@substrate/discovery
This package implements the discovery protocol that browsers use to find compliant browser extensions. It introduces a set of window CustomEvents to provide a two-way communication protocol between Polkadot Wallet Provider libraries and injected scripts provided by browser extensions.

The main export is a function called getProviders. This function dispatches an event on the window object that compliant browser extensions (or similar) may respond to by providing back an interface of the correct shape. An array of all the interfaces received is returned to the caller of getProviders.
The discovery protocol is quite simple and can be implemented in these steps:

1. Listen for the substrateDiscovery:requestProvider event.
2. Call the onProvider callback from the event payload synchronously.
3. Dispatch the substrateDiscovery:announceProvider event with the provider details when the script is loaded.

Refer to src/index.ts in this package for an implementation of this protocol.

import { getProviders } from "@substrate/discovery"

const providers = getProviders()
const firstProvider = providers.length > 0 ? providers[0].provider : null
console.log(firstProvider)

This example demonstrates how to filter providers based on a specific rDNS value. This approach is useful when you need to target specific extensions rather than all extensions matching a certain interface.

import { getProviders } from "@substrate/discovery"

const provider = getProviders()
  .filter((detail) =>
    detail.info.rdns.startsWith("io.github.paritytech.SubstrateConnect"),
  )
  .map((detail) => detail.provider)[0]
console.log(provider)


import React, { useEffect, useState } from "react"
import { getProviders } from "@substrate/discovery"

const SmoldotProviderComponent = () => {
  // Keep the whole detail: `provider` is an object (or a promise),
  // which React cannot render as a child.
  const [detail, setDetail] = useState(null)

  useEffect(() => {
    const providers = getProviders()
    if (providers.length > 0) {
      setDetail(providers[0])
    }
  }, [])

  return (
    <div>
      {detail ? <p>Provider: {detail.info.rdns}</p> : <p>Loading provider...</p>}
    </div>
  )
}

export default SmoldotProviderComponent

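
import { getLightClientProvider } from "@substrate/light-client-extension-helpers/web-page"

// createRpc, handlers, BackgroundRpcSpec and CHANNEL_ID come from the
// extension's own code and are not shown here.
const rpc = createRpc(
  (msg: any) =>
    window.postMessage({ msg, origin: "substrate-wallet-template/web" }),
  handlers,
).withClient<BackgroundRpcSpec>()

// Only handle messages tagged as coming from the extension side.
window.addEventListener("message", ({ data }) => {
  if (data?.origin !== "substrate-wallet-template/extension") return
  rpc.handle(data.msg, undefined)
})

// Extend the light client provider with the wallet's account and transaction calls.
const provider = await getLightClientProvider(CHANNEL_ID).then(
  (lightClientProvider) => ({
    ...lightClientProvider,
    async getAccounts(chainId: string) {
      return rpc.client.getAccounts(chainId)
    },
    async createTx(chainId: string, from: string, callData: string) {
      return rpc.client.createTx(chainId, from, callData)
    },
  }),
)

// `detail` is the provider detail object ({ info, provider }) built by the
// extension; its construction is not shown here.

// Answer discovery requests synchronously through the onProvider callback.
window.addEventListener(
  "substrateDiscovery:requestProvider",
  ({ detail: { onProvider } }) => onProvider(detail),
)

// Announce the provider once when the script is loaded.
window.dispatchEvent(
  new CustomEvent("substrateDiscovery:announceProvider", {
    detail,
  }),
)
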
detail.provider can be a promise, depending on the library implementation, which allows announcing provider details while the provider is being initialized.

The substrateDiscovery:requestProvider event payload uses an onProvider callback to respond with the provider details synchronously to the DApp. This lets the DApp get all the providers without waiting for any macrotasks (e.g., setTimeout), microtasks, or an arbitrary amount of time listening for an event (e.g., substrateDiscovery:announceProvider).
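
The exchange described above, with both sides running over a plain EventTarget that stands in for window. This is an added example, not code from @substrate/discovery or its README. DetailEvent, installExtension, isWellFormed, discover and duplicateRdns are hypothetical names, and the shape check and duplicate-rdns check are additions on the DApp side, since info.rdns is reported by whichever script answers the event.

```javascript
// Added example: `bus` stands in for `window`, DetailEvent for CustomEvent.
const REQUEST = "substrateDiscovery:requestProvider"
const ANNOUNCE = "substrateDiscovery:announceProvider"

class DetailEvent extends Event {
  constructor(type, detail) { super(type); this.detail = detail }
}

// Extension side: answer requests synchronously and announce once on load.
function installExtension(bus, detail) {
  bus.addEventListener(REQUEST, ({ detail: { onProvider } }) => onProvider(detail))
  bus.dispatchEvent(new DetailEvent(ANNOUNCE, detail))
}

// DApp side: accept only details of the expected { info: { rdns }, provider } shape.
function isWellFormed(d) {
  return Boolean(d && d.info && typeof d.info.rdns === "string" && d.provider)
}

// DApp side: dispatchEvent runs listeners synchronously, so the list is
// complete by the time this function returns.
function discover(bus) {
  const found = []
  const onProvider = (d) => { if (isWellFormed(d)) found.push(d) }
  bus.dispatchEvent(new DetailEvent(REQUEST, { onProvider }))
  return found
}

// rdns is self-reported by the responding script, so an rdns claimed by
// more than one responder is worth reviewing before a provider is used.
function duplicateRdns(details) {
  const counts = new Map()
  for (const { info } of details) counts.set(info.rdns, (counts.get(info.rdns) ?? 0) + 1)
  return [...counts].filter(([, n]) => n > 1).map(([rdns]) => rdns)
}

// Constructed sample: two responders report the same rdns, one detail is malformed.
function demo() {
  const bus = new EventTarget()
  const rdns = "io.github.paritytech.SubstrateConnect"
  installExtension(bus, { info: { rdns }, provider: { id: "first" } })
  installExtension(bus, { info: { rdns }, provider: Promise.resolve({ id: "second" }) })
  installExtension(bus, { info: {}, provider: {} }) // dropped by isWellFormed
  const details = discover(bus)
  return { count: details.length, duplicates: duplicateRdns(details) }
}
console.log(demo())
```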
We found that @substrate/discovery demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.