MyEtherWallet’s great success has already proved that having a cryptocurrency wallet in a browser is an interesting idea. First, it’s portable and easy to install. Furthermore, thanks to private browsing and statelessness it’s quite secure (I’d argue it can easily be made more secure than a typical desktop app), and if integrated with a hardware wallet, the security is as good as it gets. Since the Cardano cryptocurrency is growing popular and did not have a similar platform, we decided to take the challenge and start developing our own solution for it. It’s called AdaLite, and here’s how and why we did it.
Yes, there are paper wallets for Daedalus, but in general they help you only against some almost trivial attacks. Fundamentally, they are more of a quick fix than a proper solution, which would be a hardware wallet integration.
Another sad fact is that Daedalus has to store and sync the whole blockchain to work, which is time- and disk-space-consuming.
However, we don’t like to complain in vain, so we decided to address those issues by coming up with our own Cardano light wallet implementation. Lacking a precise enough Cardano technical specification, we resorted to reverse-engineering Daedalus’s backend from the Cardano codebase, written mostly in Haskell.
These are the principles we follow to make our light wallet as safe as possible:
We aim to have a minimum of client-side dependencies. That’s why we chose, for example, Preact instead of React. Large dependencies with lots of unused features make reasoning about the overall safety of the code harder, since they aren’t as easily reviewable and they vastly increase the attack surface.
We don’t use local storage at all, except for trivial things like whether you want to display the disclaimer the next time you open the page or not, but we do not store anything related to your wallet. Our wallet is a light wallet, so instead of storing and syncing the blockchain locally, we fetch all the data we need from the blockchain explorer—a publicly available and synced copy of the blockchain.
After the initial load we interact only with the blockchain explorer to fetch public data about addresses and with the transaction submission node to be able to submit transactions to the blockchain. The worst that can happen is the transaction being stopped or made invalid by a “man in the middle”, but only an attacker who guesses right or somehow gains access to your private keys can steal funds from your wallet.
We are aware that at any time our wallet may stop working because some breaking change in Cardano might be released. However, since we replicate the way Daedalus derives addresses from the passphrase, you can always fall back to it, i.e. recover your wallet from the passphrase.* If the change was breaking even for Daedalus, you can rely on the same instructions that would be provided to its users by the official community; therefore you don’t have to be afraid of being locked out of your funds in such a case.
*To be efficient, we generate the addresses deterministically, which is indeed a difference from Daedalus, which does it randomly. However, it’s not a difference that would prevent Daedalus from being able to recover a CardanoLite wallet. It’s a “problem” only the other way around.
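To make the asymmetry in that footnote concrete, here is an added toy model (example code written for this article, not AdaLite’s or Daedalus’s own code). It assumes a simplified address layout in which each address carries an authenticated, encrypted copy of its own derivation index; the real Cardano scheme uses different primitives and key derivation, so only the structure of the argument carries over. A Daedalus-style recovery inspects every address on the chain and keeps those whose embedded index authenticates under the owner’s key, which works for any index, random or sequential. A light-wallet-style recovery instead derives indices 0, 1, 2, … and stops after a gap of unused ones, which finds a deterministic wallet but not one whose indices were chosen at random. All mnemonics, indices and the “chain” below are constructed sample data.

```python
import hashlib
import hmac
from typing import List, Optional

GAP_LIMIT = 20  # sequential scanning gives up after this many consecutive unused indices


def derive_root(mnemonic: str) -> bytes:
    """Toy root key; a real wallet derives an extended key from the mnemonic, a hash stands in here."""
    return hashlib.sha256(mnemonic.encode()).digest()


def address_from(root: bytes, index: int) -> str:
    """Toy address = 20-byte spending-key hash || 4-byte encrypted index || 8-byte MAC tag, hex encoded."""
    child = hmac.new(root, b"child" + index.to_bytes(4, "big"), hashlib.sha256).digest()
    spending = hashlib.sha256(child).digest()[:20]
    enc_key = hmac.new(root, b"attr-enc", hashlib.sha256).digest()
    mac_key = hmac.new(root, b"attr-mac", hashlib.sha256).digest()
    # Encrypt-then-MAC over the index: keystream bound to the spending hash, tag over hash + ciphertext.
    keystream = hmac.new(enc_key, spending, hashlib.sha256).digest()[:4]
    ciphertext = bytes(a ^ b for a, b in zip(index.to_bytes(4, "big"), keystream))
    tag = hmac.new(mac_key, spending + ciphertext, hashlib.sha256).digest()[:8]
    return (spending + ciphertext + tag).hex()


def owned_index(root: bytes, address: str) -> Optional[int]:
    """Daedalus-style ownership check: authenticate and decrypt the embedded index, or None if not ours."""
    raw = bytes.fromhex(address)
    spending, ciphertext, tag = raw[:20], raw[20:24], raw[24:32]
    mac_key = hmac.new(root, b"attr-mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, spending + ciphertext, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, tag):
        return None
    enc_key = hmac.new(root, b"attr-enc", hashlib.sha256).digest()
    keystream = hmac.new(enc_key, spending, hashlib.sha256).digest()[:4]
    index = int.from_bytes(bytes(a ^ b for a, b in zip(ciphertext, keystream)), "big")
    # Defensive re-derivation: the recovered index must reproduce exactly this address.
    return index if address_from(root, index) == address else None


def recover_by_attributes(root: bytes, chain: List[str]) -> List[str]:
    """Random-index recovery: keep every on-chain address whose attributes authenticate under our key."""
    return sorted(a for a in chain if owned_index(root, a) is not None)


def recover_by_scanning(root: bytes, chain: List[str], gap_limit: int = GAP_LIMIT) -> List[str]:
    """Deterministic recovery: derive indices 0, 1, 2, ... until gap_limit consecutive ones are unused."""
    on_chain = set(chain)
    found, index, gap = [], 0, 0
    while gap < gap_limit:
        addr = address_from(root, index)
        if addr in on_chain:
            found.append(addr)
            gap = 0
        else:
            gap += 1
        index += 1
    return sorted(found)


# Constructed sample data: one deterministic wallet, one random-index wallet, one unrelated wallet.
DETERMINISTIC_INDICES = [0, 1, 2, 3]
RANDOM_INDICES = [1947230116, 7712001, 503118999]  # stand-ins for randomly chosen 31-bit indices
LITE_ROOT = derive_root("lite wallet mnemonic (constructed)")
DAEDALUS_ROOT = derive_root("daedalus wallet mnemonic (constructed)")
STRANGER_ROOT = derive_root("someone else's mnemonic (constructed)")
CHAIN = (
    [address_from(LITE_ROOT, i) for i in DETERMINISTIC_INDICES]
    + [address_from(DAEDALUS_ROOT, i) for i in RANDOM_INDICES]
    + [address_from(STRANGER_ROOT, i) for i in range(3)]
)


def demo() -> dict:
    """How many addresses each recovery strategy finds for each wallet against the constructed chain."""
    return {
        "lite_by_scanning": len(recover_by_scanning(LITE_ROOT, CHAIN)),
        "lite_by_attributes": len(recover_by_attributes(LITE_ROOT, CHAIN)),
        "daedalus_by_scanning": len(recover_by_scanning(DAEDALUS_ROOT, CHAIN)),
        "daedalus_by_attributes": len(recover_by_attributes(DAEDALUS_ROOT, CHAIN)),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows both strategies recovering all four deterministic addresses, while only the attribute-based scan recovers the three random-index ones; sequential scanning finds none of them because their indices lie far beyond any practical gap limit. That is the footnote’s point: a wallet that derives sequentially can be recovered by software that checks attributes, but not the reverse.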
At the end of the day, you cannot rely on the browser nor the dependencies you have or the lack of them when it comes to security. We realise that currently there is probably no better way to provide a reasonable level of security for cryptocurrency wallets but to manage your private keys and sign your transactions with a dedicated device. That’s why we integrated AdaLite with Trezor Model T and Ledger Nano S, so virtually no matter what goes wrong in your computer or the network, you can be quite confident that your private keys are safe, never leaving the circuits of the hardware wallet.
Of course, we don’t think that online light wallets are the silver bullet of cryptocurrency storage. For example, the statelessness sacrifices your comfort when making transactions frequently—you probably won’t be paying for your coffee with it. We are also fully aware that Cardano and Daedalus are still only a year and a half from their initial release—kudos to their developers for the fast progress. Nevertheless, we are always happy to bring diversity to the Cardano community, and we are sure that a Cardano online lightweight wallet with Trezor and Ledger support, as an alternative to the official Daedalus and Yoroi wallets, will find its fans.
Please help us make the wallet better with your feedback and pull requests!
Rafael Korbas, Senior engineer