1wallet | Modulo OTP Wallet - unconventional keyless, non-custodial wallet secured by Google Authenticator. EVM-compatible, smart contract operated, with composable security.
Date: Jan 13, 2024
Key updates:
You can now install the wallet app as a standalone app on macOS, iOS, and Android. This solves a major issue on iOS / macOS, that the browser sometimes automatically deletes all wallet data if you don't visit the site for 7 days. As standalone apps, the wallets are guaranteed to be permanently stored and won't be auto-deleted by the browser or the operating system.
To install the standalone apps, go to app.otpwallet.xyz (or 1wallet.crazy.one for Harmony special version), then
on macOS: (use Safari or Safari Technology Preview) click the share icon on the top right of the browser, then click "Add to Dock". After that, close the browser window. You can now launch the wallet app as a standalone app from the dock.
on iOS: (use Safari) click the share button at the bottom, swipe up (scroll down) on the share sheet, click "Add to Homescreen". After that, close the browser window. You can now launch the wallet app as a standalone app from the home screen, and you can find the app in the search bar, just like any other app you installed from the App Store.
Here is what the iOS app looks like on the home screen, after installation:
What the macOS app looks like:
What the iOS app looks like:
You can now configure your wallet name, lifespan, spending limit, and recovery address before you create the wallet. To do that, click "Customize" button at the bottom of wallet creation screen. Choose desired wallet name and lifespan before scanning the QR code using your authenticator. After you confirm your authenticator's verification code, you will be able to change spending limit and recovery address in the next screen.
You can now manage and label addresses in the "Contacts" page. You may click on any address to edit its label, or add new contact from the top of the page. If you have a large number of contacts and want to search for a particular address, you may use the address format switcher to make the search easier.
This tool is designed for victims whose wallets were drained by hackers and have a drain bot attached. The victim still has NFTs left in their wallet, which they want to move to other wallets. Victims are unable to do anything by themselves because when a drain bot is attached to the victim's wallet, any funds sent to that wallet will be quickly transferred to a hacker's wallet, causing the victim's transactions to fail because the wallet is unable to pay gas.
In other words, it makes you spam NFT transactions faster than the hacker who is draining your wallet. This tool will be made available for other networks in the future, such as on Ethereum.
Date: Jan 7, 2024
Key updates:
Now the wallet can be used at any dApp that supports WalletConnect (e.g. Multisig / Safe, Swap, .country, and others). To use a wallet for a WalletConnect session, click the WalletConnect icon in your wallet, or go to "Tools" and find WalletConnect there. Paste the session link or scan the WalletConnect QR code to start a session.
Now you can use the built-in autofill feature from iOS / macOS to automatically fill in your 6-digit OTP code for any operation. To enable that, you need to sign up for an account when you create the wallet, let your browser automatically save the account with password, then follow the instructions on the prompts to save the verification code to that account. After this is done, whenever you click the input box for entering the OTP code, you will see the option to let your browser automatically fill in the 6-digit code.
You can back up your recovery file under the "Recover" tab: click "Cloud Backup" and log in to your account to proceed. If you do not have an account (signed up at wallet creation), you can still create an account there, but the account would not have the OTP code autofill capability. You can find all your backups in the "Backup" page in the sider menu.
This service is provided free-of-charge, but in the future a small subscription fee will be required.
When you sign up an account (either at wallet creation stage, or at "Recover" tab), it is recommended to let your browser automatically generate a password for you. This ensures the smoothest experience in macOS, iOS, Chrome, and Brave, especially if you want to use the OTP autofill feature on macOS or iOS.
New website (app.otpwallet.xyz) and documentation are work-in-progress. Soon, the wallet will be available on multiple blockchains such as Polygon, Base, Arbitrum, Avalanche.
Future multi-chain deployments will be at app.otpwallet.xyz. The original 1wallet (i.e. Harmony deployment) that prioritizes Harmony dApps and integrations will always be available at 1wallet.crazy.one. We may also deploy other versions that are optimized for other blockchains in the future.
All wallet transactions from now on, including those from the relayer and the client, will be conducted via modulo.so's validator network and private RPC nodes, which have much lower latency than the public RPC nodes provided by Harmony. This ensures smooth user experience and transactions even when the blockchain is in high usage.
This update (April 5, 2022) includes two security patches, the staking feature, the transaction viewer, several developer libraries, and better test coverage and utilities.
Related issues:
Staking and Earn Rewards: Staking enables you to earn reward in ONE over time using funds in your wallet. You can now delegate your funds to any validator on Harmony network. A "Staking" button is added to the main UI of the wallet. To stake, you need to find a validator to delegate your funds to. You can get a list of validators from Harmony Staking Dashboard.
Transaction Viewer: You can now view historical transactions of your wallet using the "History" tab.
More Reliable Transactions: In prior versions, users sometimes experienced transaction failures during peak usage times. In extreme cases, all subsequent transactions became stuck after some transactions failed to execute. Although there were many reasons behind the failures (such as congestion in the underlying RPC nodes, or the blockchain itself), we improved the relayer so that:
These improvements allow the relayer to scale horizontally to handle arbitrary amount of peak-time usage, and user experience will be significantly improved as a result.
v16 fixed two issues.
The first is that some v15 wallet users may be able to execute some operations using only a single auth code (6 digits) instead of six auth codes (6x6 digits) if they wrap the operation (that would otherwise require six auth codes) inside a BATCH operation. The BATCH operation allows an arbitrary number of operations to be wrapped inside, but it only requires a single auth code to execute. See issue 276 for more details. v16 fixed this issue by limiting the operations BATCH is allowed to wrap.
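The BATCH issue above, reduced to a policy model. This is an added example, not 1wallet's contract code: every operation name other than BATCH is a hypothetical placeholder, and rejecting nested BATCH is a choice of this model rather than something the changelog states.

```javascript
// Auth codes required per operation type (placeholder names, except BATCH).
const REQUIRED_CODES = new Map([
  ['LOW_RISK_OP', 1],  // hypothetical: an operation that needs one 6-digit code
  ['HIGH_RISK_OP', 6], // hypothetical: an operation that needs six 6-digit codes
  ['BATCH', 1]         // per the changelog, BATCH itself needs a single code
])

// v15-style check: only the outermost operation type is consulted,
// so whatever sits inside a BATCH inherits the BATCH requirement.
function codesRequiredV15 (op) {
  return REQUIRED_CODES.get(op.type)
}

// v16-style check: BATCH may only wrap operations on an allowlist.
const BATCHABLE = new Set(['LOW_RISK_OP'])

function codesRequiredV16 (op) {
  if (!REQUIRED_CODES.has(op.type)) throw new Error(`unknown operation: ${op.type}`)
  if (op.type !== 'BATCH') return REQUIRED_CODES.get(op.type)
  for (const inner of op.ops) {
    // BATCH is not on the allowlist either, so nesting cannot hide an operation.
    if (!BATCHABLE.has(inner.type)) throw new Error(`BATCH may not wrap ${inner.type}`)
  }
  return REQUIRED_CODES.get('BATCH')
}

// An operation is authorized only if the policy accepts its shape
// and enough auth codes were supplied.
function isAuthorized (policy, op, codesSupplied) {
  try {
    return codesSupplied >= policy(op)
  } catch (e) {
    return false
  }
}

// Constructed sample operations.
const wrapped = { type: 'BATCH', ops: [{ type: 'HIGH_RISK_OP' }] }
const nested = { type: 'BATCH', ops: [wrapped] }
const benign = { type: 'BATCH', ops: [{ type: 'LOW_RISK_OP' }, { type: 'LOW_RISK_OP' }] }

console.log('v15, wrapped, 1 code:', isAuthorized(codesRequiredV15, wrapped, 1))
console.log('v16, wrapped, 1 code:', isAuthorized(codesRequiredV16, wrapped, 1))
console.log('v16, nested, 1 code:', isAuthorized(codesRequiredV16, nested, 1))
console.log('v16, benign, 1 code:', isAuthorized(codesRequiredV16, benign, 1))
```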
The second issue is that reveal-authentication parameters may be reused across an upgraded wallet and its prior versions (which allow the same authentication parameters to execute a transaction). This is documented in issues #253 and #278. v16 fixed this issue by preventing wallets of prior versions (with a minimum version of v16) from executing any transaction by themselves. They can only perform operations when commanded by the latest upgraded wallet (which wallets of prior versions point to). Note that this patch does not affect the behavior of wallets prior to v15, because their smart contract code remains immutable.
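A simplified model of the second issue and its fix, showing why per-contract replay tracking does not protect a sibling contract that accepts the same parameters. This is an added example, not 1wallet's contract code: class, field and method names are hypothetical, and a shared Map stands in for on-chain verification of the reveal-authentication parameters.

```javascript
class WalletModel {
  constructor (address, authRoot, enforceForwarding) {
    this.address = address
    this.authRoot = authRoot      // same authenticator, so the same parameters verify
    this.forwardAddress = null    // set on the prior version when the wallet is upgraded
    this.usedIndices = new Set()  // replay tracking lives in each contract separately
    this.enforceForwarding = enforceForwarding
    this.executed = []
  }

  // Direct reveal: authenticate with (index, eotp), then execute the operation.
  reveal (index, eotp, op) {
    if (this.enforceForwarding && this.forwardAddress !== null) {
      throw new Error('prior version: direct reveal disabled')
    }
    if (this.authRoot.get(index) !== eotp) throw new Error('bad authentication parameters')
    if (this.usedIndices.has(index)) throw new Error('parameters already used')
    this.usedIndices.add(index)
    this.executed.push(op)
  }

  // Entry point for operations relayed by the upgraded wallet (COMMAND).
  executeCommand (sender, op) {
    if (sender !== this.forwardAddress) throw new Error('only the upgraded wallet may command')
    this.executed.push(op)
  }
}

function simulate (enforceForwarding) {
  const authRoot = new Map([[0, 'eotp-constructed-0']]) // constructed sample value
  const oldWallet = new WalletModel('0xOLD', authRoot, enforceForwarding)
  const newWallet = new WalletModel('0xNEW', authRoot, enforceForwarding)
  oldWallet.forwardAddress = newWallet.address // prior version points to the upgrade

  // The user transacts on the upgraded wallet; the EOTP is now readable on-chain.
  newWallet.reveal(0, 'eotp-constructed-0', 'user-op')

  // The same parameters are submitted to the prior version.
  let replayed = true
  try { oldWallet.reveal(0, 'eotp-constructed-0', 'unintended-op') } catch (e) { replayed = false }

  // The legitimate path to the prior version stays available via the upgraded wallet.
  oldWallet.executeCommand(newWallet.address, 'user-op-on-old')
  return { replayed, oldExecuted: oldWallet.executed }
}

console.log('without forwarding check:', simulate(false))
console.log('with forwarding check:   ', simulate(true))
```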
For most users, this issue poses little risk because all assets are already migrated out from their wallets of prior versions. For users who use wallets of prior versions in an app (such as Harmony Multisig) and actively use the upgraded wallet (i.e. storing assets or performing transactions), this would pose significant risk because an attacker could read the EOTP submitted to the blockchain in one version, and re-use the EOTP in the other version, therefore:
In either case, the attacker could potentially cause significant harm to the user by executing arbitrary, unintended operations. Therefore, it is highly recommended that any user who uses wallets of prior versions in an app should:
v16 made significant technical improvements, which may be of interest to developers who are building tools for the wallet, are using it as wallet infrastructure, or are considering integrating the wallet into their app.
Events can now be parsed from transaction receipts (obtained from standard eth_getTransactionReceipt RPC calls or web3 libraries) using this library, which is located at code/lib/parser.js. See code/client/src/pages/Show/TransactionViewer.jsx for usage examples, and issue #277 for the purpose of this library.
When COMMAND operation was introduced in v9, it was rarely used. With the introduction of the security patch in v16 (see above, "Authentication Parameter Reuse"), COMMAND will become a frequently used operation. However, converting an operation into a COMMAND operation is non-trivial. The parameters in the reveal operation must be transformed completely, and the wallet address which the transaction is originally issued to must also be changed. The challenges and solutions are documented in detail at issue #278. The library introduced in v16 can be found at code/lib/api/command.js. The transformations and usage examples can be found in code/lib/api/flow.js:L447 (SecureFlowsV16), and tests in code/test/command.js.
A slew of test utilities are introduced in v16, followed by a new testing framework, thanks mostly to the work of @johnwhitton. Based on this framework, we now have complete test coverage for token related operations. See the README notes in testing framework.
v16 will be fully compatible with v15. There is no change in relayer parameters or smart contract interfaces.
This update provides substantially enhanced security, usability, and functionalities.
Movie Wood 21-12-24 16:27 [one1397exhkl6t55z2w5ff6z9np0pw6vmydhy8uzd0]
[word1] [word2] [YY-MM-DD HH:mm] [one1... address]. Time is local.
.1wallet files) are redesigned to make cross-device synchronization easy and seamless.
/create API calls (to create new 1wallets) for v15 compatibility, or (2) switch endpoints to a v14 URL.
v14relayer.onewallet.hiddenstate.xyz.
/commit and /reveal without any change, provided that (1) they use 1wallet core library (JavaScript) for REST requests, or (2) already use appropriate headers (X-MAJOR-VERSION and X-MINOR-VERSION) or body parameters (majorVersion and minorVersion) if they use custom implementations.
In the minor updates of this major version (v15), we will add integration with built-in authenticator provided since iOS 15, macOS Monterey, and Safari 15. We will also add email/password as an option to the user, for cross-device (even cross-app) wallet synchronization, email alerts, recovery-file storage, and more. We will also provide storage services (for recovery files) and potentially 1-click synchronization with iCloud, Google Drive, and Dropbox.
Users can now buy ONE using fiat currencies with bank accounts and credit or debit cards. The payment is processed by Harmony's partner, Transak. 1wallet does not charge any fees for fiat purchases. Transak may charge some card processing fees.
The list of supported fiat currencies is shown in the currency selector pop-up modal. USD is not yet among the list. According to Transak, support for USD will become available in the coming months (pending legal clearance).
This feature addresses the issues https://github.com/polymorpher/one-wallet/issues/171 and https://github.com/polymorpher/one-wallet/issues/179. When a wallet is renewed, its expiry time will extend. During renewal, the user has two options: (1) add another authenticator code to the wallet, so that both the old and new code can be used for authorizing transactions; (2) use their old authenticator code, in which case they need to export the QR code in the authenticator and scan it with a camera (like what they do in the Restore procedure).
If a wallet is used on multiple devices, the renewal does not automatically extend to other devices. For example, assume a wallet is used on both device A and B and has a life of 1 year from Jan 1, 2021. After 6 months (on July 1, 2021), the user renewed the wallet on device A. Now the user can use the wallet on device A until July 1, 2022. On device B, the user can continue to use the wallet until Jan 1, 2022. If the user wants to continue using the wallet until July 1, 2022 on device B, the user would need to either (1) delete the wallet on device B and use the Restore procedure (scan authenticator QR code by camera) to restore the wallet on device B, or (2) renew the wallet on device B.
By default, users can now renew their wallet when their wallet is to expire in less than 6 months. Users may activate developer mode by visiting /dev once (twice to disable), after which they would be able to renew the wallet at any time.
Users can create wallets with a higher spending limit following a link after they create a standard wallet. The default spending limit is also now promptly shown to the user so they don't miss it and become confused later.
This addresses https://github.com/polymorpher/one-wallet/issues/175. 1wallet smart contract now supports batch operations. We will use them in 1wallet client to improve the user experience in many scenarios (e.g. Upgrade) in the next few versions.
This addresses issue https://github.com/polymorpher/one-wallet/issues/183. The upgrade instructions are simplified and made easy to understand. Prior to upgrading a high value wallet, the user is required to set up a recovery address if they have not done so. Users are also allowed to skip this version entirely.
Users are alerted if their wallet is about to expire, or their wallet is renewed on other devices, or their wallet is already expired, or when the wallet's local storage is corrupted. Instructions are provided for each scenario.
This addresses issue https://github.com/polymorpher/one-wallet/issues/166. After recovery (not "Restore"), wallets are now marked as "deprecated" with clear instructions to the user on what's going on and what they can do / should do with the wallet from now on.
A few tools are added which can be accessed under "Tools" page:
https://1wallet.crazy.one/tools/metamask-add
Accessible in developer mode, for developers to debug and study the wallet.
Notifications are now much larger and more visible on all screen sizes.
Call and Sign features are now accessible in developer mode and for wallets created using expert mode.
PR: #160 Resolves: #156 #150 #134 #133 #132 #122
Authenticator codes remain valid for 30 more seconds after they expire on Google Authenticator - this will substantially improve user experience and reduce "time mismatch" errors.
Simplified OTP Confirmation - removed confirmation button. Typing 6 digits (or 12) automatically triggers confirmation. This change is applicable to every place where OTP input is asked for.
Allowing users to inspect old wallets and control them after an upgrade:
Inspect: you can temporarily use the old wallet, track tokens, and transfer assets out if needed.
Reclaim: you can reclaim domain and tracked assets (NFTs / tokens) in one go. It may still miss some assets, especially ERC-20 tokens that you have never sent out, or non-standard NFTs that are not tracked. Use Inspect to transfer these assets to your wallet ad-hoc.
The user experience is still not ideal. In future versions I will simplify this flow and transfer some popular ERC-20 by default, and/or have most assets transferred along with the upgrade in one-go, instead of having to do this ad-hoc transfer / reclaim.
Various other client side updates:
Wallet creation, main screen
Wallet creation, deployment screen (step 2)
Wallet creation, post-creation
Miscellaneous
.replaceAll not supported by older Chrome browser versions)
temp flag _merge field in the payload. They are ideal for use cases which multiple parts of a wallet may be loaded asynchronously.
call(""))
0x1337 / expert OTP code during wallet creation.
0x0000 / normal