OTP Wallet / 1wallet v16.3 Release Note

Date: Jan 13, 2024

Key updates:

• Standalone app on iOS / macOS / Android (as PWA)
• Customizable wallet duration, name, limit
• Contacts management (address book)
• NFT rescue tool for compromised EOA wallet
• Bug fixes and UI improvements

Details

Standalone app

You can now install the wallet app as a standalone app on macOS, iOS, and Android. This solves a major issue on iOS / macOS, that the browser sometimes automatically deletes all wallet data if you don't visit the site for 7 days. As standalone apps, the wallets are guaranteed to be permanently stored and won't be auto-deleted by the browser or the operating system.

To install the standalone apps, go to app.otpwallet.xyz (or 1wallet.crazy.one for Harmony special version), then

• on macOS: (use Safari or Safari Technology Preview) click the share icon on the top right of the browser, then click "Add to Dock". After that, close the browser window. You can now launch the wallet app as a standalone app from the dock.

  

• on iOS: (use Safari) click the share button in the buttom, swipe up (scroll down) on the share sheet, click "Add to Homescreen". After that, close the browser window. You can now launch the wallet app as a standalone app from the home screen, and you can find the app in search bar, just like any other app you installed from App Store.

  

Here is how the iOS app looks like on the home screen, after installation:

How the macOS app looks like:

How the iOS app looks like:

Customizable wallet

You can now configure your wallet name, lifespan, spending limit, and recovery address before you create the wallet. To do that, click "Customize" button at the bottom of wallet creation screen. Choose desired wallet name and lifespan before scanning the QR code using your authenticator. After you confirm your authenticator's verification code, you will be able to change spending limit and recovery address in the next screen.

Contacts

You can now manage and label addresses in the "Contacts" page. You may click on any address to edit its label, or add new contact from the top of the page. If you have a large number of contacts and want to search for a particular address, you may use the address format switcher to make the search easier.

NFT Rescue Tool

This tool is designed for victims whose wallet got drained by hackers and have a drain-bot attached to the wallet. The victim still has NFTs left in their wallet, which they want to move to other wallets. Victims are unable to do anything by themselves because when a drain bot is attached to the victim's wallet, any fund sent to that wallet will be quickly transferred to a hacker's wallet, causing victim's transactions to fail for unable to pay gas.

In other words, it makes you spam NFT transactions faster than the hacker who is draining your wallet. This tool will be made available for other networks in the future, such as on Ethereum.

Bug fixes and UI improvements

• Renamed Recovery tab to "Safety" on wallet page
• Removed duplicate wallet connect tools
• Fixed wallet connect icon distortion issue on wallet page in Safari
• Added recommended authenticators and their download links in mobile wallet creation page
  • Google Authenticator
    • iOS: https://apps.apple.com/us/app/google-authenticator/id388497605
    • Android: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
  • Raivo (iOS): https://raivo-otp.com/
  • Aegis (Android): https://getaegis.app/
• Added QR code format switcher on wallet creation page
• Added hex-equivalent address display in more address input boxes
• Fixed NFT IPFS gateway, now photos and metadata are displayed properly
• Fixed mobile viewport and responsiveness issues, so pages are no longer displayed with 900px+ width
• Fixed various links and names

OTP Wallet / 1wallet v16.2 Release Note

Date: Jan 7, 2024

Key updates:

• WalletConnect integration
• Auto-fill OTP code on iOS / macOS
• Built-in Recovery File Cloud Backup
• Password manager / Apple Keychain integration
• New site (app.otpwallet.xyz) and upcoming multi-chain support
• Multi-branding deployment
• New private RPC - Substantially improved speed, decreased failure rate
• Cleaned-up UI. Removed dysfunctional integrations (daVinci, Sushiswap)

Details

WalletConnect integration

Now the wallet can be used at any dApp that supports WalletConnect (e.g. Multisig / Safe, Swap, .country, and others). To use a wallet for WalletConnect session, click the WalletConnect icon in your wallet, or go to "Tools" and find WalletConnect there. Past the session link or scan WalletConnect QR code to start a session.

