
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@ducatuscore/wallet-service
Advanced tools
A Multisig HD Ducatuscore Wallet Service.
Ducatuscore Wallet Service facilitates multisig HD wallets creation and operation through a (hopefully) simple and intuitive REST API.
DWS can usually be installed within minutes and accommodates all the needed infrastructure for peers in a multisig wallet to communicate and operate – with minimum server trust.
See ducatuscore-wallet-client for the official client library that communicates to DWS and verifies its response. Also check ducatuscore-wallet for a simple CLI wallet implementation that relies on DWS.
DWS is been used in production enviroments for Ducatus Wallet.
cd ducatuscore-wallet-service
npm install
npm start
This will launch the DWS service (with default settings) at http://localhost:3232/dws/api.
DWS needs mongoDB. You can configure the connection at dws.config.js
DWS supports SSL and Clustering. For a detailed guide on installing DWS with extra features see Installing DWS.
DWS uses by default a Request Rate Limitation to CreateWallet endpoint. If you need to modify it, check defaults.js' Defaults.RateLimit
DWS can be used with PM2 with the provided app.js script:
pm2 start app.js --name "ducatuscore-wallet-service"
You can add your certificates at the dws.config.js using:
https: true,
privateKeyFile: 'private.pem',
certificateFile: 'cert.pem',
////// The following is only for certs which are not
////// trusted by nodejs 'https' by default
////// CAs like Verisign do not require this
// CAinter1: '', // ex. 'COMODORSADomainValidationSecureServerCA.crt'
// CAinter2: '', // ex. 'COMODORSAAddTrustCA.crt'
// CAroot: '', // ex. 'AddTrustExternalCARoot.crt'
Tx proposal need to be:
deleted also, after been published.The are plenty example creating and sending proposals in the /test/integration code.
ducatuscore.config.json
"regtest": {
"chainSource": "p2p",
"trustedPeers": [
{
"host": "127.0.0.1",
"port": 20020
}
],
"rpc": {
"host": "127.0.0.1",
"port": 20021,
"username": "bitpaytest",
"password": "local321"
}
}
ducatuscore-wallet-service/dws.config.js
blockchainExplorerOpts: {
btc: {
livenet: {
url: 'https://localhost:3000'
},
testnet: {
// set url to http://localhost:3000 here
url: 'http://localhost:3000',
// set regtestEnabled to true here
regtestEnabled: true
}
},
...
Note: all currency amounts are in units of satoshis (1/100,000,000 of a bitcoin).
In order to access a wallet, clients are required to send the headers:
x-identity
x-signature
Identity is the Peer-ID, this will identify the peer and its wallet. Signature is the current request signature, using requestSigningKey, the m/1/1 derivative of the Extended Private Key.
See Ducatuscore Wallet Client for implementation details.
/v1/wallets/: Get wallet informationReturns:
/v1/txhistory/: Get Wallet's transaction historyOptional Arguments:
Returns:
skip & limit params. Each item has the following fields:/v2/txproposals/: Get Wallet's pending transaction proposals and their statusReturns:
List of pending TX Proposals. (see fields on the source code)
Uses cashaddr without prefix for BCH
/v4/addresses/: Get Wallet's main addresses (does not include change addresses)Optional Arguments:
/v1/balance/: Get Wallet's balanceReturns:
/v1/txnotes/:txid: Get user notes associated to the specified transactionReturns:
txid as a string./v1/fiatrates/:code: Get the fiat rate for the specified ISO 4217 codeOptional Arguments:
Returns:
/v1/wallets/: Create a new WalletRequired Arguments:
Returns:
/v1/wallets/:id/copayers/: Join a Wallet in creationRequired Arguments:
Returns:
/v3/txproposals/: Add a new temporary transaction proposalRequired Arguments:
Returns:
.id is probably needed in this case./v2/txproposals/:id/publish: Publish the previously created temporary tx proposalReturns:
/v3/addresses/: Request a new main address from wallet . (creates an address on normal conditions)Returns:
path is returned so client can derive the address independently and check server's response./v1/txproposals/:id/signatures/: Sign a transaction proposalRequired Arguments:
Returns:
.status is probably needed in this case./v1/txproposals/:id/broadcast/: Broadcast a transaction proposalReturns:
.status is probably needed in this case./v1/txproposals/:id/rejections: Reject a transaction proposalReturns:
.status is probably needed in this case./v1/addresses/scan: Start an address scan process looking for activity.Optional Arguments:
/v1/txconfirmations/: Subscribe to receive push notifications when the specified transaction gets confirmedRequired Arguments:
/v1/txnotes/:txid/: Modify a note for a tx/v1/txproposals/:id/: Deletes a transaction proposal. Only the creator can delete a TX Proposal, and only if it has no other signatures or rejectionsReturns:
.id is probably needed in this case./v1/txconfirmations/:txid: Unsubscribe from transaction txid and no longer listen to its confirmationRecomended to complete config.js file:
/v1/pushnotifications/subscriptions/: Adds subscriptions for push notifications service at database/v2/pushnotifications/subscriptions/: Remove subscriptions for push notifications service from databaseFAQs
A service for Mutisig HD Bitcoin Wallets
The npm package @ducatuscore/wallet-service receives a total of 5 weekly downloads. As such, @ducatuscore/wallet-service popularity was classified as not popular.
We found that @ducatuscore/wallet-service demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.