[OPEN SOURCE] Serverless Anon Web Wallet

[coinableS]

Wanted to share something I have been working on and using for small casual sums.

100% FOSS free and open-source HD web wallet, FastWallet.

Source: https://github.com/fast-wallet/fastwallet
Live Demo: https://coinables.github.io/fastwallet
YouTube: https://www.youtube.com/watch?v=Egt-BWDNkKs

An instant non-custodial HD bitcoin web wallet that runs in your browser. Serverless, nomadic, privacy-focused throwaway bitcoin wallet. Instantaneous use! No sign up process, no wallet setup process or upfront back up.

Some key notes:

- Be aware this is a serverless web wallet with your private keys stored in the browser! YIKES! You probably shouldn't use this wallet for significant sums.   
- This wallet uses public APIs like Blockchain and Blockchair for UTXO data and they probably track your IP! Use a VPN.   
- Your keys are ONLY stored on YOUR device's temporary internet files. If you don't save your back-up mnemonic and you clear your browser cache you will lose access to your funds permanently.     

FastWallet is a serverless bitcoin web wallet I built for casual/throwaway use cases. Similar to throwaway email accounts a throwaway wallet is temporary and anonymous for when you don't want transactions to mingle with your primary wallet(s). Although it is an HD wallet the wallet is limited to only 21 addresses, when you use up all 21 addresses just start a new wallet, although you are not prevented from re-using addresses if you wish(not recommended). The 21 address limit is to prevent a bloated wallet with too many addresses that will exceed free API usage limits, and to avoid any look-ahead gap issues if you attempt to recover on another device that support BIP84 deterministic wallets.
 

This is free and unencumbered software released into the public domain.

Anyone is free to copy, modify, publish, use, compile, sell, or distribute this software, either in source code form or as a compiled binary, for any purpose, commercial or non-commercial, and by any means.

[ABCbits]

- This wallet uses public APIs like Blockchain and Blockchair for UTXO data and they probably track your IP! Use a VPN.

I checked the live demo and saw there's network access to wss://api-pub.bitfinex.com/ws/2, did you forget to mention it?

[coinableS]

- This wallet uses public APIs like Blockchain and Blockchair for UTXO data and they probably track your IP! Use a VPN.

I checked the live demo and saw there's network access to wss://api-pub.bitfinex.com/ws/2, did you forget to mention it?

Ahh yes a simple websocket in order to grab the current exchange rate.

The disclosure related to Blockchain and Blockchair API is related to privacy and associating addresses and UTXOs with an IP address.

The websocket connection for the exchange rate on the other hand, does not include any address, UTXO data. Simply just grabbing the US dollar exchange rate.

[DaveF]

Is the 20 address arbitrary or is the there a programming reason you have that limit?
And is there a way to show the private key for a particular address instead of revealing the seed words?

Either way VERY cool project.

-Dave

[coinableS]

Is the 20 address arbitrary or is the there a programming reason you have that limit?
And is there a way to show the private key for a particular address instead of revealing the seed words?

Either way VERY cool project.

-Dave

Thanks Dave!

The 21 address limit is for two reasons:
1) Unleashing the full potential of an HD wallet could lead to an enormous amount of addresses in a wallet which will exceed public API usage limits. Blockchair for example uses a point/cost system. Larger requests "cost" more and you will hit your limit with larger requests.
2) Most HD wallets have a look-ahead gap of around 20. Without a limit users could potentially create 30 addresses (for example)in a keychain and then send funds to the 30th address which may go unnoticed if they try to recover on a wallet that has a look-ahead gap less than 30. To the user it may appear like they have lost funds when attempting to recover from the mnemonic, when in reality the wallet just can't see it due to the look-ahead gap issue.

If you are an advanced user and want to get the WIFs simply typing `fkarr` in the browser console will reveal the 21 private key array. They are in respective order with the address array named `farr`.

[dkbit98]

I like how youtube video you posted is saying that this is Worlds Most Dangerous Bitcoin Wallet 
This wallet could be useful for fast and small transactions, but I would never recommend it to any newbies and people who always click, open and download on any email links they receive.

Question for @coinableS: Is it possible to make a version of this wallet that work with Bitcoin testnet, and can we can manually set fees for sending transactions or not?