Auto-fill OTP code on iOS / macOS

Now you can use the built-in autofill feature from iOS / macOS to automatically fill in your 6-digit OTP code for any operation. To enable that, you need to signup for an account when you create the wallet, let your browser automatically save the account with password, then follow the instructions on the prompts to save the verification code to that account. After this is done, whenever you click the input box for entering OTP code, you will be able to see the option to let your browser automatically fill-in the 6-digit code

Built-in Recovery File Cloud Backup

You can backup your recovery file under "Recover" tab - click "Cloud Backup" and login your account to proceed. If you do not have an account (signed-up at wallet creation), you can still create an account there, but the account would not have the OTP code autofill capability. You can find all your backups in "Backup" page in the sider menu.

This service is provided free-of-charge, but in the future a small subscription fee will be required.

Password manager / Apple Keychain integration

When you sign up an account (either at wallet creation stage, or at "Recover" tab), it is recommended to let your browser automatically generate a password for you. This ensures the smoothest experience in macOS, iOS, Chrome, and Brave, especially if you want to use the OTP autofill feature on macOS or iOS.

New site and upcoming multi-chain support

New website (app.otpwallet.xyz) and documentation are work-in-progress. Soon, the wallet will be available on multiple blockchains such as Polygon, Base, Arbitrum, Avalanche

Multi-branding deployment

Future multi-chain deployments will be at app.otpwallet.xyz. The original 1wallet (i.e. Harmony deployment) that prioritize Harmony dApps and integrations will always be available at 1wallet.crazy.one. We may also deploy other versions that are optimized for other blockchains in the future.

New private RPC

All wallet transactions from now on, including those from the relayer and the client, will be conducted via modulo.so's validator network and private RPC nodes, which have much lower latency than the public RPC nodes provided by Harmony. This ensures smooth user experience and transactions even when the blockchain is in high usage.

Cleaned-up UI

• Renamed Collectible to NFT
• Removed "Swap" tab temporarily since it is based on Sushi Swap, which is no longer actively operated on Harmony
• Moved QR Code feature under "About" tab.
• Improved text explanations in Restore page. Now it is simpler and makes more sense
• Added equivalent hex address under address bar for "Call" feature
• Various other small improvements

1wallet v16 release notes

This update (April 5, 2022) includes two security patches, the staking feature, the transaction viewer, several developer libraries, and better test coverage and utilities.

Related issues:

• staking
• transaction viewer
• reliable relayer
• medium-severity security patch
• high-severity security patch
• event parsing library
• command library
• test utilities and token tests

Feature updates

1. Staking and Earn Rewards: Staking enables you to earn reward in ONE over time using funds in your wallet. You can now delegate your funds to any validator on Harmony network. A "Staking" button is added to the main UI of the wallet. To stake, you need to find a validator to delegate your funds to. You can get a list of validators from Harmony Staking Dashboard.

   • Delegated funds are deducted from the wallet's balance
   • Delegated funds earn you reward every epoch (~18 hours). You can collect the reward from the staking UI.
   • You can undelegate your funds at any time. Undelegation takes 7 epochs (~5 days) to complete. When it is complete, the funds will be returned to the wallet.
   • Redelegating funds after undelegating only requires you to wait until the next epoch, which takes a maximum of ~18 hours, instead of 7 epochs (~5 days).

2. Transaction Viewer: You can now view historical transactions of your wallet using the "History" tab.

   • Each operation needs to be committed first, before they are executed. Thus, there are at least two transactions per operation. The "commit" transactions are shown in grey color.
   • Wallet emits some events during each successful operation. The events correspond to operations performed during each transaction.
   • Approximate amounts are displayed for events involving transfer or staking some amount of ONE or ERC-20 / ERC-1155 tokens.
   • Human-readable event names are shown for each transaction. They are decoded from the "logs" of the transaction, which can also be viewed in "Logs" section in the Harmony explorer. You can view the transaction in the explorer using the link provided in "TxHash" column.

3. More Reliable Transactions: In prior versions, users sometimes experience transaction failures during peak usage times. In extreme cases, all subsequent transactions become stuck after some transactions fail to execute. Although there were many reasons behind the failure (such as congestions in the underlying RPC nodes, or the blockchain itself), we improved the relayer so that:

   • the transactions are spread out across multiple relayer accounts, so failures or dropped transactions in one account would not affect transactions executed from other accounts, and
   • the transactions are automatically retried at higher gas price

   These improvements allow the relayer to scale horizontally to handle arbitrary amount of peak-time usage, and user experience will be significantly improved as a result.

