HERO has solved the challenge of balancing the best possible user experience with the highest standard of security for an on-platform ERC20 wallet!

HEROcoin (PLAY) was designed as a cryptocurrency for peer-to-peer online betting. With herosphere.gg, the first use case is now in closed beta. One of the major development challenges was the on-platform wallet for PLAY, which every user needs in order to participate in match predictions and fantasy.

At the current state of technology, no similar use case has published a working and user-friendly solution that we could have drawn inspiration from, so we came up with our own unique way of handling an on-platform wallet.

Our goal was to ensure that every user has a valid Ethereum address in order to be able to transfer PLAY and ETH with maximal security. All in all, an infrastructure that allows users to buy into contests on herosphere.gg was needed and successfully created.

This means the process consists of the following four major requirements:

→User has an on-platform wallet address

→User can transfer funds to his/her on-platform wallet from his/her original PLAY wallet

→Private key is secure

→User can buy into a contest and gets paid if he/she wins

How do we provide maximum security for the private key?

Our highest priority is the security of the private key of the platform wallet in every possible aspect. The best way to ensure that is to never actually store the private key. Our security derives from two separate sources:

→Password on the user side

→Server salt on our side

During the wallet creation process we require the user to enter a strong password, a personally chosen password just like on other platforms. This password is created by the user and lives in the user's browser. It is never transferred over the internet or stored anywhere else. The important point to understand is that the password is only accessible on the user side.

In addition to that, we provide a so-called “server salt”. The server salt is randomly generated data that is used as an additional input when hashing data, and it is stored in our database. In contrast to the password created by the user, the server salt is created on our server and transferred over the internet. In the user's browser, the server salt is then combined with the user password.

What does it mean and what is the actual effect?

herosphere.gg stores only one part of the private key, so attacks on our database are obsolete: any information gathered there is useless to malicious third parties. Above all, every user is in full control of the private key; no one but the user can generate the private key again. This security comes at a price, though. The user-created password can’t be restored, meaning that forgetting the password is fatal. There is no chance for us (herosphere.gg) to restore it. This is a huge achievement in private key security for on-platform wallets, and it opens the door for further development to soften the impact of a password loss by the user.
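One way the derivation described above could work, as an added example (not herosphere.gg's code; the page does not name its key-derivation function): scrypt, its cost parameters, the function names and the sample inputs are assumptions. Because the server knows the salt, the strength of the password and the cost of the KDF are what resist offline guessing if a salt leaks.

```javascript
// Added example, not herosphere.gg code. Node's crypto module stands in for
// the browser-side step; scrypt and its cost parameters are assumptions.
const crypto = require('crypto');

// Order of the secp256k1 group: a valid Ethereum private key lies in [1, N-1].
const SECP256K1_N = BigInt(
  '0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141');

// Memory-hard settings make each password guess expensive for an attacker.
const SCRYPT_PARAMS = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Server side: the salt is the only wallet-related secret stored or sent.
function newServerSalt() {
  return crypto.randomBytes(32);
}

// Client side: combine password and salt; the result is used, never stored.
function derivePrivateKey(password, serverSalt) {
  if (typeof password !== 'string' || password.length === 0) {
    throw new Error('password required');
  }
  if (!Buffer.isBuffer(serverSalt) || serverSalt.length < 16) {
    throw new Error('server salt must be at least 16 random bytes');
  }
  // NFKC normalisation: the same typed password yields the same bytes
  // regardless of keyboard layout or browser.
  const pw = Buffer.from(password.normalize('NFKC'), 'utf8');
  // Derive 40 bytes and reduce into [1, N-1]; the 64 surplus bits keep the
  // modulo bias negligible.
  const wide = crypto.scryptSync(pw, serverSalt, 40, SCRYPT_PARAMS);
  const scalar = (BigInt('0x' + wide.toString('hex')) % (SECP256K1_N - 1n)) + 1n;
  return Buffer.from(scalar.toString(16).padStart(64, '0'), 'hex');
}

// Turning the key into an address (secp256k1 public key, then Keccak-256)
// needs a library outside Node's standard crypto module and is omitted here.
```

The same password and salt always regenerate the same 32-byte key, which is why nothing but the salt has to be kept in the database and why a forgotten password cannot be recovered.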

How do we enable a user to buy into the contest?

Each buy-in is a transaction on the blockchain, coming with transaction costs and confirmation time. No one wants to use a platform where one has to pay for transaction costs and wait until the transaction is confirmed just to participate in a contest. This is not the user experience we want to offer. In general there are two possible ways to handle transactions:

→User performs and pays the transaction

→herosphere.gg performs and pays the transaction

Case 1

Contest participants pay the transaction costs themselves. Crypto users are used to paying for transactions, but not everyone has dealt heavily with crypto before. Besides having HEROcoin (PLAY) in the wallet, a user also needs to have a tiny amount of Ethereum in order to pay the transaction fees as gas. Furthermore, users have to enter the password every time they buy into a contest. Entering the password allows the private key to sign the transaction. In our opinion this is not a very user-friendly scenario. So let’s see what Case 2 looks like:

Case 2

Alternatively, the user gives an allowance to herosphere.gg to transfer funds from their wallet to the contest contract. This means that herosphere.gg buys the user into the contest (if the user decides so in the herosphere front-end). We are talking about an ERC20 allowance function, which is handled by a “Controller Smart Contract”. The main advantage is that herosphere.gg can trigger the buy-in transfer and thanks to the allowance we don’t need a private key to sign a transaction. Users don’t need to enter the password every time they want to enter a contest and herosphere.gg pays the transaction costs, resulting in a better user experience.

At the moment our BETA phase is live with the case 2 solution but we are continuously learning with our community, trying to understand the needs and preferences of every single person. Together we are figuring out which way to go.

In the end:

Every user wallet on herosphere.gg communicates with a controller contract, a smart contract that has an allowance to take funds from the user wallet and transfer them into a contest contract. When the user buys in via the front end, the controller contract moves funds from the user's balance to the contest contract. All of this happens in the background, so the user is not confused and does not have to worry about it. After the contests are handled and the results are known, funds are paid out to the user's wallet automatically.

As a result, buy-ins and payouts are recorded on the Ethereum blockchain. This is an important step closer to our vision: Making betting more transparent, secure and resistant to manipulation.
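The allowance flow from Case 2 and the summary above, as an added in-memory model of the ERC20 approve/transferFrom semantics (not the project's contracts; the class names, `buyIn`, the addresses and the amounts are hypothetical). It shows that the approved amount is the upper bound on what the controller can move without a further signature from the user.

```javascript
// Added illustration: plain-JavaScript model of ERC20 allowance semantics.
// `sender` stands in for msg.sender, i.e. whoever signed the transaction.
class Erc20Model {
  constructor(balances) {
    this.balances = new Map(Object.entries(balances));
    this.allowances = new Map(); // "owner>spender" -> remaining amount
  }
  balanceOf(addr) { return this.balances.get(addr) ?? 0n; }
  allowance(owner, spender) {
    return this.allowances.get(`${owner}>${spender}`) ?? 0n;
  }
  // Only a transaction signed by the owner can grant or change an allowance.
  approve(sender, spender, amount) {
    this.allowances.set(`${sender}>${spender}`, amount);
  }
  // Sent by the spender; needs no signature from `from`, only an allowance.
  transferFrom(sender, from, to, amount) {
    const allowed = this.allowance(from, sender);
    if (amount > allowed) throw new Error('allowance exceeded');
    if (amount > this.balanceOf(from)) throw new Error('insufficient balance');
    this.allowances.set(`${from}>${sender}`, allowed - amount);
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
  }
}

// Hypothetical controller: the platform sends (and pays gas for) the buy-in.
class ControllerModel {
  constructor(token, address) { this.token = token; this.address = address; }
  buyIn(user, contest, stake) {
    this.token.transferFrom(this.address, user, contest, stake);
  }
}

function runBuyIns() {
  const token = new Erc20Model({ user: 100n });
  const controller = new ControllerModel(token, 'controller');
  token.approve('user', 'controller', 30n);  // the one user-signed step
  controller.buyIn('user', 'contestA', 20n); // platform-sent, within allowance
  let rejected = false;
  try { controller.buyIn('user', 'contestB', 20n); } catch { rejected = true; }
  return {
    user: token.balanceOf('user'), contestA: token.balanceOf('contestA'),
    remaining: token.allowance('user', 'controller'), rejected,
  };
}
```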

If you have questions or would like to discuss this, please get in touch. We are active on all of these channels:

Telegram: https://t.me/joinchat/FsEwOwtrCZMWwHokEj70Gw

Bitcointalk: https://bitcointalk.org/index.php?topic=2116864.0

Reddit: https://www.reddit.com/r/HEROcoin/

FB HERO: https://www.facebook.com/HEROcoinio/

FB Herosphere: https://www.facebook.com/herosphere.gg/

Twitter: https://twitter.com/HEROcoinio

Youtube: https://www.youtube.com/channel/UCi6gLMu21XsrnWcdS0VOwdw