@compound-finance/ethereumjs-wallet
A lightweight wallet implementation. At the moment it supports key creation and conversion between various formats.
It is complemented by the following packages:

Motivations are:
ethereumjs-util and ethereumjs-tx)

Features not supported:

Constructors:
generate([icap]) - create an instance based on a new random key (setting icap to true will generate an address suitable for the ICAP Direct mode)
generateVanityAddress(pattern) - create an instance where the address is valid against the supplied pattern (this will be very slow)
fromPrivateKey(input) - create an instance based on a raw private key
fromExtendedPrivateKey(input) - create an instance based on a BIP32 extended private key (xprv)
fromPublicKey(input, [nonStrict]) - create an instance based on a public key (certain methods will not be available)
fromExtendedPublicKey(input) - create an instance based on a BIP32 extended public key (xpub)
fromV1(input, password) - import a wallet (Version 1 of the Ethereum wallet format)
fromV3(input, password, [nonStrict]) - import a wallet (Version 3 of the Ethereum wallet format). Set nonStrict true to accept files with mixed-caps.
fromEthSale(input, password) - import an Ethereum Pre Sale wallet

For the V1, V3 and EthSale formats the input is a JSON serialized string. All these formats require a password.

Note: fromPublicKey() only accepts uncompressed Ethereum-style public keys, unless the nonStrict flag is set to true.

Instance methods:
getPrivateKey() - return the private key
getPublicKey() - return the public key
getAddress() - return the address
getChecksumAddressString() - return the address with checksum
getV3Filename([timestamp]) - return the suggested filename for V3 keystores
toV3(password, [options]) - return the wallet as a JSON string (Version 3 of the Ethereum wallet format)

All of the above instance methods return a Buffer or JSON. Use the String suffixed versions for a string output, such as getPrivateKeyString().

Note: getPublicKey() only returns uncompressed Ethereum-style public keys.

Importing various third party wallets is possible through the thirdparty submodule:
var thirdparty = require('ethereumjs-wallet/thirdparty')

Constructors:
fromEtherCamp(passphrase) - import a brain wallet used by Ether.Camp
fromEtherWallet(input, password) - import a wallet generated by EtherWallet
fromKryptoKit(seed) - import a wallet from a KryptoKit seed
fromQuorumWallet(passphrase, userid) - import a brain wallet used by Quorum Wallet

To use BIP32 HD wallets, first include the hdkey submodule:
var hdkey = require('ethereumjs-wallet/hdkey')

Constructors:
fromMasterSeed(seed) - create an instance based on a seed
fromExtendedKey(key) - create an instance based on a BIP32 extended private or public key

For the seed we suggest to use bip39 to create one from a BIP39 mnemonic.

Instance methods:
privateExtendedKey() - return a BIP32 extended private key (xprv)
publicExtendedKey() - return a BIP32 extended public key (xpub)
derivePath(path) - derive a node based on a path (e.g. m/44'/0'/0/1)
deriveChild(index) - derive a node based on a child index
getWallet() - return a Wallet instance as seen above

The Wallet can be easily plugged into provider-engine to provide signing:
const WalletSubprovider = require('ethereumjs-wallet/provider-engine')
<engine>.addProvider(new WalletSubprovider(<wallet instance>))

Note it only supports the basic wallet. With a HD Wallet, call getWallet() first.

toV3

The options is an optional object hash, where all the serialization parameters can be fine tuned:
kdf. Size must match the requirements of the KDF (key derivation function). Random number generated via crypto.getRandomBytes if nothing is supplied.
cipher. Size must match the requirements of the cipher. Random number generated via crypto.getRandomBytes if nothing is supplied.
cipher settings, this must match the block sizes of those.
OpenSSL, e.g. aes-128-ctr or aes-128-cbc.

Depending on the kdf selected, the following options are available too.

For pbkdf2:
c - Number of iterations. Defaults to 262144.
prf - The only supported (and default) value is hmac-sha256. So no point changing it.

For scrypt:
n - Iteration count. Defaults to 262144.
r - Block size for the underlying hash. Defaults to 8.
p - Parallelization factor. Defaults to 1.

The following settings are favoured by the Go Ethereum implementation and we default to the same:
kdf: scrypt
dklen: 32
n: 262144
r: 8
p: 1
cipher: aes-128-ctr
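
The KDF parameters above set the cost of guessing a keystore password, so a file written with weakened values is worth flagging. As an added example (not part of the original README or the ethereumjs-wallet code), this auditor compares a V3 keystore's settings with the defaults listed above and lower-cases keys the way a nonStrict import has to. The JSON field names crypto, kdfparams and cipherparams and all helper names are assumptions, and the sample keystores are constructed.

```javascript
'use strict';
// Floors taken from the defaults listed in the README above.
const FLOORS = { scrypt: { n: 262144, r: 8, p: 1 }, pbkdf2: { c: 262144 } };

// Lower-case all keys recursively, as a nonStrict import must for mixed-caps files.
function lowerKeys(v) {
  if (Array.isArray(v)) return v.map(lowerKeys);
  if (v === null || typeof v !== 'object') return v;
  return Object.fromEntries(
    Object.entries(v).map(([k, x]) => [k.toLowerCase(), lowerKeys(x)]));
}

// Returns a list of findings; empty means the file meets the page's defaults.
// Field names (crypto, kdfparams, cipherparams) are the V3 keystore layout (assumed).
function auditV3(json) {
  const ks = lowerKeys(JSON.parse(json));
  const c = ks.crypto;
  if (ks.version !== 3 || !c) return ['not a V3 keystore'];
  const findings = [];
  const params = c.kdfparams || {};
  const floor = FLOORS[c.kdf];
  if (!floor) findings.push(`unsupported kdf: ${c.kdf}`);
  for (const [name, min] of Object.entries(floor || {})) {
    if (!Number.isInteger(params[name]) || params[name] < min) {
      findings.push(`${c.kdf} ${name}=${params[name]} is below ${min}`);
    }
  }
  if (c.kdf === 'pbkdf2' && params.prf !== 'hmac-sha256') {
    findings.push(`unsupported prf: ${params.prf}`);
  }
  if (params.dklen !== 32) findings.push(`dklen=${params.dklen}, expected 32`);
  if (c.cipher !== 'aes-128-ctr') findings.push(`non-default cipher: ${c.cipher}`);
  const iv = (c.cipherparams || {}).iv;
  if (c.cipher === 'aes-128-ctr' && !/^[0-9a-f]{32}$/i.test(iv || '')) {
    findings.push('iv is not 16 bytes of hex');
  }
  return findings;
}

// Constructed samples (not real wallets): hex fields are filler values.
const sample = (key, n) => JSON.stringify({ version: 3, [key]: {
  cipher: 'aes-128-ctr', cipherparams: { iv: 'ab'.repeat(16) },
  ciphertext: 'cd'.repeat(32), mac: 'ef'.repeat(32), kdf: 'scrypt',
  kdfparams: { dklen: 32, n, r: 8, p: 1, salt: '01'.repeat(32) } } });

console.log(auditV3(sample('crypto', 262144))); // meets the defaults
console.log(auditV3(sample('Crypto', 1024)));   // mixed-caps key, weakened n
```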

See our organizational documentation for an introduction to EthereumJS as well as information on current standards and best practices.

If you want to join the work or make improvements to the libraries, have a look at our contribution guidelines.

MIT License
Copyright (C) 2016 Alex Beregszaszi

[0.6.3] - 2018-12-19
crypto.randomBytes and use randombytes package instead, PR #63
fromV3, PR #62
decipherBuffer usage, PR #77
scrypt.js, which should resolve more installation issues, PR #78

Utilities for handling Ethereum keys
The npm package @compound-finance/ethereumjs-wallet receives a total of 3 weekly downloads. As such, @compound-finance/ethereumjs-wallet popularity was classified as not popular.
We found that @compound-finance/ethereumjs-wallet demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.