austintgriffith / burner-wallet
🔥👛 Burner Wallet to move crypto quickly in a web browser. Sweep to cold storage when you get home. 🏠👨🏻‍🚒

Home Page: https://xdai.io

License: MIT License

Shell 0.46% HTML 0.85% CSS 2.04% JavaScript 80.40% Solidity 16.24%
ethereum burner wallet xdai dai ephemeral keypair

burner-wallet's Issues

Firefox Issues

For some reason it fails right away in Firefox. It might have something to do with MetaMask being locked or on the wrong network, but we'll need to catch that. It might be in Dapparatus.

Adding unit next to address

It's not clear this address is for xDAI; it should be very clear that you need to send xDAI explicitly to this address, not Ether or DAI.

Create an alternative signed hash.

The actual hash requires a destination field. It is not obligatory anymore because there are more parameters that make each fund unique.

The idea is to have a new feature for enhancing the send with link capability. There is no need to know the destination beforehand. If a user is claiming a fund with a link, the app could show a text field to write the destination address. In a future enhancement this could even be an ENS.

Adding: Request Funds functionality

Use case: a pizza restaurant with friends where I paid with my credit card; then I could go xdai.io >> request funds >> enter the amount and possibly a message, and share the link on WhatsApp maybe, or by QR ..

Ideally, that request for funds would generate a URL which, if opened in a web3 wallet, would auto-populate the amount and receiver address; if not, just a QR code/wallet address like:

xDAI:0x0000000000000000000?amount=5.6&message=Payment-Piza&label=devcon&extra=other-param

*Burner wallet* and naming

I personally like the Burner Wallet name, but I've learned the hard way to look at things through the eyes of the audience.

The Q. is how "burner wallet" as a name would convey a user-friendly, seamless, trustworthy experience. Do you wanna consider something else? Maybe:

  • Web wallet
  • Flat wallet, feeless wallet
  • IO Wallet
  • or Instant Wallet << my favorite

Provide Educational Material

We should have step by step guides (maybe even videos) that show how to:

  1. fiat -> DAI
  2. DAI -> xDai
  3. send xDai via scan
  4. send xDai via message
  5. send xDai via address
  6. sweep funds to cold storage
  7. xDai -> DAI
  8. DAI -> fiat
  9. copy private key to meta mask
  10. burn private key

Instant exchange functionality

An instant exchange from any token sent to the address to xDAI would definitely go a long way. Imagine a world where for small things like "sharing the pizza or Uber" you don't need to worry about tokens, exchange rates, addresses: just send to this address anything you have (or you wish), and it would exchange it to xDAI if the token you sent was recognized by the connected DEX; otherwise the wallet would reject/auto-refund/send your funds back to your address.

Missing Exchange SC code. React building error.

./src/components/Bridge.js Module not found: Can't resolve '../contracts/Exchange.abi.js' in '/dapp/src/components'

For testing, I just commented out line 45 in Bridge.js to let it build: abi:require("../contracts/Exchange.abi.js"),

Confirm Burn

Create a confirmation dialog when burning the key so you can be sure they really want to trash the key forever.

QR code partially loads

May be due to an underpowered phone, but the QR code only partially loads on both Android Chrome & Brave browsers. Phone: HTC One, Android 5.0.2.

Style and Design

The current design/UI is very ugly. It was a quick proof-of-concept. Please create and implement a gorgeous and intuitive design.

We want it to look great and work intuitively even in different languages.

This is a big task and will take a lot of thought and style.

DenDai on Brave

For some reason when I visit DenDai on Brave with my shields up it hangs and chews CPU.

Leaving a note here so I'll figure this problem out eventually

The signature submitted in claim() can be reused multiple times

The signature in claim() refers only to the destination address.

So, once a valid signature has been published for a specific destination, it can be reused to claim all the funds for any Id where funds[Id].signer is the same signer.

I am not sure whether this is the intention of the developer, but we can have N send() from one signer, then 1 claim() with its signature, and we can immediately generate the N-1 remaining claim() to the same destination.

I propose to sign keccak256(Id, address) to prevent this replay attack.

Site load time improvements

Site is getting a 0 on Google's PageSpeed test.


Links to reports:

There are two very low-hanging-fruit ways to get the PageSpeed score significantly improved.

  1. Set CloudFront file compression on (will likely save 20+ seconds from load time)
  2. Set cache control headers

Great blog post outlining how to do this: https://christianoliff.com/blog/optimizing-cloudfront-performance.

I'd be happy to do this, but it requires CloudFront access.

Burner Wallet Loading Gif

Create a badass loader gif for the burner wallet.

There are moments when you are waiting for the Burner to scan QR code or send a transaction.

Right now there is a filler loader but let's create something awesome.

It would be cool if it was "burner" / "cypherpunk" themed, maybe even one that is QR code themed.

It should be around 150px x 150px and still load quickly on old phones.

Error Bridging DAI to ETH

First of all, let's have a prompt that comes up letting them know they don't have any gas and they need to send ETH to the address.

Second, I got this error when going DAI to ETH:

Expired Message Sends need to automatically be withdrawn

After a certain amount of time, value sent in messages over services like WeChat will expire.

When they expire the sender will need to withdraw them from the Links contract.

For ephemeral accounts, just withdraw them automatically, but for injected web3 accounts, provide a button to withdraw.

Show a smaller balance to cover gas costs

If I have $1.25 and I try to send $1.25 it will fail because it needs a little gas.

I think a good solution to this would be to display their balance a little smaller than it actually is.

If we are rounding down 0.01 we should probably change any default fields from 0.01 to 0.10 too.

Email Private key

Emailing the private key (possibly in JSON format encrypted with a password) is quite a bit more useful and safer than copying the private key; we all know browsers aren't reliable, and you could be browsing intentionally or accidentally in incognito mode.

Front-end: click on private key >> pop-up with the private key half hidden >> and three options below that:
Show, Copy, and Email it

Users could be much more relaxed knowing they have a backup of their private key in their email and just use xDAI.io without that extra heartbeat :P

Add apple-touch-icon

I love Burner, just added it to my iPhone home screen but I'm sad there is no 🔥 icon.

I'd gladly push a PR if you have any icon assets.

Use BlockScout

Normally you link to etherscan but that won't work for xdai.

After Scan Loading Time

There is a weird UX issue where after you scan on a slow network you don't get any feedback until the page loads.

As soon as the QR scanner detects a code, we should show an intermediate screen while the link loads. Some kind of burner loader.

Clean up React - create many components from monolithic single file

Right now the src/App.js is one big file. Please apply React best practices and divide the large file into many, easy to use components.

The goal would be to make it much easier to read and update the code.

This task could take a while and requires a good understanding of React.

Detect Network

Make sure injected web3 is on dai.poa.network and if it isn't throw up a big warning.

Interesting iPad Error on Scan

Using an old iPad and safari it works fine, but if I "add to home screen" and then access it from there, I get this error when I try to open the scanner:


Include chain id in signed data

Hi, others have been mentioning that a nonce is needed to prevent replay attacks. However, I think a nonce might not be enough if burner wallets exist on mainnet and testnets. Even with a nonce, a replay attack is possible when a claim (that happened on testnet) is replayed on mainnet. This assumes that the other fields are identical as well, which is possible IMO.

A workaround, in case my concern is valid, is to add another net-unique constant, e.g. the chain id, to the signed data.

Curious to hear if others share that opinion.

Token SC is not compiling.

There is a missing variable in the Token SC.
Undeclared identifier: _balances[msg.sender] ...

The reason this happens is related to some changes in the OpenZeppelin SCs introduced in version 2.0.0. In this case it is affected by a private variable instead of the previous internal variable definition.

In openzeppelin-solidity/contracts/token/ERC20/ERC20.sol in line 17 the _balances variable is defined as private.
Private variables can't be inherited or accessed from child SCs. Internal variables can be.

Changing the variable definition from private to internal fixes the issue.

mapping (address => uint256) private _balances;
to
mapping (address => uint256) internal _balances;

ENS support for the Burner Wallet

Current version doesn't support ENS.

As a community venue here @ The Block Cafe, our audience is often more comfortable using theblockcafe.eth than scanning a random QR code.

Thanks for all your work!

Id may be reused, and all transactions could be replayed to empty the signer account

Once a fund is claimed, the fund[Id] entry is destroyed.

Anyone can replay the send() and claim() transactions using the same Id, especially the previous recipient. The old transactions will be valid for the reused Id.

The recipient can initiate a cycle of send() and withdraw() by replaying the first 2 legitimate transactions and empty the signer account.

You should use a nonce attached to each signer to avoid replay attacks, and include the nonce in the signatures in send() and claim(). See EIP1077.

A nonce is also a solution for #13 and #14, since it changes the structure of the signed data and prevents replay attacks.

Weird MetaMask error

When I log out of Metamask and go to either https://xdai.io/ (or localhost:3000 when working locally), the app crashes. Output from developer console is below. Not sure if it's maybe something to do with the WEB3_PROVIDER setting?

!!!!DAPPARATUS~~~~~ {DEBUG: false, POLLINTERVAL: 777, showBalance: true, metatxAccountGenerator: false, onlyShowBlockie: true, …}
dapparatus.js:253 Generating account...
react-dom.production.min.js:3843 Error: Invalid JSON RPC response: undefined
at Object.InvalidResponse (inpage.js:1)
at a.send (inpage.js:1)
at n.accounts (inpage.js:1)
at Dapparatus.eval (dapparatus.js:254)
react-dom.production.min.js:5000 Uncaught Error: Invalid JSON RPC response: undefined
inpage.js:1 Uncaught TypeError: e is not a function

Signer may send a signature valid for both send() and claim()

In send(), the signer signs bytes32 Id, but if the Id is chosen to be equal to keccak256(destination), then the data and signature are identical in send() and claim(): both refer to keccak256(destination) as data.

So the issue is how the Id is generated, and if it is controlled by a third-party, it can be set to a specifically crafted value of keccak256(address_attacker) and submitted to the signer. The signature can then be used by the attacker in claim() after 100 blocks.

Legitimate users are at risk of being robbed by a malicious third party generating the Id on their behalf.

The fix is, for example, to sign keccak(Id, "CONSTANT") instead of Id to make the signed data unpredictable.

when destination.call() fails, funds get destroyed

Hi, in claim(..., address destination) the line destination.call.value(value).gas(msg.gas)() can fail if destination is a smart contract that requires more than msg.gas to execute its fallback function, or simply reverts for other reasons. If it fails, call() returns false, which will still let the transaction succeed. However, the Fund is destroyed by delete funds[id]; and not successfully transferred to destination.

destination.transfer(value) is safer to use as it reverts on failure and costs max. 2300 gas.

Correct me if I'm wrong.
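The fixes proposed across the reports above (sign more than the bare destination, include the chain id, bind a per-signer nonce, stop third parties from choosing the Id, and do not delete the fund when the payout fails) fit together in one contract. The sketch below is an added example in Solidity 0.8, not the burner-wallet Links contract (whose source is not on this page); the contract, function and field names are assumptions, and it also covers the expiry withdrawal requested in the "Expired Message Sends" report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not the burner-wallet Links contract): a hardened send()/claim()
// sketch that addresses the replay, Id-crafting and failed-call issues above.
contract HardenedLinks {
    struct Fund {
        address signer;   // link key that must authorise the claim
        address sender;   // depositor, allowed to withdraw after expiry
        uint256 value;
        uint256 expires;
    }

    mapping(bytes32 => Fund) public funds;
    mapping(address => uint256) public nonces;   // per-signer nonce, bound into the Id
    mapping(bytes32 => bool) public claimed;     // an Id is consumed for good once claimed

    // Signed data is domain-separated (contract, chain id, purpose, Id, destination),
    // so one signature cannot be replayed for another Id, chain, contract or destination.
    function claimHash(bytes32 id, address destination) public view returns (bytes32) {
        return keccak256(abi.encodePacked(address(this), block.chainid, "CLAIM", id, destination));
    }

    function send(address signer, uint256 ttl) external payable returns (bytes32 id) {
        // Id is derived on-chain from signer + nonce: a third party cannot pick it
        // (e.g. set it to keccak256(attacker)) and it is never recycled.
        id = keccak256(abi.encodePacked(address(this), block.chainid, "SEND", signer, nonces[signer]++));
        require(funds[id].signer == address(0) && !claimed[id], "id in use");
        funds[id] = Fund(signer, msg.sender, msg.value, block.timestamp + ttl);
    }

    function claim(bytes32 id, address payable destination, bytes calldata sig) external {
        Fund memory f = funds[id];
        require(f.signer != address(0), "no such fund");
        require(!claimed[id], "already claimed");
        require(recover(toEthSigned(claimHash(id, destination)), sig) == f.signer, "bad signature");
        claimed[id] = true;
        delete funds[id];
        // transfer() reverts if the destination's fallback fails, so the fund entry
        // is only gone when the value has actually moved.
        destination.transfer(f.value);
    }

    // Sender reclaims an expired, unclaimed fund.
    function withdraw(bytes32 id) external {
        Fund memory f = funds[id];
        require(f.sender == msg.sender, "not sender");
        require(block.timestamp >= f.expires, "not expired");
        delete funds[id];
        payable(msg.sender).transfer(f.value);
    }

    function toEthSigned(bytes32 h) internal pure returns (bytes32) {
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", h));
    }

    function recover(bytes32 digest, bytes memory sig) internal pure returns (address) {
        require(sig.length == 65, "bad signature length");
        bytes32 r; bytes32 s; uint8 v;
        assembly {
            r := mload(add(sig, 32))
            s := mload(add(sig, 64))
            v := byte(0, mload(add(sig, 96)))
        }
        if (v < 27) v += 27;
        // Low-s only: rejects the second valid encoding of the same signature.
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "bad s");
        address a = ecrecover(digest, v, r, s);
        require(a != address(0) && (v == 27 || v == 28), "bad signature");
        return a;
    }
}
```

Because the Id is fixed by the contract rather than supplied by the sender, the "Id = keccak256(destination)" collision between send() and claim() data cannot be constructed, and the claimed[] map is a belt-and-braces guard even if an Id were ever seen twice.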

Android 4.1 Browser


It's incredibly important that this wallet works on older browsers. QR code scanning and everything.

Specifically Android 4.1.

Right now I got it working past the SSL part but it loads a blank page.

Reject // Auto-refund // Send-back functionality

To allow for seamless recovery of lost tokens sent to xdai.io (burner wallet), it would be great to have some sort of "Reject" // Auto-refund functionality; in other words, if you send anything but xDAI to this burner address, the smart contract would transfer it back to the sender within n hrs.

On the front end the user shall be notified; he should see some sort of notification with x funds/tokens received with an error (it's not xDAI) and maybe 1) click to refund immediately 2) export private key.

Currently, a user sending n DAI instead of xDAI wouldn't be able to recover it easily even with the private key; he would still need to send a small amount of ETH to the address >> to be able to recover his funds. Too much complexity..

QR Code Scanner

The current QR Code scanner doesn't work on a lot of different browsers.

In particular, Chrome and Firefox.

It would be awesome if we could find a scanner that worked on every browser on mobile and desktop.

Simple and easily translatable descriptions of key features

One thing we might want is a small explanation that can be easily translated for a couple of key things:

  • Basic functionality
    -- Temporary, do not store tokens long term in these wallets
    -- Sending
    -- How to receive
    -- Safely storing funds (cold storage)
  • What burning does
  • What to do with a saved private key
  • The xDai bridge

Explanations should be concise and the use of technical terms should be avoided where possible.
