
Safety over everything: developing a cryptocurrency wallet in JS

Since the Cardano cryptocurrency is growing in popularity and did not have a platform similar to MyEtherWallet, we decided to take on the challenge and start developing our own solution for it. It’s called AdaLite, and here’s how and why we did it.

Rafael Korbas
17.4.2019

MyEtherWallet’s great success has already proved that having a cryptocurrency wallet in a browser is an interesting idea. First, it’s portable and easy to install. Furthermore, thanks to private browsing and statelessness, it’s quite secure (I’d argue it can easily be made more secure than a typical desktop app), and if integrated with a hardware wallet, the security is perfect. Since the Cardano cryptocurrency is growing in popularity and did not have a similar platform, we decided to take on the challenge and start developing our own solution for it. It’s called AdaLite, and here’s how and why we did it.

Daedalus’s Labyrinth

There are currently more than 10,000 production .js files that the official Daedalus wallet depends on. These are downloaded from the npm registry without any guarantee that they don’t include malicious code. Should any of these dependencies contain a keylogger, which is indeed easily doable, your security is screwed. Of course, this is a common problem of many JavaScript applications, but it’s especially important here, when dealing with money.

Yes, there are paper wallets for Daedalus, but in general they help only against some almost trivial attacks. Fundamentally, they are more of a quick fix than a proper solution, which would be hardware wallet integration.

Another sad fact is that Daedalus has to store and sync the whole blockchain to work, which consumes both time and disk space.

However, we don’t like to complain in vain, so we decided to address those issues by coming up with our own Cardano light wallet implementation. Lacking a precise enough Cardano technical specification, we resorted to reverse-engineering Daedalus’s backend from the Cardano codebase, which is written mostly in Haskell.

Achieving Security

These are the principles we follow to make our light wallet as safe as possible:

Make the project publicly auditable and easy to review

The source code is available on GitHub. You can review it, build it yourself locally and compare the resulting bundle with the one hosted on the site. The most relevant part of the code is around two thousand lines of ES6 JavaScript, which is a lot less than the official Cardano implementation of Daedalus, and it’s certainly more readable for the majority of developers than Haskell.
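The build-and-compare step described above can be scripted. This is an added example, not code from the AdaLite project; it assumes the build is reproducible (byte-identical output), and the two bundle contents below are constructed stand-ins for a local build and a downloaded copy.

```javascript
const { createHash } = require('crypto');

// SRI-style digest ("sha384-<base64>"), the format used by <script integrity="...">.
function sri(buf) {
  return 'sha384-' + createHash('sha384').update(buf).digest('base64');
}

// Compare a locally built bundle with the hosted one. On mismatch, report the
// first differing byte offset and the hosted bytes around it for manual review.
function compareBundles(localBuf, hostedBuf) {
  const same = localBuf.equals(hostedBuf);
  let firstDiff = -1;
  let context = '';
  if (!same) {
    const n = Math.min(localBuf.length, hostedBuf.length);
    firstDiff = n; // default: one bundle is a strict prefix of the other
    for (let i = 0; i < n; i++) {
      if (localBuf[i] !== hostedBuf[i]) { firstDiff = i; break; }
    }
    const start = Math.max(0, firstDiff - 20);
    context = hostedBuf.subarray(start, firstDiff + 40).toString('utf8');
  }
  return { same, local: sri(localBuf), hosted: sri(hostedBuf), firstDiff, context };
}

// Constructed sample data: in practice, read the build output with fs.readFileSync
// and the hosted file saved from the site.
const localBundle = Buffer.from('function sign(tx,key){return ed.sign(tx,key)}');
const hostedBundle = Buffer.from('function sign(tx,key){send(key);return ed.sign(tx,key)}');

console.log(compareBundles(localBundle, hostedBundle));
```

A mismatch only proves the two files differ; differing build environments or minifier versions can cause that too, so the reported offset is a starting point for review.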

As little code in dependencies as possible

We aim to have a minimum of client-side dependencies. That’s why we chose, for example, Preact instead of React. Significant dependencies with lots of unused features make reasoning about the overall safety of the code harder, since they aren’t as easily reviewable and they vastly increase the attack surface.
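To put numbers on the dependency problem raised here and in the Daedalus section, the following added example (not AdaLite's or Daedalus's own code) walks the `packages` map of a package-lock.json (lockfile version 2 or 3) and reports how many packages are pulled in, which ones run install scripts, and which lack an integrity hash or come from outside the npm registry. The lockfile content is constructed and all package names in it are hypothetical.

```javascript
// Constructed sample in the package-lock.json v2/v3 "packages" layout.
// All package names and URLs are hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'wallet-app', version: '1.0.0' },
    'node_modules/ui-lib': {
      version: '10.0.0',
      resolved: 'https://registry.npmjs.org/ui-lib/-/ui-lib-10.0.0.tgz',
      integrity: 'sha512-CONSTRUCTED',
    },
    'node_modules/ui-lib/node_modules/tiny-util': {
      version: '0.3.1',
      resolved: 'https://registry.npmjs.org/tiny-util/-/tiny-util-0.3.1.tgz',
      integrity: 'sha512-CONSTRUCTED',
      hasInstallScript: true,
    },
    'node_modules/@tools/bundler': {
      version: '4.2.0',
      resolved: 'https://registry.npmjs.org/@tools/bundler/-/bundler-4.2.0.tgz',
      integrity: 'sha512-CONSTRUCTED',
      dev: true,
      hasInstallScript: true,
    },
    'node_modules/forked-crypto': {
      version: '1.0.0',
      resolved: 'git+ssh://git@example.com/forked-crypto.git#0000000',
    },
  },
};

const REGISTRY = 'https://registry.npmjs.org/';

function auditLock(lock) {
  const report = { production: 0, devOnly: 0, installScripts: [], noIntegrity: [], offRegistry: [] };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '' || meta.link) continue; // skip the root project and workspace links
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (meta.dev) report.devOnly++; else report.production++;
    // Install scripts run on the build machine, so dev-only packages count too.
    if (meta.hasInstallScript) report.installScripts.push(name);
    if (!meta.integrity) report.noIntegrity.push(name);
    if (!String(meta.resolved || '').startsWith(REGISTRY)) report.offRegistry.push(name);
  }
  return report;
}

console.log(auditLock(sampleLock));
```

Against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` instead of the sample object.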

Statelessness

We don’t use local storage at all, except for trivial things like whether you want to display the disclaimer the next time you open the page or not, but we do not store anything related to your wallet. Our wallet is a light wallet, so instead of storing and syncing the blockchain locally, we fetch all the data we need from the blockchain explorer—a publicly available and synced copy of the blockchain.

Minimum interaction with the outside world

After the initial load we interact only with the blockchain explorer to fetch public data about addresses and with the transaction submission node to be able to submit transactions to the blockchain. The worst that can happen is the transaction being stopped or made invalid by a “man in the middle”, but only an attacker who guesses right or somehow gains access to your private keys can steal funds from your wallet.

Keeping compatibility with the official wallet

We are aware that our wallet may stop working at any time because some breaking change in Cardano might be released. However, since we replicate the way Daedalus derives addresses from the passphrase, you can always fall back to it, i.e. recover your wallet from the passphrase.* If the change was breaking even for Daedalus, you can rely on the same instructions that the official community would provide to its users; therefore you don’t have to be afraid of being locked out of your funds in such a case.

*To be efficient, we generate the addresses deterministically, which is indeed a difference from Daedalus, which does it randomly. However, it’s not a difference that would prevent Daedalus from being able to recover a CardanoLite wallet. It’s a “problem” only the other way around.

Hardware wallet support

At the end of the day, when it comes to security you can rely neither on the browser nor on the dependencies you have, or the lack of them. We realise that currently there is probably no better way to provide a reasonable level of security for cryptocurrency wallets than to manage your private keys and sign your transactions with a dedicated device. That’s why we integrated AdaLite with Trezor Model T and Ledger Nano S, so virtually no matter what goes wrong in your computer or the network, you can be quite confident that your private keys are safe, never leaving the circuits of the hardware wallet.

Conclusion

Of course, we don’t think that online light wallets are the silver bullet of cryptocurrency storage. For example, statelessness sacrifices your comfort when making transactions frequently—you probably won’t be paying for your coffee with it. We are also fully aware that Cardano and Daedalus are still a year and a half from their initial release—kudos to their developers for the fast progress. Nevertheless, we are always happy to bring diversity to the Cardano community, and we are sure that a Cardano online lightweight wallet with Trezor and Ledger support, as an alternative to the official Daedalus and Yoroi wallets, will find its fans.

Please help us make the wallet better with your feedback and pull requests!

Web: https://adalite.io

GitHub: https://github.com/vacuumlabs/adalite

Rafael Korbas

Senior Engineer
