Home

Awesome

WHALEVAULT :: Secure Graphene Cross-Chain Key Store Extension

git codebase will be uploaded soon. In the meantime, unzip latest release to inspect codebase.

For developers looking to integrate WhaleVault into their sites, the demo app should provide you with all you need: https://github.com/alexpmorris/crypto-playpen/tree/master/whalevault

A more detailed overview of WhaleVault may be found at: https://whaleshares.io/@alexpmorris/whalevault-secure-graphene-cross-chain-key-store-extension

Installation

Make sure you only install the extension directly from:

Or directly from the official github repo: https://github.com/alexpmorris/whalevault/releases

For your own safety and security, DO NOT INSTALL FROM ANYWHERE ELSE!

As an additional precaution, you should only allow "site access" to the WhaleVault extension in Chrome for those trusted websites that require it.


It's not safe or secure to use your private keys or master passwords directly on a website, even if operated by a trusted party, as it also incentivizes hackers to find site vulnerabilities and exploit them. Yet this is how many graphene-based sites and services still operate. This attack vector increases with the type of key required. Master passwords offer the greatest potential reward, granting an attacker complete control over the account.

On Ethereum, you never have to enter your private key into a website to use a dApp. You just use a browser extension like MetaMask, and dApp websites can interface with the extension to securely sign and broadcast transactions to the blockchain on its behalf.

WhaleVault aims to bring the security and ease-of-use of MetaMask to all graphene-based blockchains, accessible through a single unified extension.

WhaleVault, based on Steem Keychain, is a better, safer cross-chain way to access all your graphene accounts from both desktop and mobile browsers such as Chrome, Firefox, Brave, and Yandex. Graphene blockchains supported out-of-the-box include WhaleShares, BitShares, Eos, Steem, Hive, Blurt, Smoke, Telos, Worbli, Golos, Peerplays, Scorum, and Vice. WhaleVault is also the "key vault of choice" for ShareBits.

The extension injects the WhaleVault API into each website's javascript context, so that any website that you authorize can safely and securely request a signature or encrypt/decrypt a memo without ever having direct access to any of your private keys.

Because it adds functionality to the normal browser context, WhaleVault requires permission to read and write any web page that wishes to access the extension. You can always "view source" of WhaleVault the way you would any Chrome extension or Firefox Add-on, or from the official GitHub repo: https://github.com/alexpmorris/whalevault

For those not using Steem Keychain and/or Hive Keychain, WhaleVault will also act as a polyfill for Steem Keychain, Hive Keychain, and Blurt Keychain for seamlessly and securely transacting with any app or wallet that supports them. That includes Steem-Engine and Hive-Engine support, all from a single extension!

WhaleVault is a multi-chain fork by @alexpmorris of the Steem Keychain browser extension. Steem Keychain (repo at https://github.com/MattyIce/steem-keychain) was originally created by @yabapmatt, developed by @stoodkev, and funded by @aggroed. Many thanks to them for creating a great template upon which to build WhaleVault!

Features

The WhaleVault extension includes the following features:

Website Integration

Websites can currently request the WhaleVault extension to perform the following functions / broadcast operations:

Installation

Make sure you only install the extension directly from:

Or directly from the official github repo: https://github.com/alexpmorris/whalevault/releases

For your own safety and security, DO NOT INSTALL FROM ANYWHERE ELSE!

As an additional precaution, you should only allow "site access" to the WhaleVault extension in Chrome for those trusted websites that require it.

Libraries Used

jquery.js (v3.3.1), whale-1.0.0.js (v1.0.0 beta, maintained by author), and the eosjs-*.js libraries (v20.0.0), built directly from nodejs via webpack: https://github.com/EOSIO/eosjs/releases/tag/20.0.0

Example

An example of a web page that interacts with the extension is included in the "example" folder in the repo. You can test it by running a local HTTP server and going to http://localhost:1337/main.html in your browser.

cd example
node node_serve.js  //static server via nodejs
py3_serve  //static server via python3

NOTE: On localhost, it will only run on port 1337.

API Documentation

The WhaleVault extension will inject a "whalevault" JavaScript object into all web pages opened in the browser while the extension is running. You can therefore check if the current user has the extension installed using the following code:

if (window.whalevault) {
    // WhaleVault extension installed...
} else {
    // WhaleVault extension not installed...
}

Handshake

Additionally, you can request a "handshake" from the extension to further ensure it's installed and that your page is able to connect to it:

as callback:

window.whalevault.requestHandshake("appId", function(response) {
    console.log('whalevault: Handshake received!');
    console.log(response);
});

as promise:

var response = await window.whalevault.promiseHandshake("appId");

Signing Transactions

WhaleVault is generally embedded directly into libraries. For example, it works out-of-the-box with the latest wlsjs or smokejs libraries simply by setting the following:

However, WhaleVault can also attempt to transmit the tx without the need for additional chain libraries by setting the chain's url in the signing object. If the tx is accepted, instead of receiving a signature, you would receive the chain's response to the tx.

Here is an example of a transfer op for whaleshares:

var ops = [ 
  ['transfer', 
   { from: 'user', 
     to: 'recip', 
     amount: '5.000 WLS', 
     memo: 'sample xfer'
   }
  ]
];

whalevault.requestSignBuffer('demo', 'wls:user', 
                             { url: 'https://pubrpc.whaleshares.io', operations: ops }, 
                             'Active', 'transfer', 'tx', 
                             function(response) { console.log(response); });