Development Update 013 — Updates & Wallet Prototype

Sociall (SCL)
sociall.io
4 min read · Nov 20, 2017

Welcome to our exciting thirteenth development update post, covering our wallet prototype and other progress.

We have completed our first version of the wallet prototype. It will allow accounts on Social to store and send SCL and ETH securely, since all wallets will be encrypted and decrypted client-side via a user-created password.

Here is a step-by-step breakdown of how we plan on integrating our wallet into the platform.

  1. Generate a new wallet on request via Web3.
  2. Encrypt the new private key via a user-created password.
  3. Send the encrypted keystore file to the server and encrypt it server-side via slow hashing functions and bcrypt.
  4. Store the encrypted keystore file within our decentralised database.
  5. On transfer request, send the keystore file down to the client for decryption.
  6. Sign all transactions client-side on request via the user-created password.
https://github.com/ethereum/web3.js/tree/1.0.0-beta.18

The prototype code is complete and we have begun testing it on the testnet (Ropsten). Creating a wallet according to the above criteria allows us to set up a wallet where all we are doing is storing encrypted keystore files and not the raw private keys. This makes the wallet creation and storing process extremely safe and secure.
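
The client-side half of the flow above (steps 2 and 5), as an added example that is not Sociall's code: it uses scrypt and AES-256-GCM from Node's built-in crypto module as stand-ins for the web3 keystore format, so the server only ever receives the JSON that `encryptKey` returns. The function names, KDF parameters, sample key and sample password are assumptions.

```javascript
// Added example: simplified password-encrypted keystore, not the web3 format.
const crypto = require("crypto");

// scrypt cost parameters (assumed values), stored in the keystore so the
// client can re-derive the same key at decryption time.
const KDF = { N: 16384, r: 8, p: 1, dklen: 32 };

function deriveKey(password, saltHex, k) {
  return crypto.scryptSync(password, Buffer.from(saltHex, "hex"), k.dklen,
    { N: k.N, r: k.r, p: k.p });
}

// Step 2 (client): encrypt the private key; the result is safe to upload.
function encryptKey(privateKey, password) {
  const kdfparams = { ...KDF, salt: crypto.randomBytes(16).toString("hex") };
  const iv = crypto.randomBytes(12);
  const key = deriveKey(password, kdfparams.salt, kdfparams);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(privateKey), cipher.final()]);
  return { kdf: "scrypt", kdfparams, cipher: "aes-256-gcm",
    iv: iv.toString("hex"), ciphertext: ct.toString("hex"),
    tag: cipher.getAuthTag().toString("hex") };
}

// Step 5 (client): throws on a wrong password or a tampered keystore,
// because the GCM tag no longer verifies.
function decryptKey(ks, password) {
  const key = deriveKey(password, ks.kdfparams.salt, ks.kdfparams);
  const d = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(ks.iv, "hex"));
  d.setAuthTag(Buffer.from(ks.tag, "hex"));
  return Buffer.concat([d.update(Buffer.from(ks.ciphertext, "hex")), d.final()]);
}

function rejects(fn) { try { fn(); return false; } catch (e) { return true; } }

function demo() {
  const privateKey = crypto.randomBytes(32); // constructed sample key
  const password = "Xq7!mLp2#v";             // constructed sample password
  const ks = encryptKey(privateKey, password);
  const tampered = { ...ks, ciphertext: "00" + ks.ciphertext.slice(2) + "ff" };
  return {
    roundTrip: decryptKey(ks, password).equals(privateKey),
    leaksKey: JSON.stringify(ks).includes(privateKey.toString("hex")),
    wrongPasswordRejected: rejects(() => decryptKey(ks, "Wrong-pass1")),
    tamperRejected: rejects(() => decryptKey(tampered, password)),
  };
}

console.log(demo());
```
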

Let’s say the unfortunate happened and our database were (somehow) hacked and all keystore files were stolen. In this case, the hacker would have to know our server's slow hashing functions and variables, and would also have to brute-force the unique 10-character password each user encrypted their private key with. Even if they somehow got around our slow hashing functions, it would take them thousands of years to brute-force the raw keystore file, since all wallet passwords must be 10 characters in length including capitals, symbols and numbers. By then, we would have simply announced that all users should change their wallet passwords, and everything would be secure once more.

Jeff Atwood (Co-founder of Stack Overflow and Discourse) states that you should always:

Use bcrypt or PBKDF2 exclusively to hash anything you need to be secure. These new hashes were specifically designed to be difficult to implement on GPUs. Do not use any other form of hash. Almost every other popular hashing scheme is vulnerable to brute forcing by arrays of commodity GPUs, which only get faster and more parallel and easier to program for every year.

That is why we’ll be using slow hashing functions with bcrypt for the safest encryption possible.

For transferring SCL within the platform for purchases and transactions, the user must also have a positive ETH balance. This is because ETH acts as Gas for transferring other ERC20 tokens within the network. We will eventually implement a solution where users do not need ETH for transactions and can simply pay for all TX fees via SCL instead. We have a great plan for this, although it will not be implemented until later in 2018.

All users must note that the password they create to encrypt their private key is very important to remember. We will not be storing this password anywhere within our systems and it will never touch our server (for security reasons). If the password is lost or forgotten, access to your wallet will be lost forever. We will provide ways to create a new wallet for your existing Social account, although that will not give you access to the funds within your old wallet, which will be lost forever.

https://metamask.io/

We also have plans to integrate MetaMask in the near future so that users can host their wallets locally instead. This would be alongside the account hosted wallet as MetaMask currently only works as a Chrome extension, and Social will be a cross-platform application (browser, iOS, Android).

We will also be allowing the export of keystore files so that users can take their entire wallet from Social, and import it to other compatible wallets such as MyEtherWallet or MetaMask for example. This will come in a future version.

Lastly, we plan on integrating ShapeShift in the near future so that we can start supporting more ERC20 based tokens. This will allow users to convert their SCL to and from other ERC20 tokens supported by ShapeShift. Only ERC20 tokens will be supported for the time being since our wallet will be Ethereum based, as stated above. We may support more wallets in the future (BTC, XRP), although we do not have any plans or dates for that in the roadmap just yet. This means that users on Social will be able to store SCL, ETH and eventually almost any other ERC20 token available on ShapeShift.

Note that the wallet feature will not be integrated into the initial 2.0 version launch as we need to perform third party security audits on all wallet features before a public release. It will most likely be pushed within the 2.1 release as stated within our new roadmap.

We hope you enjoyed the more technical post this week regarding our wallet integration. As always, if you have any questions, email us at support@nexus.social or join us on Telegram.


Sociall is a secure and private social network for all that utilises its native cryptocurrency, SCL.