Security Patches

v16 fixed two issues.

Batch Operation Security Circumvention

The first is that some v15 wallets users may be able to execute some operations using only a single auth code (6-digits) instead of six auth codes (6x6-digits) if they wrap the operation (that would otherwise require six auth codes) inside a BATCH operation. The BATCH operation allows arbitrary number of operations to be wrapped inside, but it only requires a single auth code to execute. See issue 276 for more details. V16 fixed this issue by limiting the operations BATCH is allowed to wrap around.

Authentication Parameter Reuse

The second issue is reveal-authentication parameters may be reused across upgraded wallets and its prior versions (which allow same authentication parameters to execute a transaction). This is documented in issue #253 and #278. V16 fixed this issue by preventing wallets of prior versions (with a minimum version of v16) to execute any transaction by itself. It can only perform operations when it is commanded by the latest upgraded wallet (which wallets of prior versions point to). Note that this patch does not affect the behavior of wallets prior to v15, because their smart contract code remains immutable.

For most users, this issue poses little risk because all assets are already migrated out from their wallets of prior versions. For users who use wallets of prior versions in an app (such as Harmony Multisig) and actively use the upgraded wallet (i.e. storing assets or performing transactions), this would pose significant risk because an attacker could read the EOTP submitted to the blockchain in one version, and re-use the EOTP in the other version, therefore:

• use the upgraded wallets (to move assets or make transactions) while the user performs operations in wallets of prior versions (e.g. authorize a multisig transaction), or
• use the wallets of prior versions (e.g. authorize a multisig transaction) while the user uses the upgraded wallets (to move assets or make transactions)

In either case, the attacker could potentially cause significant harm to the user by executing arbitrary, unintended operations. Therefore, it is highly recommended that any user who uses wallets of prior versions in an app should:

• upgrade their wallet to 16.1
• immediately unlink the wallet of prior version from their app, and link the latest upgraded version (>= 16.1) instead.
• For example, in the case of Harmony Multisig, it means to remove the wallet of prior version from the list of owners.

Technical notes

v16 made significant technical improvements, which may be of interest to developers who are building tools for the wallet, are using it as wallet infrastructure, or considering to integerate the wallet into their app.

Event Parsing Library

Events can now be parsed from transaction receipts (obtained from standard eth_getTransactionReceipt RPC calls or web3 libraries) using this library, which is located at code/lib/parser.js. See code/client/src/pages/Show/TransactionViewer.jsx for usage examples, and issue #277 for the purpose of this library.

Command Library

When COMMAND operation was introduced in v9, it was rarely used. With the introduction of the security patch in v16 (see above, "Authentication Parameter Reuse"), COMMAND will become a frequently used operation. However, converting an operation into a COMMAND operation is non-trivial. The parameters in the reveal operation must be transformed completely, and the wallet address which the transaction is originally issued to must also be changed. The challenges and solutions are documented in detail at issue #278. The library introduced in v16 can be found at code/lib/api/command.js. The transformations and usage examples can be found in code/lib/api/flow.js:L447 (SecureFlowsV16), and tests in code/test/command.js

Test Framework and Token Tests

A slew of test utilities are introduced in v16, followed by a new testing framework, thanks mostly to the work of @johnwhitton. Based on this framework, we now have complete test coverage for token related operations. See the README notes in testing framework.

Backward compatibility

v16 will be fully compatible with v15. There is no change in relayer parameters or smart contract interfaces.

1Wallet v15 release notes

This update provides substantially enhanced security, usability, and functionalities.

