GIP-73: Should GnosisDAO give a grant to Pluser?
- Let’s do this!
- Make no changes
GIP: 73
title: Should GnosisDAO give a grant to Pluser?
author: Pluser Team
status: phase 2
type: Funding
created: 2022-12-01
Website: https://www.pluser.io/
Summary
We would like to receive a grant from Gnosis DAO to create Pluser wallet. Pluser is the safest and simplest cryptocurrency wallet for the retail market on Gnosis Chain. Our wallet is built on top of Gnosis Safe contracts, chainlink oracles, and the Torus network.
Introduction
The collapse of FTX showed that we can’t trust a centralized exchange. But currently, there is no simple and safe non-custodial alternative for keeping crypto, investing, and using web3. We want to show you our solution to the problems of cryptocurrency wallets.
Problems
We see several problems with current non-custodial wallets.
Non-custodial means that you have sole control of your wallet. No one has access to your wallet.
Seed phrase
When you create a non-custodial wallet, you need to save your seed phrase. This seed phrase serves as access to your wallet. You need to keep it in the safest place. If you lose your seed phrase, you lose access to your wallet. Let’s look at statistics from web2 about password storing.
Users do not store their passwords very safely. That’s why services use additional security methods for your account.
Instead of helping the user to securely access their funds, web3 shifts the responsibility for storage onto the user. This slows down mass adoption and increases the risk of being hacked or losing access.
One seed for a wallet
If you want to use your wallet on several devices, you need to write your seed phrase on new devices. This increases the risk of compromising your seed phrase. And you can’t revoke access from your device if you lose the device. For example, if you lost your smartphone, you would want to revoke smartphone access through your laptop. For current wallets, the only thing you can do is transfer all your money to a new wallet as soon as possible.
Only one protection factor
If your wallet is stolen, you will find out too late that your funds have been stolen. Wallets don’t have a second protection factor and can’t notify you of suspicious activity.
Complicated for web2 users
Wallets have a lot of problems with user experience. For example, you need to have ETH in your wallet to pay fees; wallets have a lot of crypto terms, etc. They are very important indeed, but the security issues come first.
Our principles
Our philosophy is based on several beliefs.
- Protection from access loss
A user must be protected from losing access to his wallet. - Simplicity
Wallets should be easy to use, like a Google/Apple/Facebook account. - Hackers never sleep
Hackers will always try to rob wallets. The wallet must have a high level of security so that the user is not afraid of being hacked. - Non-custodial as a fundamental human right
No one should have access to or influence over the user’s wallet other than the wallet’s owner.
Solution
We have been thinking about these problems for a long time and we have studied various options for how to solve them. The solution we developed consists of 4 elements.
Login and recover via email
We provide the ability to log into the wallet using email. At the same time, the wallet is non-custodial i.e. we don’t have access to it. We achieve this using a combination of several technologies.
Keys management
You can log in on different devices. For each device, a new private key which will have access to your wallet will be created. Then this private key is added to the wallet’s smart contract. If your device is lost, then you can simply revoke access to your wallet for this private key.
Decentralized 2FA
If your wallet is stolen, our decentralized second factor will not let hackers empty your wallet. You can make your email or a one-time code the second factor. To decentralize such a solution, we use chainlink oracles.
Ease of use
This problem is solved quite simply via integration of different services. For example, we can use the Ethereum Gas Station Network to pay the fees, add flashbots to prioritize the transaction, add a chart from the trading view, etc. We wanted to point out this problem, but we want you not to take it into account as much as the previous points. So let’s keep this problem in mind, but focus on security.
How Pluser manages private keys
To create Pluser, we use a combination of technologies: Gnosis Safe contracts, Torus, and Chainlink.
For each wallet, we create an authorization key and a Gnosis Safe wallet. The authorization key is encrypted using a master password. The encrypted key is sent to the Torus network and stored there. Access to this key can be obtained with email and password.
When you log in for the first time on a device, we create a device key and use the authorization key to add it to the Gnosis wallet.
Any transaction sent from your wallet must be signed by one of the device keys and chainlink oracles as 2FA providers.
There may be a situation when you want to log in from a new device. For example, you have a wallet on your smartphone, and now you want to log in from the web. To do this, you need to have access to your email, the master password, and one of the authorized devices. In our example, this is a smartphone. Technically speaking, we need the signature of the authorization key and the device key.
What happens if I lose access?
Let’s look at different situations of loss of access and how we solve them.
Lost access to the only authorized device
If you lose access to a single device, you can send a transaction to the contract by specifying a new device and signing it using the authorization key. Your wallet will be blocked for 24 hours for security reasons. To get an authorization key, you need to have access to the email and remember the password to decrypt your key.
Forgotten password
You can go through 2FA with chainlink oracles and send a request to restore access to the contract. In this case, your wallet will be blocked for 14 days. If you manage to remember your password, you will be able to unlock your wallet and cancel the recovery request.
Potential attacks
Hackers never sleep, so there is always a risk of a targeted attack. Let’s break down the types of potential attacks and the defenses we create to protect you.
If your email is hacked
If someone gets access to your email, they will be able to apply for a change of authorization key. You will have 14 days to cancel it. As you will be notified about this, you can change your password by email and cancel the application by attaching a signature with the device key and the authorization key and passing the 2FA verification using chainlink oracles.
If your password and email are hacked
In this case, attackers will be able to access the authorization key. They will be able to add a new device. You will have 24 hours to cancel the request to add a new device, change the password by email, and send a request to the contract to replace the authorization key.
If the private key is stolen from your device
The attacker will not have access to email and will not be able to pass 2FA with oracles, which is required to send a transaction.
If both one of your devices and email are hacked
In this case, your funds are at risk. To protect against this situation, you can add multiple 2FAs to your wallet. Then the hacker will have to gain access to your device and all the 2FAs.
If the oracles begin to censor me
You can submit a disconnect request to the smart contract and turn your wallet into a normal Gnosis wallet. Following the application, your wallet will be blocked for 14 days.
What we can’t protect you from
Unfortunately, we can’t protect you from a virus attack where all your devices are infected with some kind of virus. Such viruses can gain access to your email and authorized devices. If there is a risk of infection in your devices, then I advise you to use U2F devices for 2FA or to purchase a hardware wallet.
Team experience with grants
Our team has experience in developing cryptocurrency wallets. We received a grant for Fractapp from the web3 foundation (link). We have fulfilled it completely. But unfortunately, we later closed the project due to a lack of traction.
Implementation
We need $50,000 for 6 months. For this amount, we will be able to develop an MVP, which will include:
create a wallet via email; recovery wallet; decentralized 2FA via email; connect a wallet to a website with walletconnect; Android, and IOS applications.
GnosisDAO Snapshot
*Phase 2 Proposals: Please ignore this section, and leave as is. It is used for Phase 3 proposals.
Phase 3 Proposals: Snapshot