This week we cover important security improvements to existing dApps and explore Staking Models.
Tabby Rewards
Tabby Rewards continues to be a main focus for our team. We recently revamped our entire user interface as the design we had simply didn’t work. Our new design has been tested with a dedicated focus group over the past few weeks and there have been some positive improvements. We will continue iterating this new design until we get it right.
Changes to Metamask
As some of you may be aware, Metamask recently announced changes to their browser plugin to mitigate a serious privacy vulnerability. All third party dApps that communicate with Metamask are now required to request access to user accounts. This in turn will ask the user to approve or deny the request. Previously, Metamask would automatically inject an Ethereum provider and Web3 instance for the webpage to use, revealing a whole class of personally-identifiable information. There were serious privacy issues with the old way of communication between dApps as malicious websites could use the injected objects to view a user’s active Ethereum address. Our team is, of course, in favor of the updated security measures. These changes are necessary to keep users information (i.e., balance, transaction history, etc.) private.
We have integrated the new permission request with our multiple-wallet select-and-unlock flow in the underlying BlockCAT and Tabby architecture, so it will be immediately available across all our products and all future smart contracts.
Other dApp browsers such as Status, Mist, and imToken are following suit. Since our contracts interact with some of these dApps, we have to incorporate the changes into our smart contracts. In addition, this work will be added to our library for future smart contracts. We are working hard on having the changes implemented prior to the Metamask deadline of November 2, 2018. You can read more about the update to Metamask and how it will affect users in their Medium Article.
Further Experimentation on Staking
Although our primary focus is on Tabby Rewards and keeping up to date with recent security changes, we have had one of our Junior Developers working on new project. We are not quite ready to share what the project is, however it has been a great testbed for experimenting with and getting a better understanding of the implications of staking models.
Like all other smart contract development, there are some complex questions related to incentives, extensibility, usability and security which have to be answered when developing an effective staking model — and different implementation models to be considered for a given application area. Security is also a major concern and the developer must be able to identify any vulnerabilities in a given staking model (i.e., implications in voting systems, vouching systems and risk management) — security here isn’t just the story of known vulnerabilities, code review and validation process, but also the need to understand the incentives and game theoretic implications at varying scales.
As we’ve communicated numerous times, it is absolutely essential to us that the end product (in this case, the concept of a staking model) is usable and understandable to regular users. If we’re building “smart contracts for everyone,” we absolutely cannot require a deep understanding of game theory, cryptography or even web3 and Ethereum characteristics. Getting these details right remains a core focus.
Dev Notes
A few quick notes about what went on behind the scenes this week.
🎁 Rewards
+ Port token selection widget from Tabby Pay.
+ Integrate user friendly widgets for token selection and payment details.
+ Integrate gas fetch/polling.
+ Improve create campaign/dashboard flow per the UX review.
+ Fix toast styling and improvements to notification framework.
+ Improve infrastructure for intake of third-party token data.
+ Iterate on authorization modal.⚙️ General
+ Comprehensive code review and process mitigation for a new community discovered token transfer reentrancy vulnerability (good news: we were not vulnerable!).
+ Initial framework for new staking model experimentation project.
+ Update wallet workflow everywhere for new Metamask changes.
🐞 Bug Fixes
+ Fixed bug for detecting invalid wallet types.
That’s it for this week! If you have any questions, be sure to join our Discord channel, tweet to us on Twitter or chime in on the /r/BlockCAT subreddit!
