Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
rn-bitcoinjs-lib
Advanced tools
####Note: Great news! This library is no longer required for bitcoinjs-lib versions 5.1 and up. Please use this Gist instead to get your RN project up and running.
This is a React Native compatible version of bitcoinjs-lib, a javascript Bitcoin library for node.js and browsers. Written in TypeScript, but committing the JS files to verify.
Released under the terms of the MIT LICENSE.
If you are thinking of using the master branch of this library in production, stop. Master is not stable; it is our development branch, and only tagged releases may be classified as stable.
Don't trust. Verify.
You shouldn't trust or rely on this repo for anything other than testing. To setup bitcoinjs-lib (5.0.5) in your RN project, please follow the how-to below: RN BitcoinJS-Lib (5.0.5) Setup
If you have any difficulty with the setup instructions below and need a repo for reference, feel free to clone, review and experiment with the pre-built RN repo here: RNBitcoinJS
We recommend every user of this library and the bitcoinjs ecosystem audit and verify any underlying code for its validity and suitability.
Mistakes and bugs happen, but with your help in resolving and reporting issues, together we can produce open source software that is:
Buffer
's throughout, andPresently, we do not have any formal documentation other than our examples, please ask for help if our examples aren't enough to guide you.
yarn add rn-bitcoinjs-lib
Typically we support the Node Maintenance LTS version. If in doubt, see the .travis.yml for what versions are used by our continuous integration tests.
WARNING: We presently don't provide any tooling to verify that the release on npm
matches GitHub. As such, you should verify anything downloaded by npm
against your own verified copy.
Install the following dependencies:
yarn add buffer-reverse react-native-randombytes crypto buffer@5
yarn add --dev rn-nodeify
react-native link react-native-randombytes
Add the following to your script in package.json:
"postinstall": "rn-nodeify --install buffer,stream,assert,events,crypto,vm --hack && cd node_modules/bs58 && yarn add base-x@3.0.4 && cd ../../"
Install any remaining dependencies and run postinstall.
NOTE: (If you receive an error about "shim.js" not existing just run yarn install
again):
yarn install
Add the following to shim.js:
if (typeof Buffer.prototype.reverse === 'undefined') {
var bufferReverse = require('buffer-reverse');
Buffer.prototype.reverse = function () {
return bufferReverse(this);
};
}
Add/Uncomment "require('crypto')" at the bottom of shim.js:
require('crypto')
Finally:
yarn install
Usage
import "./shim";
const bitcoin = require("rn-bitcoinjs-lib");
const keyPair = bitcoin.ECPair.makeRandom();
const { address } = bitcoin.payments.p2pkh({ pubkey: keyPair.publicKey });
console.log(address);
Crypto is hard.
When working with private keys, the random number generator is fundamentally one of the most important parts of any software you write.
For random number generation, we default to the randombytes
module, which uses window.crypto.getRandomValues
in the browser, or Node js' crypto.randomBytes
, depending on your build system.
Although this default is ~OK, there is no simple way to detect if the underlying RNG provided is good enough, or if it is catastrophically bad.
You should always verify this yourself to your own standards.
This library uses tiny-secp256k1, which uses RFC6979 to help prevent k
re-use and exploitation.
Unfortunately, this isn't a silver bullet.
Often, Javascript itself is working against us by bypassing these counter-measures.
Problems in Buffer (UInt8Array)
, for example, can trivially result in catastrophic fund loss without any warning.
It can do this through undermining your random number generation, accidentally producing a duplicate k
value, sending Bitcoin to a malformed output script, or any of a million different ways.
Running tests in your target environment is important and a recommended step to verify continuously.
Finally, adhere to best practice. We are not an authorative source of best practice, but, at the very least:
Math.random
- in any way - don't.Use bitcoinjs-lib
Use bitcoinjs-lib
Type declarations for Typescript are included in this library. Normal installation should include all the needed type information.
The below examples are implemented as integration tests, they should be very easy to understand. Otherwise, pull requests are appreciated. Some examples interact (via HTTPS) with a 3rd Party Blockchain Provider (3PBP).
If you have a use case that you feel could be listed here, please ask for it!
See CONTRIBUTING.md.
npm test
npm run-script coverage
FAQs
Client-side Bitcoin JavaScript library
The npm package rn-bitcoinjs-lib receives a total of 3 weekly downloads. As such, rn-bitcoinjs-lib popularity was classified as not popular.
We found that rn-bitcoinjs-lib demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.