@learner-long-life
Last active May 26, 2021 23:21
Ethereum / Decentralized Web Wallets, Desiderata and Tradeoffs

Decentralized Web Wallets

After reading about current options for secure browser storage for wallets (https://www.rdegges.com/2018/please-stop-using-local-storage/), I think I understand the tradeoffs of the different approaches, which is helping me write my own web wallet (called Democracy), currently for Ethereum.

I'd like to check my understanding here. Any feedback appreciated below in comments.

Here are the properties I would want from any decentralized web wallet (desiderata):

  0. doesn't require browser extensions or installing any special software
  1. encrypted private key available for signing transactions in memory that's accessible from all browser tabs, and can be unlocked with a user password
  2. notifies the user when a valid dapp signing request happens (requires trusting 1st-party code if open source)
  3. relocks after a certain period of time, requiring the user password to unlock again (requires trusting 1st-party code if open source)
  4. protects against malicious third-party code, included on the page unknowingly, doing #2 or #3 outside of first-party dapp code
  5. easy backup and restore, ideally using automated 2FA with trusted tech support

The available Ethereum web wallets that I know about right now are

  • Metamask (from Consensys)
  • Portis
  • Fortmatic
  • Democracy (written by me)
  • Torus

A) HTML5 localStorage/sessionStorage of the main page in the browser URL

  • Satisfies #0.
  • To satisfy #1: it needs to be manually replicated to each new browser tab. Different browser tabs could have different accounts logged in.
  • Satisfies #2 and #3 if the library is open source.
  • Fails #4: if a privateKey is stored anywhere in memory/localStorage/memoryStorage, any third-party code included on the page can access it.
  • Satisfies #5, as encrypted keys are stored on a Democracy server (you can run your own) and can be restored into new devices / browsers via a REST call.

B) Chrome extension storage (aka Metamask)

  • Satisfies #1: has a separate memory area backed up in a file on the hard drive, encrypted with the user password, and can only be decrypted by grinding.
  • Satisfies #2 and #3: the Metamask source code is open source and can be verified to notify the user and relock.
  • Satisfies #4: all 3rd-party requests to the web3 provider would trigger a user notification.
  • Fails #5: seed words need to be backed up separately from the user password, and restored manually.

C) iframes (similar to Torus)

  • Satisfies #0.
  • Satisfies #1: iframes have a separate memory area from the main page, can be included in multiple browser tabs / different URLs, and maintain the same localStorage/sessionStorage of the iframe URL.
  • Satisfies #2 and #3 if open source.
  • Satisfies #4: if the only way to execute signing requests from the main page is to reload the iframe with different URL params, or through a server request, the first-party code in the iframe can notify the user, similar to Metamask popups, as above.
  • Satisfies #5: since the iframe loads from the server every time, that is where the backup is stored, similar to A).

@tomholford

Is there a repo for Democracy?

Also, what is your take on this web wallet?

https://chrome.google.com/webstore/detail/mew-cx/nlbmnnijcnlegkjjpcfjclmcfggfefdm

@learner-long-life (Author)

https://github.com/invisible-college/democracy

MEW is an OG wallet, and a Brooklyn company that friends of friends work at. It was my first Ethereum web wallet, and could work offline. I like it, but I've never used the chrome extension version.
