Locked VX? Is that a good thing?

On-chain 2FA? Is that a thing?

Owl
5 min read · Apr 9, 2022

What if you had the convenience of using a hot wallet while keeping the security of a cold wallet?
Even if you give out your seed phrase, fear not, kongz are safu…

Hello frens,
It’s been a while since my last blogpost. Things don’t change: I got my private key leaked again… But this time I did it deliberately!
Tweet thread for proof at the end of the article.

NEVER DO THIS! I’m a professional so it’s ok

The question you might ask yourself is: “But why, Owl?”
To this I shall answer: “For the culture…”
And to prove out a new system that perfectly secures assets held in an address.

The LockRegistry

What is it? Basically, the lock registry is a system that plugs into the ERC721 standard with negligible gas impact and allows whitelisted addresses to lock and unlock assets in place. By locking I mean preventing them from being transferred out of a wallet.
Think of your asset as a box on which you can add as many locks as you want. As long as there is at least one lock, you can’t open it; once all locks are gone, you can. It’s the same with NFTs, except that instead of being unable to open the box, you’re unable to transfer the token.
More details can be found on this repo.
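As an added illustration of the locking idea (not the LockRegistry repo’s own code), here is a minimal ERC721 extension that counts locks per token, lets only whitelisted lockers add or remove their own lock, and refuses every transfer path while any lock remains. It assumes OpenZeppelin Contracts 4.8.x/4.9.x, whose ERC721 exposes the `_beforeTokenTransfer(from, to, firstTokenId, batchSize)` hook; the contract name and storage layout are my own choices.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration (not the LockRegistry repo's code); assumes OpenZeppelin 4.8.x/4.9.x's hook signature.
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

contract LockableERC721 is ERC721, Ownable {
    mapping(address => bool) public approvedLocker;               // whitelisted lock/unlock callers
    mapping(uint256 => uint256) public lockCount;                 // locks currently on a token
    mapping(uint256 => mapping(address => bool)) public lockedBy; // which locker holds which lock

    constructor() ERC721("Lockable", "LOCK") {}

    modifier onlyLocker() {
        require(approvedLocker[msg.sender], "not an approved locker");
        _;
    }

    function setApprovedLocker(address locker, bool ok) external onlyOwner {
        approvedLocker[locker] = ok;
    }

    // Each approved locker may hold at most one lock per token; the token stays
    // put until every locker that locked it has unlocked it again.
    function lockId(uint256 tokenId) external onlyLocker {
        require(_exists(tokenId), "no such token");
        require(!lockedBy[tokenId][msg.sender], "already locked by caller");
        lockedBy[tokenId][msg.sender] = true;
        lockCount[tokenId] += 1;
    }

    // A locker can only remove its own lock, so one system cannot free an
    // asset that another system still holds.
    function unlockId(uint256 tokenId) external onlyLocker {
        require(lockedBy[tokenId][msg.sender], "caller holds no lock");
        lockedBy[tokenId][msg.sender] = false;
        lockCount[tokenId] -= 1;
    }

    // Single checkpoint for every transfer path (transferFrom, safeTransferFrom, burn):
    // refuse while any lock remains. Minting (from == 0) passes so new tokens never get stuck.
    function _beforeTokenTransfer(address from, address to, uint256 firstTokenId, uint256 batchSize) internal override {
        for (uint256 i = 0; i < batchSize; i++) {
            require(from == address(0) || lockCount[firstTokenId + i] == 0, "token is locked");
        }
        super._beforeTokenTransfer(from, to, firstTokenId, batchSize);
    }
}
```

Note that `approve` and `setApprovalForAll` are deliberately left untouched: a locked token can still be pre-approved to a trusted contract, and it is only the transfer itself that the hook refuses.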

This simple locking mechanism opens the door to a variety of new systems, such as…

Stakeless staking

Wait, Owl... what..? Yes!
Stake your assets without losing ownership. In CyberKongz’s recent release of their Play & Kollect experience, VX CyberKongz assets are locked (virtually staked) in the Adventure contract, which lets them earn fuel rods that allow them to run free adventures every day! While locked, VX assets cannot move, ensuring that the fuel rod generation is valid.

Each VX is locked, meaning they can’t move anymore. First and last time I force you to read code. Promise!

The lock registry was built with the ability to have parallel staking in mind. Assets could be used in multiple systems where locking the asset in place would be beneficial.
On the day of the Play & Kollect release, a user sadly had his private key compromised, but thanks to the Lock Registry the hacker could not extract the VX.

And here you are witnessing the birth of an amazing concept…

It filled me with joy seeing that the system helped a user rescue his assets. It wasn’t 100% secure, but it was good enough to buy some time: the hacker never figured out that if he had unlocked the VX from the Adventure contract, he could have stolen them as well.

This small interaction gave birth to the next concept I want to talk to you about…

On-chain 2FA

I’m lost Owl, what on earth is that?
Easy: the hacker mentioned earlier wasn’t able to unlock the assets in time. What if the hacker had never been able to unlock those assets at all? Even with an exposed private key, your assets would still be safe…

A simple infographic to explain the guardian contract

The tech for such a system is finally here; we call it the Guardian contract.
Here is how it works:
- A user sets up a different address to be their guardian. Ideally, the guardian is also controlled by the user and is held under a more robust signing scheme (multi-sig or hardware wallet).
- Once set up, the guardian cannot be changed by the user. Only the guardian can renounce its role, which allows the user to set up a new guardian.
- The guardian has the power to lock, unlock and unlockAndTransfer the user’s assets. Once assets are locked by the guardian, they cannot be transferred, but the user still holds ownership of them.
- If the user’s private key is compromised, the unlockAndTransfer call allows the guardian to atomically unlock assets and transfer them to a safe recipient (requirement: the user has allowed the guardian contract to transfer assets on their behalf).
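The four rules above, as an added example of my own (not CyberKongz’s Guardian contract). It assumes the token exposes `lockId`/`unlockId` in the lock registry style and has whitelisted this contract as a locker; `ownerOf` and `safeTransferFrom` are standard ERC721. The interface and contract names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
// Added illustration of the guardian flow described above, not CyberKongz's Guardian contract.
// Assumes the token exposes lockId/unlockId and has whitelisted this contract as a locker.
interface ILockableERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
    function lockId(uint256 tokenId) external;
    function unlockId(uint256 tokenId) external;
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

contract Guardian {
    ILockableERC721 public immutable token;
    mapping(address => address) public guardianOf; // user => guardian, address(0) = none
    constructor(ILockableERC721 _token) { token = _token; }

    modifier onlyGuardianOf(address user) {
        require(guardianOf[user] == msg.sender, "not the guardian");
        _;
    }

    // Set once: a compromised user key cannot later swap the guardian for the attacker's address.
    function setGuardian(address guardian) external {
        require(guardianOf[msg.sender] == address(0), "guardian already set");
        require(guardian != address(0) && guardian != msg.sender, "bad guardian");
        guardianOf[msg.sender] = guardian;
    }

    // Only the guardian may step down, which frees the user to nominate a new one.
    function renounce(address user) external onlyGuardianOf(user) { delete guardianOf[user]; }

    // ownerOf check: this contract is a whitelisted locker, so without it a guardian could lock strangers' tokens.
    function lock(address user, uint256[] calldata ids) external onlyGuardianOf(user) {
        for (uint256 i; i < ids.length; i++) {
            require(token.ownerOf(ids[i]) == user, "not user's token");
            token.lockId(ids[i]);
        }
    }

    function unlock(address user, uint256[] calldata ids) external onlyGuardianOf(user) {
        for (uint256 i; i < ids.length; i++) token.unlockId(ids[i]);
    }

    // Rescue path: unlock and move in one transaction, so the token is never left unlocked under a
    // compromised key. Requires the user to have called setApprovalForAll(address(this), true).
    function unlockAndTransfer(address user, uint256[] calldata ids, address to) external onlyGuardianOf(user) {
        for (uint256 i; i < ids.length; i++) {
            token.unlockId(ids[i]);
            token.safeTransferFrom(user, to, ids[i]);
        }
    }
}
```

If the same token is also locked by another system (say, an adventure contract), `unlockAndTransfer` will revert at the transfer step, which is exactly the parallel-lock behaviour the registry is meant to give.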

You can check out a functioning implementation live for CyberKongz VX assets!

WebApp made by the formidable Gaspacho.eth!

That’s cool Owl, but what does this solve?

We all know that hot wallets are convenient and we love using them for our daily activities, but with that convenience comes great vulnerability… The Guardian Contract lets you enjoy the convenience of a hot wallet while adding the security of a cold/hardware/multi-sig wallet on top. It even allows you to guard assets that already reside on a hardware wallet with a second hardware wallet, adding another layer of protection against signing unwanted transfer or approval transactions.

Furthermore, scams will be harder to pull off.
Email scams, social engineering, luring users into approving OpenSea sales or approvals to some rogue contract, hot wallet hacks, giving seed phrases away, etc…
None of those methods work if your assets are locked up.
The number of hacks would drop drastically, saving users hundreds of thousands if not millions.

You have the convenience of using a hot wallet while keeping the security of a cold/HW/multi-sig wallet.

Conclusion

This is in fact just the beginning. The Lock Registry can be added to any ERC721 implementation and allows for more systems that enhance security, enable novel staking mechanics, take part in on-chain games, and many more things we haven’t thought of yet.

That’s all folks. Hope I taught you something here. I’ll see you guys in my next blogpost!

Chat soon, anon.

Owl

Some links:
