As security geeks, we wanted a local Ethereum wallet with a small attack surface, a front-end easy enough for non-technical users to use securely, and hardware wallet support. None of the existing options met our needs; for instance:
Mist still runs Chromium 54, which was released in October 2016, so it is exposed to every Chromium vulnerability fixed since then. This recently forced the Mist team to issue a severe security alert: https://blog.ethereum.org/2017/12/15/security-alert-chromium-vulnerability-affecting-mist-browser-beta/. Worse, Mist runs without Chromium's renderer sandbox, so many high-severity Chromium bugs become critical bugs in Mist that can lead to full system compromise. Mist's advice is "don't browse to untrusted websites", but it's unclear that non-technical users can follow this advice in practice, since Mist's Electron interface makes browsing to untrusted websites easy.
MetaMask lacks hardware wallet support. https://github.com/MetaMask/metamask-extension/issues/717
wallet.ethereum.org is a remote website with weak XSS protection, since it defines no Content Security Policy. Furthermore, a website's code has weaker integrity guarantees than a packaged app's: it is not signed or versioned, so whoever controls the server can change it at any time without users noticing. Thus an attacker only needs to compromise the wallet.ethereum.org web server in order to compromise its users' wallets. In addition, website-based wallets are prone to phishing attacks.
Same with MyEtherWallet, although they now have a Chrome extension. However, it's unclear to what extent the extension is stable or recommended. (See https://github.com/kvhnuke/etherwallet/issues/1406#issuecomment-352719852 for instance.)
Parity runs a local web interface. This is a great approach, but their app is not code-signed and, on macOS, was previously downloaded over plain HTTP (https://github.com/paritytech/homebrew-paritytech/issues/65). It is also not the most friendly tool for non-technical users, since it requires downloading a command-line tool (https://paritytech.github.io/wiki/Setup) and running terminal commands.
This state of affairs was concerning to us. You shouldn't have to be a security expert in order to have a secure Ethereum wallet!
What it does
We integrated an Ethereum wallet in Brave browser (https://brave.com). All you have to do is install Brave and flip a switch to get a secure, local Ethereum wallet.
- 1-click wallet creation
- Launch the wallet directly from the Brave toolbar
- 1-click shortcut to transfer funds from the ETH wallet into Brave's builtin BAT wallet
- Keys are only stored client-side
- Uses geth light sync by default, so you're synced in minutes (or even seconds if you're not on the ethdenver wifi).
- Supports hardware wallets like Ledger and Trezor
- Uses a strict Content-Security-Policy to defend against XSS (no inline scripts except those that are hash-whitelisted, no remote connections except to https://min-api.cryptocompare.com https://mini-api.cryptocompare.com)
- All open source
- Brave is up-to-date with the latest upstream Chromium release and enables sandboxing on all platforms
- Automatically watches BAT token contract
How we built it
We added three main new components to Brave:
- a geth binary, which is run as a subprocess of Brave. It is downloaded during the Brave build process.
- a slightly-modified version of the wallet.ethereum.org front-end (which is also used in Mist): https://github.com/ethereum/meteor-dapp-wallet. Our fork is published as an open-source NPM package from https://github.com/brave/meteor-dapp-wallet-prebuilt and downloaded during the Brave build process.
- a Brave extension which implements the local ETH wallet UI and the toolbar shortcuts.
This is all implemented in https://github.com/brave/browser-laptop/pull/13177.
Challenges we ran into
The wallet.ethereum.org front-end is built on Meteor, which was troublesome to use in a serverless Brave extension context. We had to patch it to work in chrome-extension:// contexts (Brave extensions use the same protocol as Chrome extensions). We also had to insert some hacks to make it possible to launch the 'Send Funds' page from a button click with a pre-populated address, since Meteor doesn't allow navigating to a route unless the main app page is already loaded.
We had some trouble at the end with launching geth account creation as a subprocess and passing in the user's wallet password securely. We also couldn't get Ledger Nanos to work with testnet.
Accomplishments that we're proud of
Above all we're proud to have a wallet that is basically functional and hassle-free to set up. We are especially proud that we were able to create a more secure wallet than existing solutions like wallet.ethereum.org and Mist by applying a content security policy, loading the code in a client-side package (that will eventually be code-signed when it's released as part of Brave browser), and rendering the web app in a sandboxed context that is up-to-date with Chromium. We are also proud that the app doesn't require users to download any command-line tools or understand the inner workings of geth. We hope this will allow users of diverse backgrounds to get started with using secure hardware Ethereum wallets.
Finally, as creators and users of Brave, we are super excited that Brave will have a builtin Ethereum wallet, hopefully making secure cryptocurrency management more accessible to folks who are already using Brave.
What we learned
We learned a lot about packaging geth and running it as a subprocess. We also learned how to write Brave extensions and include HTML files from an NPM package. In the process of coming up with this project, we learned some new things about security weaknesses in existing Ethereum wallets.
What's next for best ethereum wallet ever
We want to improve upon the wallet.ethereum.org UI by updating our fork of it to the latest web3, doing user studies, and figuring out how to make the UI more friendly for newbies. We also would like to build in wallet support for other cryptocurrencies, starting with Zcash. We also need to build in localization for non-English speaking users.