Major updates

1. Wallet address in authenticator: 1wallet address and creation time are now part of the authenticator account name.
   • Example: Movie Wood 21-12-24 16:27 [one1397exhkl6t55z2w5ff6z9np0pw6vmydhy8uzd0]
   • Only two random words are now used for the wallet's name.
   • The format is [word1] [word2] [YY-MM-DD HH:mm] [one1... address]. Time is local.
2. Restore 1wallet without exposing seed QR Code: 1wallets created since v15 can be recovered by providing 6 consecutive authenticator codes ("6x6 auth codes"), plus a recovery file. Using this method, the user must setup a new authenticator code in the process.
   • The recovery file contains no sensitive information and it can be safely stored anywhere, even publicly.
   • The recovery file is available for download at any time, but is only available for 1wallets created since v15.
3. Restore 1wallet without address: Restoring a 1wallet created since v15 no longer requires an address to be provided explicitly.
4. Restore 1wallet using local import/export: Local import and export processes (using .1wallet files) are redesigned to make cross-device synchronization easy and seamless.
5. Restore 1wallet using JSON export: 1wallet can be restored using JSON exports produced by 1wallet batch restoration tool (see Technical Notes below)
6. Adjustable spending limit 1wallets created since v15 can increase or decrease its spending limit, without requiring the user to create a new wallet. Depending on the amount, the operation may require a simple 6-digit auth code, or 6x6 auth codes.
   • Spending limit can be increased to up-to 2x the current limit plus 1.0 ONE, per spending limit interval (1 day by default)
   • Spending limit can be decreased to any amount (including 0 ONE) at any time (no time restriction)
   • Spending limit can be restored to the wallet's all-time-high limit, with 6x6 auth codes. (no time restriction)
   • Example: a wallet starts with 1000 ONE limit per day. The user then increases its limit to 2001 ONE (using simple 6-digit auth code). The user then decides to lower the limit to 100 ONE (again using simple 6-digit auth code). Now, if the user wants to increase its limit to 200 ONE, it must uses 6x6 auth codes, because the user has to wait for a day to increase the limit using simple 6-digit code. But if the user waits for a day, he can again change the limit to 200 ONE using simple 6-digit code. However, if he wants to change the limit back to 1000 ONE or 2001 ONE, he would need to use 6x6 auth codes.
7. Verifiable 1wallet contract: 1wallet is now verifiable through a smart contract function
   • External services may use this to verify whether an address is a 1wallet or not
   • Users and apps could use this to check the on-chain code integrity of their 1wallet.
8. More secure renewal: Renewing 1wallet created since v15 requires 6 consecutive authenticator codes (36 digits in total).
   • The user may optionally setup a new authenticator code after renewal.
9. Unlock v15 features with renewal: 1wallets created before v15 are deemed "created since v15" if the 1wallet is renewed after v15.
   • Only normal 6-digit code is required if it is the first time the 1wallet is renewed after v15.
10. Promptly displayed spending limit: Spending limits and remaining limits are now promptly displayed on wallet home screen.
11. Promptly displayed errors: When an operation fails, errors are promptly displayed as notifications. The user will not be misinformed with a simple "Done" message (indicating success) as they were in v14 or before.
12. Fast transactions: Substantial improvements were made in relayer and client contract calls. Transactions are now executed a lot faster.

Technical notes

1. Batch restoration tool: A batch 1wallet restoration tool (based on command line) is available at https://github.com/polymorpher/1wallet-qr-parser, designed for people who have too many authenticator accounts to manually deselect non-1wallet accounts.
   • Please use this tool offline to avoid security risks and hacks, and delete all generated images and QR codes promptly after the use.
2. Predictable address: 1wallet addresses are now predictable upfront (following EIP-1014 CREATE2 standard) and its code integrity is now verifiable.
   • The address depends on only the current version and the authenticator seed.
   • Several factory smart contracts are made available, responsible for creating and verifying 1wallets.
   • The bytecode of 1wallet can also be retrieved from those smart contracts.
3. Public key / seed as private key: An ECDSA public key is generated using the authenticator seed as the private key.
   • Thus, authenticator seed is now randomly generated for 32 bytes, instead of 20 bytes.
   • The public key is stored on the 1wallet smart contract as an identifier key, which is used for code integrity verification and various other purposes.
   • The private key may used in the future for special purpose operations (e.g. operate the wallet after expiry time)
4. Enhanced security: 1wallet operations are now divided into normal operations and sensitive operations. Sensitive operations require 6 consecutive authenticator codes to authorize.
   • The concept of "core" and "recovery core" are introduced and documented on 1wallet smart contract. They are responsible for verifying normal and sensitive operations, respsectively.
   • Each core or recovery core contains security parameters which authenticator codes will be verified against.
5. "Core" parameters: "Core" is used for verifying EOTPs resulted from a regular 6-digit authenticator code input. "Recovery Core" is used for verifying EOTPs resulted from 6 consecutive authenticator codes (36-digits)
   • "Core" and "Recovery Core" can be accumulated (e.g. by recovery via 6 consecutive authenticator codes, or by extending life).
   • For any EOTP input, it will be verified against all cores of the same type accumulated so far, and the EOTP is considered correct as long as it matches one core.
   • Cores cannot be removed as of now, but their setup time can be viewable so the user can check whether a new core is added unknowningly to the user.
6. More Merkle trees: 1wallets created since v15 generate 7 OTP merkle trees instead of 1 (as before v15).
   • The 6 new OTP merkle trees are for recovery purposes.
   • Each OTP merkle tree corresponds to a "core" as mentioned earlier.
7. Sensitive operations: Three operations are considered sensitive at this time
   • Adding a new core (used in "Renew" and "Restore"), because if it is the attacker who did it, they would gain prolonged access to the wallet
   • Adjusting spending limit to be more than 2x of the current limit (but no more than historical maximum of the 1wallet), because an attacker could potentially steal a large sum of money after adjusting the limit, even if the user intended to freeze the 1wallet (by setting limit to 0).
   • Permanently forward assets beyond spending limit to another 1wallet (used in "Upgrade" feature), but without an recovery address. This is because normally only assets up to spending limit would be forwarded, and the remaining amount needs to be approved by using the recovery address to send 0.1 ONE to the 1wallet. Without an recovery address, the operation becomes very sensitive since the user could potentially lose all their assets if it is the attacker who executed the operation.