[coinableS]

The websocket connection for the exchange rate on the other hand, does not include any address, UTXO data. Simply just grabbing the US dollar exchange rate.

I see, but IMO it's better mention the live demo access several 3rd party website (bitfinex for exchange rate and google for font) for optional feature.

Thanks! I didn't even think about the font dependency in the bootstrap CSS file. Definitely don't want that. I'm going to remove that ASAP. Also I'll make a note of the use of bitfinex's websocket for exchange rate.

I like how youtube video you posted is saying that this is Worlds Most Dangerous Bitcoin Wallet 
This wallet could be useful for fast and small transactions
...<snip>...
Question for @coinableS: Is it possible to make a version of this wallet that work with Bitcoin testnet, and can we can manually set fees for sending transactions or not?

Right, designed to be a throw-away wallet, similar to throw away email.

It could be converted to testnet but I have not done it.

[BlackHatCoiner]

Excuse me from asking, but why would anyone want to use this? You've said that the wallet uses public APIs and so, your IP can be tracked, that the users should be extremely cautious etc. You've literally called it the most dangerous wallet, and it's true. There are many things you should be aware of such as your browser extensions, programs that have access to your browser etc.

Sure, it might was a good exercise to code it, but to serve it as a "fast & anonymous wallet"? I think it's just bad. Benignly.

[DaveF]

Excuse me from asking, but why would anyone want to use this? You've said that the wallet uses public APIs and so, your IP can be tracked, that the users should be extremely cautious etc. You've literally called it the most dangerous wallet, and it's true. There are many things you should be aware of such as your browser extensions, programs that have access to your browser etc.

Sure, it might was a good exercise to code it, but to serve it as a "fast & anonymous wallet"? I think it's just bad. Benignly.

It's just about as anonymous as you are going to get.
You can download and run it locally and connect to any public Wi-Fi
Someone can send you BTC and there is never a wallet on your PC so to speak.
You can then send it to a mixer and once you clear your browser cache it never existed.

-Dave

[coinableS]

Excuse me from asking, but why would anyone want to use this? You've said that the wallet uses public APIs and so, your IP can be tracked, that the users should be extremely cautious etc. You've literally called it the most dangerous wallet, and it's true. There are many things you should be aware of such as your browser extensions, programs that have access to your browser etc.

Sure, it might was a good exercise to code it, but to serve it as a "fast & anonymous wallet"? I think it's just bad. Benignly.

First of all, this is a Project Development board, not a Service Announcement. So I'm not asking anyone to use it -- I'm sharing an open source project.

Second, you can't come up with a reason why someone would want a single-page open source instantaneous web wallet without setup or registration that they could run from their own machine? Hmm... that doesn't seem sincere but okay.

As someone who develops browser extensions I can say that I'm aware of their localStorage access capabilities and their risks. I can also say almost all the same things about desktop wallets.  Seems rather naïve to be coming from someone with "BlackHat" in their name but your IP will be also leaked using a desktop wallet to the wallet server, and malware may steal your keys stored on your PC.

[BlackHatCoiner]

Second, you can't come up with a reason why someone would want a single-page open source instantaneous web wallet without setup or registration that they could run from their own machine? Hmm... that doesn't seem sincere but okay.

For someone who doesn't want to install any software, it's definitely useful, but I'm trying to find one case where a Bitcoin user has no wallet software installed already. Unless that's for a person who's never used Bitcoin before.

Seems rather naïve to be coming from someone with "BlackHat" in their name but your IP will be also leaked using a desktop wallet to the wallet server, and malware may steal your keys stored on your PC.

Sure, I don't disagree, I'm just saying that it introduces more risks, such as the browser extensions that I mentioned, the reliability to the browser that is used (if it's closed source), the less variety of nodes available to broadcast the transaction (as they're only those with APIs), the use of javascript for randomness generation which is not recommended for a number of reasons.

Then, it's the reputation of the software; yours is something new and judging from the 1.83 MB js file, I don't have the time to check what is the back end doing.


Again, I don't criticize you. You made your software and that's good for you. All I'm saying is that I don't find serious utility, especially given the above risks.