Safety over everything: developing a cryptocurrency wallet in js

MyEtherWallet’s great success already proved, that having a cryptocurrency wallet in a browser is an interesting idea. At the end of the day, you cannot rely on the browser nor the dependencies you have or the lack of them when it comes to security.

MyEtherWallet’s great success already proved, that having a cryptocurrency wallet in a browser is an interesting idea. First, it’s portable and easy to install. Furthermore, thanks to private browsing and statelessness it’s quite secure (I’d argue it can easily be made more secure than a typical desktop app) and if integrated with a hardware wallet, the security is perfect. Since Cardano cryptocurrency is growing popular and it did not have a similar platform, we decided to take the challenge and start developing our solution for it. It’s called AdaLite and here’s how and why we did it.

Daedalus’s Labyrinth

There are currently more than 10,000 .js production files, that the official Daedalus wallet depends on. These are downloaded from the npm registry without any guarantee that they don’t include any malicious code. May any of these dependencies contain a key-logger, which is indeed easily doable, your security is screwed. Of course, this is a common problem of many javascript applications, but it’s especially important here when dealing with money.

Yes, there are paper wallets for Daedalus, but in general, they may help you only against some almost trivial attacks. Fundamentally, it’s more a quick-fix than a proper solution; a hardware wallet integration.

Another sad fact is that Daedalus has to store and sync the whole blockchain to work and this is time and disk space consuming.

However, we don’t like to complain in vain, so we decided to address those issues by coming up with our own Cardano light wallet implementation. Lacking a precise enough Cardano technical specification, we resorted to reverse-engineering Daedalus’s backend from the Cardano codebase, made mostly in Haskell.

Achieving Security

Those are the principles we are following to make our light wallet as safe as possible:

Make the project publicly auditable and easy to review

The source code is available on GitHub, you can review it, build it yourself locally and compare the resulting bundle with the one hosted on the site. The most relevant part of the code is around two thousand lines of ES6 JavaScript, which is a lot less than the official Cardano implementation of Daedalus and it’s certainly more readable for the majority of developers, as opposed to Haskell.

Keeping compatibility with the official wallet

We are aware that at any time our wallet may stop working because some breaking change in Cardano might be released. However, since we replicate the way Daedalus is deriving addresses from the passphrase, you can always fall back to it, i.e. recover your wallet from the passphrase.* If the change was breaking even for Daedalus, you can rely on the same instructions that would be provided to its users by the official community; therefore you don’t have to be afraid about being locked out from your funds in such case.

*to be efficient, we generate the addresses deterministically which is indeed a difference from Daedalus, that does it randomly. However, it’s not a difference that would prevent Daedalus from being able to recover a CardanoLite wallet. It’s a “problem” only the other way around.

Hardware wallet support

At the end of the day, you cannot rely on the browser nor the dependencies you have or the lack of them when it comes to security. We realise that currently there is probably no better way to provide a reasonable level of security for cryptocurrency wallets but to manage your private keys and sign your transactions with a dedicated device. That’s why we integrated AdaLite with Trezor Model T and Ledger Nano S, so virtually no matter what goes wrong in your computer or the network, you can be quite confident that your private keys are safe, never leaving the circuits of the hardware wallet.

Work with us

If you’re interested in the inner workings of Vacuumlabs, click below to browse our Jobs.

At the end of the day, you cannot rely on the browser nor the dependencies you have or the lack of them when it comes to security. We realise that currently there is probably no better way to provide a reasonable level of security for cryptocurrency wallets but to manage your private keys and sign your transactions with a dedicated device. That’s why we integrated AdaLite with Trezor Model T and Ledger Nano S, so virtually no matter what goes wrong in your computer or the network, you can be quite confident that your private keys are safe, never leaving the circuits of the hardware wallet.

Share:

Related posts

Let’s shape your ideas
together

No sales pitch or commitments. Just an honest talk to see if it’s a good fit
and build our cooperation from there.
 
You can also contact us via email contact@vacuumlabs.com

By submitting this form you agree to the processing of your personal data according to our  Privacy Policy.

Message sent

Thank you for contacting us! One of our experts will get in touch with you to learn about your business needs.