Backward compatibility

1. 1wallet web client (1wallet.crazy.one) and relayer will be fully compatible with older verions of 1wallet.
2. Apps relying on 1wallet relayer must decide which version they want to use, and (1) either add the new parameters required for /create API calls (to create new 1wallets) for v15 compatibility, or (2) switch endpoints to a v14 URL.
   • Apps wish to continue to create v14 1wallet must use a new endpoint at v14relayer.onewallet.hiddenstate.xyz.
   • Apps whose existing 1wallets are based on older versions (including v14) can continue to rely on v15 endpoints such as /commit and /reveal without any change, provided that (1) they use 1wallet core library (Javascript) for REST requests, or (2) already use appropriate headers (X-MAJOR-VERSION and X-MINOR-VERSION) or body parameters (majorVersion and minorVersion) if they use custom implementations.

Next updates (minor versions)

In the minor updates of this major version (v15), we will add integration with built-in authenticator provided since iOS 15, macOS Monterey, and Safari 15. We will also add email/password as an option to the user, for cross-device (even cross-app) wallet synchronization, email alerts, recovery-file storage, and more. We will also provide storage services (for recovery files) and potentially 1-click synchronization with iCloud, Google Drive, and Dropbox.

Table of Contents

• New features
  • Buy ONE with fiat
  • Wallet Renewal / Add Authenticator Code
• Improvements
  • Higher Limit Wallet
  • Batch Operations
  • Better Upgrade Process
  • Expiration and Renewal Alerts
  • Warnings After Recovery
  • Tools
  • Notifications
  • Call and Sign
• Minor Improvements
• Internal Improvements

New features

Buy ONE with fiat

Users can now buy ONE using fiat currencies with bank accounts and credit or debit cards. The payment is processed by Harmony's partner, Transak. 1wallet does not charge any fees for fiat purchases. Transak may charge some card processing fees.

The list of supported fiat currencies are shown in the currency selector pop-up modal. USD is not yet among the list. According to Transak, support for USD will become available in the coming months (pending legal clearance).

Wallet Renewal / Add Authenticator Code

This features addresses the issues https://github.com/polymorpher/one-wallet/issues/171 and https://github.com/polymorpher/one-wallet/issues/179. When a wallet is renewed, its expiry time will extend. During renewal, the user has two options: (1) add another authenticator code to the wallet, so that both the old and new code can be used for authorizing transactions; (2) use their old authenticator code, in which case the need to export the QR code in authenticator and scan it with a camera (like what they do in Restore procedure).

If a wallet is used in multiple devices, the renewal does not automatically extend to other devices. For example, assume a wallet is used on both device A and B and has a life of 1 year from Jan 1, 2021. After 6 months (in July 1, 2021), the user renewed the wallet on device A. Now the user can use the wallet on device A until July 1, 2022. On device B, the user can continue to use the wallet until Jan 1, 2022. If the user wants to continue using the wallet until July 1, 20222 on device B, the user would need to either (1) delete the wallet on device B and use Restore procedure (scan authenticator QR code by camera) to restore the wallet on device B, or (2) renew the wallet on device B.

