Notes on security of your browser local storage

On this version, when you create an account, a mnemonic seed phrase is generated from the bip39 library and a public/private key pair is derived from this mnemonic phrase. Then, your wallet is encrypted with the password you provide and the encrypted version of your wallet is stored in the local storage of your browser. What does this mean?

If you create an account and a fund, then close your browser, next time you’ll come back to use melon.fund on this browser, you’ll have access to your fund again with no effort.

For each transaction you try to make, you will be asked to type your password so that your encrypted wallet can sign the transaction you want to make.

If you saved your mnemonic seed phrase, you can retrieve access to your fund from any browser as we included the recover from mnemonic functionnality.

as we included the recover from mnemonic functionnality. You can now have access and manage your Melon fund from any device, including your mobile. Just try it!

But it also means:

Your encrypted wallet is as secure as your computer/browser is secure . As with any other Ethereum wallet interface such as Metamask or MyEtherWallet, if your computer happened to be compromised, sensitive information could be stolen. This would also be the case if you store keys or an encrypted walled on your hard drive. This is always a good occasion to remind you to keep your computer safe, have an antivirus, make sure to upgrade your operating system often etc.

. As with any other Ethereum wallet interface such as Metamask or MyEtherWallet, if your computer happened to be compromised, sensitive information could be stolen. This would also be the case if you store keys or an encrypted walled on your hard drive. This is always a good occasion to remind you to keep your computer safe, have an antivirus, make sure to upgrade your operating system often etc. You cannot use melon.fund with a browser in incognito mode (we can’t use the local storage there).

(we can’t use the local storage there). As we deploy our codebase to IPFS, our local storage is currently bound to the IPFS domain name (not good ..), so potentially would be accessible to any other application deployed on IPFS.

The current lack of access restrictions of local storage to IPFS sites hinders our development. Therefore, this in-browser local storage strategy is not intended to be used on the mainnet, as it is not fully secure.

We’ll be using this in-browser local storage strategy only in the context of the testnet for now, which we think is fine as your encrypted wallet will only hold test tokens.

We see IPFS integration in major browser applications as a huge opportunity for decentralized applications; access restriction based on IPFS hash or IPFS name would solve the problem of having the encrypted wallet accessible to other IPFS application and would be a major step forward. There are ongoing discussions about this subject, you can read more here if you’re interested. It would be a great addition not just for Melon but for any project that would like to uphold the virtues of true decentralization.

Using an application deployed on IPFS means that you can verify the code base that was deployed with the IPFS hash; therefore, you can be sure that there is no hidden/malicious code. This feature goes quite well with key storage as you can be certain that the application doesn’t do anything malicious with your keys. It is a much more secure approach than using for example any iOS app where you have no way to know what the application really does with your keys.

Having a decentralized application powered by smart contracts and deployed to IPFS is the way forward for top level security.

As soon as browsing IPFS sites comes with local storage access restriction and independent security context, you can enjoy a fully secure and decentralized asset management experience from your mobile, just imagine how amazing that will be …

Until then, on the mainnet, we will enforce the use of a local Parity node for maximum security, and we will adapt our frontend application so that it can run with the Parity signer or in the Parity browser, which will provide a very high security level.

Am I safe ? Not safe?

This is the testnet so the concerns are different from the ones on the mainnet. The idea here is to lower barriers to entry as much as possible, to make it as easy as it gets to test the Melon protocol.

To be clear, this in-browser encrypted wallet storage strategy should only be used for testing purposes, exclusively on the testnet. This version of the frontend should not be used for mainnet purposes.

However, we will be running the Melon Manager Competition on the testnet. Those competitions will entail real money prizes for the winners, so we want to make sure everyone is aware of the security precautions to take in order to always be in control of your Melon fund:

As long as your browser is not compromised and as long as you don’t visit any untrusted IPFS applications, your testnet encrypted wallet is absolutely safe.