
How to minimize security issues caused by plugins in a contract wallet

Context:

  1. The wallet uses delegatecall to implement flexible plugins.
  2. A hacker who has stolen your private key must not be able to add malicious plugins that destroy storage slots before social recovery runs (social recovery will never be able to run if some storage slots are destroyed).

Implementation suggestions:

  1. Adding any new plugin must be subject to a 48-hour delayed-confirmation period for the wallet owner (or it can take effect immediately through a joint signature by the owner and the guardian).
    (This prevents a hacker who has stolen the wallet from destroying the storage and causing social recovery to not run as expected.)

  2. The wallet contract needs to add a simulate(calldata) function, where calldata is all the operations that the user will execute (if key storage such as owner, guardian, etc. is modified after executing the user's operation, the specific information that was modified should be reverted). The wallet UI should call this function in advance, before the user executes any operation; if key storage is not modified as expected, the user should be prompted, so that the wallet storage is not destroyed by a bug in a contract wallet plugin.
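
A sketch of both suggestions in one contract, added here as an illustration and not taken from any wallet's code. The contract name, storage layout, `queuePlugin`/`enablePlugin`, the `KeyStorage` error and the `simulate(plugin, data)` signature are assumptions; the owner is assumed to call the wallet directly, the owner-plus-guardian joint-signature path is left out, and the simulation reports key storage through revert data, which is one reading of suggestion 2.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Illustrative sketch only; all names and the storage layout are assumptions.
contract WalletSketch {
    uint256 public constant PLUGIN_DELAY = 48 hours;

    address public owner;
    address public guardian;
    mapping(address => uint256) public pluginReadyAt; // 0 = not queued
    mapping(address => bool) public pluginEnabled;

    // Carries the key storage as it stands after execution out of the reverted call.
    error KeyStorage(bool ok, address ownerAfter, address guardianAfter);

    constructor(address owner_, address guardian_) {
        owner = owner_;
        guardian = guardian_;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Suggestion 1: the owner key alone can only queue a plugin.
    function queuePlugin(address plugin) external onlyOwner {
        pluginReadyAt[plugin] = block.timestamp + PLUGIN_DELAY;
    }

    // The plugin becomes usable only after the 48-hour window has passed.
    function enablePlugin(address plugin) external onlyOwner {
        uint256 readyAt = pluginReadyAt[plugin];
        require(readyAt != 0 && block.timestamp >= readyAt, "delay not elapsed");
        delete pluginReadyAt[plugin];
        pluginEnabled[plugin] = true;
    }

    // Suggestion 2: run the operation through the plugin, then always revert,
    // so nothing persists and the revert data shows what owner/guardian became.
    function simulate(address plugin, bytes calldata data) external {
        (bool ok, ) = plugin.delegatecall(data);
        revert KeyStorage(ok, owner, guardian);
    }
}
```

The UI would invoke `simulate` with `eth_call`, decode the `KeyStorage` revert data, and warn the user when `ownerAfter` or `guardianAfter` differs from the values it expects.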

More context:
https://twitter.com/cejay519/status/1637494675845287936?s=20