By default, users can now renew their wallet when their wallet is to expire in less than 6 months. Users may activate developer mode by visiting /dev once (twice to disable), after which they would be able to renew the wallet at any time.

Improvements

Higher Limit Wallet

Users can create wallets with higher spending limit following a link after they create a standard wallet. The default spending limit is also now promptly shown to the user so they don't miss it and become confused later.

Batch Operations

This addresses https://github.com/polymorpher/one-wallet/issues/175. 1wallet smart contract now supports batch operations. We will use them in 1wallet client to improve the user experience in many scenarios (e.g. Upgrade) in the next few versions.

Better Upgrade Process

This addresses issue https://github.com/polymorpher/one-wallet/issues/183. The upgrade instructions are simplified and made easy to understand. Prior to upgrading a high value wallet, the user is required to set up a recovery address if they have not done so. Users are also allowed to skip this version entirely.

Expiration and Renewal Alerts

Users are alerted if their wallet is about to expire, or their wallet is renewed on other devices, or their wallet is already expired, or when the wallet's local storage is corrupted. Instructions are provided for each scenario.

Warnings After Recovery

This addresses issue https://github.com/polymorpher/one-wallet/issues/166. After recovery (not "Restore), wallets are now marked as "deprecated" with clear instructions to the user on what's going on and what they can do / should do with the wallet from now on.

Tools

A few tools are added which can be accessed under "Tools" page:

1. One-click setup for MetaMask to switch to Harmony network

https://1wallet.crazy.one/tools/metamask-add

2. SushiSwap Encoder Tool for performing transactions on Harmony Safe (based on Gnosis Safe Multi Signature Wallet)

3. Wallet State Dumping Tool

Accessible in developer mode, for developers to debug and study the wallet.

Notifications

Notifications are now much larger and more visible on all screen sizes.

Call and Sign

Call and Sign features are now accessible in developer mode and for wallets created using expert mode

Minor Improvements

• Swap is now mobile compatible
• Wallet address buttons are now always shown on the title section of a wallet, instead of requiring users to click / hover the address first
• Input boxes (address, OTP, etc.) no longer causes page to zoom on mobile
• Global usage statistics no longer change back and forth (issue https://github.com/polymorpher/one-wallet/issues/162)
• Authenticator code boxes are now 3 per row on mobile
• Authenticator code can now be pasted on mobile (not just during creation)
• A warning is added to prevent people from depositing ONE to exchange-owned addresses
• Authenticator code boxes now only show numeric keypad on mobile, and only accepts numerical inputs on mobile.
• All input boxes expecting numerical or decimal inputs now prompt numeric or decimal keypad and only accept numeric or decimal inputs.
• Error messages are now easier to understand
• Progress bars and timelines are now mobile-compatible
• Changed 1wallet DAO address. All wallets upgraded will use the new address if they were using the old 1wallet DAO address.

Internal Improvements

• A new contract library is created for Reveal related operations (as in commit-reveal process)
• Reduced size of core 1wallet contract
• 1wallet contract now accepts multiple "core settings" (i.e roots and time validity information)
• 1wallet contract can now validate incoming operations against multiple core settings
• Restructured 1wallet contract data structures and functions so they are now easier to understand, use, and extend from
• Added several frontend common infrastructural components (e.g. useOps, useWallet, FloatContainer, SpaceCapped, ScanGASteps, and many more) for ease of integration, library use cases, and developer extensions
• Added minimal QR code setup components and options (OtpSetup, OtpTools, WalletCreateProgress, and others)
• Added scripts for generating event lookup tables (from topic hash)

PR: #160 Resolves: #156 #150 #134 #133 #132 #122

Authenticator code remains valid for 30 more seconds after they expire on Google Authenticator - this will substantially improve user experience and reduce "time mismatch" error.

Simplified OTP Confirmation - removed confirmation button. Typing 6 digits (or 12) automatically triggers confirmation. This change is applicable to every place where OTP input is asked for.

Allowing users to inspect old wallet and control them after an upgrade: Inspect: you can temporarily use the old wallet, track tokens, and transfer assets out if needed Reclaim: you can reclaim domain and tracked assets (NFTs / tokens) in one go. It may still miss some assets, especially ERC-20 tokens that you have never sent out, or non-standard NFTs that are not tracked. Use Inspect to transfer these assets to your wallet ad-hoc.

