Introduction
Mybucks.online is a password-only, self-custodial cryptocurrency wallet. It generates a private key from your password using an industry-standard, verified one-way hash function. Your private key forms your account, allowing you to transfer, receive, and hold your crypto assets permanently.
To further enhance security, it utilizes the scrypt Key Derivation Function (KDF). This mechanism increases the computational effort required to crack passwords, effectively delaying brute-force attacks and making them impractical.
It runs entirely in your browser, without using any storage or calling any third-party APIs for key management. It generates your private key from your password input on the spot, and when you close or refresh the page, no footprint remains. This absolutely protects your privacy.
How it works
The password is the primary field used to generate a private key and create your account. To avoid password duplication among users, we have also introduced a shorter secondary field called the passcode, which is about 6 characters long.
By combining the password and passcode, we can achieve strong randomness, ensuring the safety of your account. Additionally, the passcode serves as a confirmation step when backing up your credentials or transferring assets.
Key generation
The minimal JavaScript code used to generate a private key from password and passcode inputs is shown below. You can generate your private key directly without using mybucks.online.
Here, the password is a traditional input that must be at least 12 characters long and include a combination of lowercase letters, uppercase letters, numbers, and special characters. The passcode is a shorter input, at least 6 characters long, used to prevent account duplication due to password reuse and also as a confirmation for secure areas.
    import { Buffer } from "buffer";
    import { ethers } from "ethers";
    import { scrypt } from "scrypt-js";

    // ABI encoder used to wrap the hash string before keccak256 (ethers v6)
    const abi = ethers.AbiCoder.defaultAbiCoder();

    const HASH_OPTIONS = {
      N: 32768, // CPU/memory cost parameter, 2^15
      r: 8, // block size parameter
      p: 5, // parallelization parameter
      keyLen: 64, // length of the derived hash in bytes
    };

    async function generatePrivateKey(password, passcode) {
      // The salt is built from the last 4 characters of the password plus the passcode
      const salt = password.slice(-4) + passcode;
      const passwordBuffer = Buffer.from(password);
      const saltBuffer = Buffer.from(salt);

      const hashBuffer = await scrypt(
        passwordBuffer,
        saltBuffer,
        HASH_OPTIONS.N,
        HASH_OPTIONS.r,
        HASH_OPTIONS.p,
        HASH_OPTIONS.keyLen,
        (p) => console.log(Math.floor(p * 100)) // progress in percent
      );

      // Hex-encode the scrypt output, ABI-encode it as a string, then hash with keccak256
      const hashHex = Buffer.from(hashBuffer).toString("hex");
      const privateKey = ethers.keccak256(abi.encode(["string"], [hashHex]));
      return privateKey;
    }
You can find the code here. You can download the repository and execute it on your local machine as a backup for account generation.
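The scrypt stage of the derivation above, as an added example that is not the project's own code: it uses Node's built-in crypto, enforces the input rules stated on this page, and shows that the output depends only on the two inputs and how much memory one derivation needs. The function names and sample credentials are assumptions, and the final keccak256 step is left out because it requires ethers.

```javascript
// Added example (Node.js built-in crypto only); function names are hypothetical.
const { scryptSync } = require("node:crypto");

// scrypt parameters copied from the page's HASH_OPTIONS.
const HASH_OPTIONS = { N: 32768, r: 8, p: 5, keyLen: 64 };

// Input rules as stated on the page: password >= 12 characters with
// lowercase, uppercase, digit and special character; passcode >= 6.
function inputPolicyErrors(password, passcode) {
  const errors = [];
  if (password.length < 12) errors.push("password shorter than 12");
  if (!/[a-z]/.test(password)) errors.push("password lacks lowercase");
  if (!/[A-Z]/.test(password)) errors.push("password lacks uppercase");
  if (!/[0-9]/.test(password)) errors.push("password lacks digit");
  if (!/[^A-Za-z0-9]/.test(password)) errors.push("password lacks special");
  if (passcode.length < 6) errors.push("passcode shorter than 6");
  return errors;
}

// Approximate working memory of one derivation: 128 * r * (N + p) bytes.
function scryptMemoryBytes({ N, r, p }) {
  return 128 * r * (N + p);
}

// Same salt rule and parameters as generatePrivateKey() on the page.
// Returns the 64-byte scrypt output as hex (hashHex in the page's code).
function scryptStageHex(password, passcode) {
  const errors = inputPolicyErrors(password, passcode);
  if (errors.length > 0) throw new Error(errors.join("; "));
  const salt = password.slice(-4) + passcode;
  const { N, r, p, keyLen } = HASH_OPTIONS;
  return scryptSync(Buffer.from(password), Buffer.from(salt), keyLen, {
    N, r, p,
    // Node's default maxmem (32 MiB) is too small for N = 2^15, r = 8.
    maxmem: 2 * scryptMemoryBytes(HASH_OPTIONS),
  }).toString("hex");
}

// Constructed sample credentials, for demonstration only.
const a = scryptStageHex("Correct-Horse-42!", "731905");
const b = scryptStageHex("Correct-Horse-42!", "731906");
console.log("deterministic:", a === scryptStageHex("Correct-Horse-42!", "731905"));
console.log("passcode changes output:", a !== b);
console.log("memory per derivation (MiB):", scryptMemoryBytes(HASH_OPTIONS) / 2 ** 20);
```

Because the salt is built from the inputs themselves, nothing besides the password and passcode is needed to reproduce the hash, which is why the strength of those two inputs carries the whole derivation.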
Security Audit
Secure3 is a battlefield where elite auditors compete to safeguard Web3 innovations against security threats. They have provided security audits for over 140 projects, including zkSync, Polkadot, and more!
All findings have been successfully resolved and published on their site. The audit report can be found here: https://app.secure3.io/5c92d55acd
Links
Website: https://mybucks.online
Wallet: https://app.mybucks.online
GitHub: https://github.com/mybucks-online
Docs: https://docs.mybucks.online
Mybucks.online History
- Accepted into GG22 OSS - dApps and Apps 1 month ago.