either location is compromised.

A mistake often seen when users try to verify their recovery phrase is deleting their wallet and restoring it. This should only be done on a wallet with zero balance. Instead, you can install Freighter on another browser profile and attempt to recover your seed there. You should see the same public address displayed. If it restores with your address, you will most likely be ok. Make sure you delete the test installation when finished. You will see the XLM logo show up on your restored account, with your balances, if everything restored correctly. This process incurs zero risk to your funds while verifying that your backup works.

Where the Wallet Security Conversation Goes Next

Today the Stellar Lumens blockchain network is home to $2 billion in real-world assets tokenized on its network and $5.5 billion in payment volume. The ecosystem has grown to a point in which wallet security shouldn't be the worry of retail investors alone. There are institutional investment firms that hold risk on this network. Franklin Templeton and Amundi are two notable names. Those firms have billions of dollars of fiduciary responsibility riding on the aptitude of this technology. That is the entire reason the Protocol 26 Quorum Freeze mechanism exists at the infrastructure level: to protect that type of capital on the network.

For day traders and individuals out there browsing Stellar Lumen token news, whether you freshly bought some Stellar Lumens or your portfolio is staring you in the face as a recovery nightmare, the outcome is up to you and how you keep the wallet containing those tokens safe when they inevitably swing in price. Right now the XLM price today is $0.1654. With an XLM price this stagnant and the token sitting in the top 20 by market cap, it's a cheap place to start if you are looking to buy into crypto for the first time.

Yes, buying XLM with your credit card on an exchange is the most common way to acquire it. But did you know most of those buyers keep those tokens in custodial wallets? This isn't a directive to self-custody. That option is just powerful, with tradeoffs that go along with the decision. Self-custody is much more powerful but also demands more responsibility with upgrades like the ones coming in 2026. Having the XLM logo on your wallet screen amounts to nothing if that piece of software won't validate transactions properly against the latest upgrades.

Two things to do right now. If you own an existing Stellar wallet, make sure you are running the latest version and it explicitly states compatibility with Protocol 26. If you're currently on a custodial solution and don't mind jumping through hoops to switch to self custody, follow the seven steps above to initialize Freighter with your Ledger device, test your recovery phrase with a new browser profile, and send 0.0001 XLM to yourself. Your cryptocurrency doesn't have the luxury of waiting for you to improve your security. Neither will the Stellar network. Reading up on the latest stellar lumens price prediction coverage matters far less than making sure the wallet underneath your position is actually compatible with the network that prediction is about.