The user experience is still not ideal. In future versions I will simplify this flow and transfer some popular ERC-20 by default, and/or have most assets transferred along with the upgrade in one-go, instead of having to do this ad-hoc transfer / reclaim.

Various other client side updates:

• Top 9 tokens are automatically tracked: https://github.com/polymorpher/one-wallet/pull/158
• Apps can now ask wallets to call a contract directly using binary hex data, instead of specifying method and values: https://github.com/polymorpher/one-wallet/pull/152
• Verified app calls are automatically decoded: https://github.com/polymorpher/one-wallet/pull/159
• Aegis Authenticator is supported: https://github.com/polymorpher/one-wallet/pull/157
• daVinci NFTs can be purchased from 1wallet directly: https://github.com/polymorpher/one-wallet/pull/154 https://www.youtube.com/watch?v=KJG593CI3c4
• Added Gnosis Safe integration: https://www.youtube.com/watch?v=kUXQBh_h2Ig
• Expired red packets can return assets to creator (part of #160)
• Wallet address QR code scanning and saving are supported: https://github.com/polymorpher/one-wallet/pull/141 https://github.com/polymorpher/one-wallet/pull/142 https://github.com/polymorpher/one-wallet/pull/138
• Improved support for some special NFTs (e.g. Harmonaut, daVinci, etc)
• Many other small fixes. See open dev log

New features:

• You can now send and receive gifts (a.k.a. red packets) in 1wallet. See the images below and this video for an illustration: https://www.youtube.com/watch?v=eybRhU5pNoQ

Major improvements

Wallet creation, main screen

• Eliminated all unnecessary text
• QR Code now looks like a button on mobile
• Added clear instructions for mobile users to tap the button
• The screen no longer zooms into little boxes when the user selects / types the authenticator code
• Made it clear that authenticator code should be copied, not memorized and typed, from authenticators (latter of which often causes expiry)
• Added a "Paste" button for mobile users to easily paste the code from authenticator

Wallet creation, deployment screen (step 2)

• Hided all text setting and explaining fund recovery address. They are visible only after the user clicks "Set a fund recovery address?"
• Fund recovery address is now always set to 1wallet treasury by default (which can be changed later), unless otherwise specified, instead of a previously created wallet (if available)
• Substantially simplified the language explaining what fund recovery address is (less than 3 lines on mobile)
• Substantially simplified the language explaining 1wallet treasury (1 simple paragraph)

Wallet creation, post-creation

• Warning messages such as "your wallet is outdated" no longer briefly appears then disappears when new wallet is created
• Address is displayed in full in the one-time box which reminds the user to save their address (this will be changed to QR code image in the upcoming version)

Miscellaneous

• Improved mobile and desktop component spacing and alignment
• Maximum spending amount now takes into account of existing spend for the current time period (e.g. how much is already spent today)
• Address input now shows addresses' names or labels correctly after they are selected
• Progress bar now shows up faster when sending tokens (previously only showing up on step 2, commit)
• Renamed local testing network to "Ganache"

Critical bug fixes

• Fixed a bug where Android users may see a blank screen after the wallet is created (caused by .replaceAll not supported by older Chrome browser versions)

Frontend Infrastructure

• Added support for "temporary wallet". They are not count towards total balance computation, are not be displayed on wallet listing screen, and are automatically deleted after pre-set expiration time. They are identified by a temp flag
• Created exportable components for NFT grid items, NFT loader, NFT metadata loader, NFT balance auto-updater
• Created components for WalletCreationProgress
• Created components for Gift and Unwrap (red packet)
• Added "merge mode" for updating wallet state. They are identified by a _merge field in the payload. They are ideal for use cases which multiple parts of a wallet may be loaded asynchronously
• Made frontend loading flow fail-safe across many components even when wallet information fails to load due to various unexpected errors

Wallet Contract

• lastOperationTime is now publicly accessible
• getNonce is now consistently computed using uint32 in all steps

Core library

• Call data can now be encoded correctly for empty calls (e.g. sending funds via .call(""))
• Added multi-call encoder

