@silencelaboratories/walletprovider-sdk
The frontend library for Silent Network.
The demo directory contains a sample web page that shows example usage of the library. To run it, execute the following:

    bun install
    bun run build
    cd demo
    npm install
    npm run dev

The demo fetches its configuration from the .env file. We provide an example .env here.
The demo communicates with the backend service. Start the backend before using the demo page.
The library is published on the npmjs registry.
Install it in your project as usual:

    npm i @silencelaboratories/walletprovider-sdk

The library communicates with a backend service. An example implementation of such a service is accessible here. Please refer to the backend documentation in order to run the service.
The frontend uses the WalletProviderServiceClient object to connect to the backend and send requests.
For a description of the classes, interfaces, and types, please refer to the documentation.
Users authenticate using an EOA wallet during key generation and register an ephemeral signing key pair that is associated with their identity.
The frontend can later use the ephemeral signing key pair to authorize signing requests for the duration of the session without the need for repeated user interaction, providing a seamless and secure authentication mechanism.
We use EOAAuth to authenticate the user during keygen. The EOAAuth object is created with the user's wallet address, ephemeral public key, and lifetime of the key in seconds.
We then use EphAuth to authenticate the user during signing. The EphAuth object is created with the user's wallet address and ephemeral keypair.
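To make the session model above concrete, here is an added sketch (not the SDK's or the backend's code) of the checks a service has to make on each signing request authorized by an ephemeral key: the key is registered for that address, it is still within its lifetime, and the request signature verifies. The class, method names, reason strings, message layout and sample address are assumptions for illustration, and the wallet-signature check at registration is not modelled.

```javascript
// Added illustration; names and message format are assumptions, not the SDK's API.
const nodeCrypto = require('node:crypto');

class EphemeralKeyRegistry {
  constructor() { this.sessions = new Map(); } // address -> { publicKey, expiresAt }

  // Call only after the wallet-signed keygen request has been verified
  // (that wallet-signature check is not modelled here).
  register(address, publicKey, lifetimeSeconds, nowMs) {
    if (!Number.isInteger(lifetimeSeconds) || lifetimeSeconds <= 0) {
      throw new Error('lifetime must be a positive number of seconds');
    }
    const expiresAt = nowMs + lifetimeSeconds * 1000;
    this.sessions.set(address.toLowerCase(), { publicKey, expiresAt });
  }

  // Returns 'ok' or a refusal reason that can be logged.
  authorize(address, message, signature, nowMs) {
    const key = address.toLowerCase();
    const session = this.sessions.get(key);
    if (!session) return 'unknown-session';
    if (nowMs >= session.expiresAt) {
      this.sessions.delete(key); // an expired key must not be usable again
      return 'expired';
    }
    // Ed25519 takes no separate digest, hence the null algorithm argument.
    const valid = nodeCrypto.verify(null, Buffer.from(message), session.publicKey, signature);
    return valid ? 'ok' : 'bad-signature';
  }
}

function runConstructedScenario() {
  const address = '0x00000000000000000000000000000000000000aa'; // constructed sample
  const eph = nodeCrypto.generateKeyPairSync('ed25519');
  const stranger = nodeCrypto.generateKeyPairSync('ed25519');
  const registry = new EphemeralKeyRegistry();
  const t0 = 1_700_000_000_000; // fixed clock keeps the run deterministic
  registry.register(address, eph.publicKey, 60 * 60, t0); // one hour, as on the page
  const msg = JSON.stringify({ keyId: 'sample-key-id', nonce: '0x7' }); // constructed
  const sig = nodeCrypto.sign(null, Buffer.from(msg), eph.privateKey);
  const forged = nodeCrypto.sign(null, Buffer.from(msg), stranger.privateKey);
  return {
    valid: registry.authorize(address, msg, sig, t0 + 1000),
    tampered: registry.authorize(address, msg + ' ', sig, t0 + 1000),
    wrongKey: registry.authorize(address, msg, forged, t0 + 1000),
    expired: registry.authorize(address, msg, sig, t0 + 3600 * 1000),
    afterExpiry: registry.authorize(address, msg, sig, t0 + 1000),
  };
}
```

The last case shows that once a key has been seen past its lifetime, the session is dropped and the user has to re-authenticate with the wallet.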
The full working example is in the demo. The core object to use is the NetworkSigner.
It lets you generate keys and produce signatures. To create one, you need two other components: the WalletProviderServiceClient, which connects to the backend part of the SDK, and the authentication module. Currently we provide EOA authentication via EOAAuth.
Let's create the NetworkSigner:

    // Assumed: `ed` is the @noble/ed25519 module, which provides the calls used below
    import * as ed from '@noble/ed25519';

    // ephSK and ephPK are declared outside this snippet so the signing step can reuse them.
    // clusterConfig, threshold, partiesNumber and accountsFromBrowserWallet come from the application.

    // Generate ephemeral secret key esk
    const sk = ed.utils.randomPrivateKey();
    ephSK = sk;
    // Derive public part epk from esk
    ephPK = await ed.getPublicKeyAsync(sk);
    // Create a client that connects to the backend service
    const wpClient = await createWalletProviderService(clusterConfig);
    // Create EOA authenticator, signature will include epk
    const eoaAuth = new EOAAuth(
      accountsFromBrowserWallet[0],
      new BrowserWallet(),
      ephPK,
      // Lifetime of one hour
      60 * 60,
    );
    // Create a new signer instance
    const sdk = new NetworkSigner(wpClient, threshold, partiesNumber, eoaAuth);

Now you can generate a key using the authenticateAndCreateKey method. The method accepts optional permissions. No permissions means all operations are allowed.

    const permissions = {
      permissions: [
        {
          type: 'erc20',
          method: 'approve',
          to: '0x1234567890123456789012345678901234567890',
          args: {
            spender: '0x1234567890123456789012345678901234567890',
            value: 10000,
            eq: '<',
          },
        },
      ],
    };
    // Generate a new key
    let resp: KeygenResponse = await sdk.authenticateAndCreateKey(JSON.stringify(permissions));

Calling this method causes the browser wallet window to pop up, requesting the user to sign the request. After execution, a KeygenResponse is returned.
The KeygenResponse contains keyId and publicKey. The publicKey is the public part of the key generated by Silent Network. Use the keyId in subsequent calls to sign.
The esk key can later be used by the frontend to authenticate subsequent signgen requests.
The full signing example is here.
Let's create a NetworkSigner for signing. Note that EphAuth is used to avoid user interaction when generating the signatures.

    const authModule = new EphAuth(accountsFromBrowserWallet[0], ephSK!);
    // Create a new signer instance
    const sdk = new NetworkSigner(wpClient, threshold, partiesNumber, authModule);

Use the NetworkSigner.authenticateAndSign method in order to generate a signature.

    let signMessage = JSON.stringify({
      userOperation: {
        sender: '0x8d4cb2540d993fe34c646299f1ab4af3012ff34c',
        nonce: '0x7',
        initCode: '',
        callData: '0000189a...',
        callGasLimit: '123130',
        verificationGasLimit: '153427',
        preVerificationGas: '66768',
        maxFeePerGas: '',
        maxPriorityFeePerGas: '',
        paymasterAndData: '',
      },
      entryPointVersion: 'v0.6.0',
      entryPointAddress: '0x5FF137D4b0FDCD49DcA30c7CF57E578a026d2789',
      chainId: 80002,
    });
    let resp = await sdk.authenticateAndSign(selectedKeyId, signMessage);

The SignResponse contains the signature sign and the recovery ID recid.
This section is intended for library developers.
Install bun from https://bun.sh

    bun install
    bun run build

The output will be in the dist folder.
Create *.test.ts files and run tests with:

    bun run test
    # or watch test
    bun run test:watch

Please refer to README.md for instructions on how to execute them.
bun run format
bun run docs
FAQs
Frontend SDK for Wallet Providers
The npm package @silencelaboratories/walletprovider-sdk receives a total of 918 weekly downloads. As such, @silencelaboratories/walletprovider-sdk popularity was classified as not popular.
We found that @silencelaboratories/walletprovider-sdk demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.