• Daily limit is superseded by "spending limit", a similar mechanism which allows the spending amount to be reset at arbitrary fixed time interval. This enables use cases such as:
  • Red Packet (see #116), which funds inside the wallet can be withdrawn every 30 seconds or so
  • Parental control by a monthly allowance
  • SaaS subscription
  • and many more
• Spending limit and interval can now be set to any value in expert mode
• The contract now supports executing multiple operations in one transaction. This means the user only need to type in the authenticator code once to authorize all the operations, instead of typing one code for each operations. Because of that, the user experience in some cases would be significantly improved after we implement corresponding code at the client side. For example, when the user swap some tokens into ONE (or others tokens) using "Swap", they no longer need to make separate authorizations (and wait twice as long) to "Approve SushiSwap to spend your token" then to "Confirm the swap". Now it can be done in one go.
  • This will be critical for use cases such as Red Packet (#116) since NFT, tokens, and funds need to be transferred simultaneously to the Red Packet 1wallet when the user creates a Red Packet.
• Many other improvements:
  • Delete button in address dropdown input box no longer cause the address to be selected and the dropdown menu collapsed (which sometimes results a messy, buggy UI)
  • Address input boxes are now displaying label and domain name of the address correctly after the address is selected
  • Removed erroneous, instant error message (e.g. wallet is outdated) after a new wallet is created or restored.
  • Relayer no longer applies overzealous rate limiting mechanism on errors
  • Fixed an issue on iOS Safari such that the background of the Upgrade screen is not displayed correctly (translucent blur background was not correctly applied)
• Internally:
  • A new library SpendingManager is created. Spending related contract code is moved to the library
  • Nonce related functionalities are moved to CommitManager
  • More abstractions and structures are created (e.g. CoreSettings), and related code refactored
  • Constructors of 1wallet and its usage in relayer and client are improved
  • Created some library and cache management scripts under relayer
  • See more in #135

• You can now swap between ONE and 100+ tokens on Harmony network including ETH, BTC, BUSD, DAI and many others, all inside 1wallet.
  • Swap requires wallet version at least 10.1. If your wallet is too old, you won't be able to see this tab.
  • Quotes are automatically obtained from SushiSwap based on latest state of the liquidity pools
  • You can set slippage tolerance and execution deadline, just like on SushiSwap
  • Swapped tokens are automatically tracked in UI
  • Swap obeys wallet daily limit. You cannot spend more ONEs than what daily limit allows (typically 1000 ONE per day, at this time), but you can spend as many tokens as you want
  • When you upgrade the wallet, swapped tokens are not automatically transferred to the new address, unless you spent (not swap) the token at least once. This will be improved in future versions
  • Any token that is not automatically transferred to the new address can be reclaimed later (in upcoming versions of client upgrade)
• Various improvements and bug fixes were made:
  • Fixed #128 #130
  • Full wallet address and utility tools (copy button, explorer, ETH format switcher) are now shown in the top bar
  • Added support for rendering video NFTs
  • Added support for rendering Harmony Punk
  • Added support for rendering daVinci NFTs
  • Improved UI for Send layout
• Single flow for new wallet creation. Double OTP is no longer an option provided by default.
• Expert mode
  • Activated by 0x1337 / expert OTP code during wallet creation.
  • Disabled by 0x0000 / normal
  • Enables the user to choose using double OTP for enhanced security
  • Enables the user to set a higher daily limit, during wallet creation
  • More features will come in later versions

• Optimized mobile experience for creating a wallet
  • On mobile, the QR code can be tapped to import the account to Google Authenticator
  • When the QR code is scanned, only Google Authenticator is prompted, instead of other unreliable authenticators
  • Mobile OS-specific installation link for Google Authenticator
• Optimized mobile view in every component
  • Navigation menu is moved to the top
  • Balances are displayed in simplified manner
  • Wallet tabs are aligned and positioned such that they occupy the least amount of space and do not require scrolling
  • Tokens are downsized and displayed as two per row
  • NFTs are displayed as one per row with automatically adjustable height
  • Authenticator codes are displayed and typed in two rows, with 3 digits per row, in larger boxes
  • The wallet and all its action components (Send, Swap, Recover, and others) occupy only 100% screen width on mobile, instead of requiring scrolling
  • Improved information display layout such that labels and texts are displayed in two rows when necessary, instead of being scrambled together
  • Multiple wallets are listed with consistent alignment at 100% width in wallet listing screen, and total balance is displayed to the right