Added Coin.Space wallet #1285
I have reviewed Coin.Space from CoinSpace based on the current wallet requirements criteria and my evaluation is below. Last year this wallet was reviewed and I recommended another review after several bugs could be corrected and more usage could be identified.

The summary is that the wallet passes on security and overall design. Coin.Space is heavily based on the popular Hive wallet which was listed until it was discontinued last year. During testing, numerous bugs, mostly in the area of UI and user interaction, were reported and fixed. While these bugs never resulted in loss of funds, they did present confusing balance and transaction information to users. For this reason I recommend more testing and QA in the future.

The wallet provides two optional convenience features for discovering addresses, OpenAlias and Mecto, which I strongly recommend against using. The OpenAlias implementation provides a static wallet address which is available to the public via a DNS lookup, encouraging address re-use and discouraging privacy. The Mecto feature allows searching for other Coin.Space users within a certain geographic range. When enabled it exposes the exact geolocation and Bitcoin address of a transaction recipient to unauthenticated attackers.

As an aside, while it has been discussed, we have not kept wallet requirements up to date with changing fee requirements and thus we have no fee related requirements. It should be noted that Coin.Space offers no user control over the fee used when creating transactions. This should be addressed in the future.

I recommend Coin.Space for listing and I concur with the current scoring in the pull request.

Coin.Space v2.1.3, Review Version 2016060501

The wallet list is based on the personal evaluation of the maintainer(s) and regular contributors of this site, according to the criteria detailed below. These requirements are meant to be updated and strengthened over time. Innovative wallets are exciting and encouraged, so if your wallet has a good reason for not following some of the rules below, please submit it anyway and we'll consider updating the rules.

NOTE The Mecto feature (searching for other Coin.Space users based on geographic location) was exercised, and bugs were reported related to inconsistent search results
CONCERN The Mecto API allows unauthenticated attackers to determine the exact geolocation, Bitcoin address, and Coin.Space id of any Mecto enabled users in an attacker chosen ~1km radius
NOTE The wallet user has no control over the transaction fee
NOTE The OpenAlias feature advertises static Bitcoin addresses via DNS leading to address reuse

Basic requirements:

NOTE Coin.Space was released over a year ago
NOTE Coin.Space is based on the popular Hive Wallet which has since been discontinued
NOTE CoinSpace claims over 40,000 accounts created https://www.coin.space
NOTE Google Play 1000-5000 downloads
NOTE CoinSpace claims over 1000 iOS downloads/month
PASS Sufficient usage was found

PASS No indication found using standard web searches using Google and Bing

NOTE There was previously a bug bounty at https://hackerone.com/coinspace, but it is no longer active
PASS No indication found

PASS Uses BitcoinJS, CryptoJS, and secure-random

PASS No indication found
NOTE Because of the type of bugs that were found during review, more wallet testing and QA is recommended

PASS Android 28-Mar-2015 https://www.coin.space/blog/android-client
PASS Windows Phone 22-Apr-2015 https://www.coin.space/blog/windows-phone-app

PASS Previous concerning bugs have been corrected

PASS http://www.coin.space which links to downloads redirects correctly
PASS http://coin.space web wallet redirects correctly

PASS https://www.coin.space (links to downloads): A+ rating (with Cloudflare)
PASS https://coin.space (wallet): A+ rating (with Cloudflare)

PASS https://www.coin.space 180 days
PASS https://coin.space 180 days

PASS Link to Crunchbase on https://www.coin.space/features.html

NOTE An encryption key is stored online that is used to decrypt local wallet storage.

PASS Aggressive lockout: Account is deleted after five failed PINs.
NOTE No filter for common PINs.
NOTE Lost PIN recovery process is full restore from BIP39 phrase.

N/A

PASS Wallet backup is BIP39 phrase

PASS Wallet was restored from BIP39 phrase. Wallet was also restored to MultiBit HD using BIP39 phrase.

PASS https://github.com/CoinSpace

N/A

N/A

Optional criteria (some could become requirements):

NOTE No audit

PASS Uses a new change address for each transaction

PASS Displays an unused address for each receive
NOTE A receive address may be re-displayed if it has not yet received a transaction
CONCERN When using OpenAlias, the same Bitcoin address is always used

PASS Does not show received from addresses

PASS A transaction created by the wallet was re-signed using custom code compatible with RFC 6979 and the signatures matched.

PASS A contact form is provided https://www.coin.space/contact.html
NOTE There is also a support request button on the settings frame in the wallet

N/A

PASS Supports BIP32 using standard m/0'/c/i path

PASS Provides BIP39 phrase on setup and encourages users to write it down
NOTE Wallet seed is never available to end users after setup

PASS KDF is not used. The server returns a strong key when the correct PIN is supplied.
NOTE This requires the server to be available to access the wallet in any way

PASS Local wallet storage is encrypted by default

N/A
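The RFC 6979 line in the review above (re-signing a wallet transaction with independent code and comparing signatures) is the standard way to confirm that a wallet's nonces are deterministic rather than drawn from a possibly weak random source. The following is an added example, not code from Coin.Space, BitcoinJS or this pull request. It implements RFC 6979 section 3.2 with HMAC-SHA256 over secp256k1 using only the Python standard library (3.8 or later for `pow(x, -1, m)`), and assumes the usual Bitcoin conventions: the signed data is hashed with SHA-256, and `s` is normalised to the low half of the group order. The check value is the widely published `d = 1` / `"Satoshi Nakamoto"` RFC 6979 test vector carried by library test suites; the curve constants are the public secp256k1 parameters.

```python
# Added example (not Coin.Space / BitcoinJS code): RFC 6979 deterministic ECDSA over
# secp256k1 in pure Python, as an independent re-signer for a wallet review.
# Assumptions: message is SHA-256 hashed once; signatures are low-s normalised.
import hashlib
import hmac

# secp256k1 domain parameters: field prime, group order, generator point
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine point addition on secp256k1; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, point):
    """Double-and-add. Not constant-time: fine for a review tool, not for a wallet."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def rfc6979_nonce(priv, h1):
    """RFC 6979 section 3.2, HMAC-SHA256. qlen == hlen == 256, so bits2int is the identity
    and bits2octets(h1) is int2octets(h1 mod N)."""
    x = priv.to_bytes(32, "big")
    hb = (int.from_bytes(h1, "big") % N).to_bytes(32, "big")
    v, k = b"\x01" * 32, b"\x00" * 32
    k = hmac.new(k, v + b"\x00" + x + hb, hashlib.sha256).digest()   # step d
    v = hmac.new(k, v, hashlib.sha256).digest()                       # step e
    k = hmac.new(k, v + b"\x01" + x + hb, hashlib.sha256).digest()   # step f
    v = hmac.new(k, v, hashlib.sha256).digest()                       # step g
    while True:                                                       # step h
        v = hmac.new(k, v, hashlib.sha256).digest()
        cand = int.from_bytes(v, "big")
        if 1 <= cand < N:   # (the r == 0 retry of step h.3 is omitted: probability ~2^-256)
            return cand
        k = hmac.new(k, v + b"\x00", hashlib.sha256).digest()
        v = hmac.new(k, v, hashlib.sha256).digest()


def deterministic_nonce(priv, msg):
    """Nonce for SHA-256(msg); exposed separately so it can be compared with test vectors."""
    return rfc6979_nonce(priv, hashlib.sha256(msg).digest())


def sign(priv, msg):
    """Return (r, s) with low-s normalisation (the form Bitcoin wallets emit)."""
    h1 = hashlib.sha256(msg).digest()
    z = int.from_bytes(h1, "big")
    k = rfc6979_nonce(priv, h1)
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    if s > N // 2:
        s = N - s
    return r, s


def verify(pub, msg, sig):
    """Plain ECDSA verification against an affine public key (x, y)."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    pt = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recheck(priv, msg, wallet_sig):
    """The review's check: re-sign independently and compare with the wallet's (r, s)."""
    return sign(priv, msg) == tuple(wallet_sig)


if __name__ == "__main__":
    # Constructed demo input: private key 1, so the public key is G itself.
    msg = b"Satoshi Nakamoto"
    r, s = sign(1, msg)
    print("k =", hex(deterministic_nonce(1, msg)))
    print("r =", hex(r))
    print("s =", hex(s))
    print("same signature on re-sign:", recheck(1, msg, (r, s)))
    print("verifies:", verify(G, msg, (r, s)))
```

For a real transaction the input to `sign` is the sighash preimage, which Bitcoin hashes with double SHA-256 rather than once; this example hashes once because that is how the published RFC 6979 vectors are defined. If a wallet's signature does not match on re-signing, check the hash construction and the low-s normalisation before concluding that the wallet is not using RFC 6979.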
jspeigner commented Jun 12, 2016
Thank you for the review, we look forward to providing another Bitcoin Wallet to the community.
Merged here 23d06b4. Great work on this wallet.
nikashitsa commented Apr 22, 2016 (edited)
Coin.Space HD Wallet is a free online bitcoin wallet, which you can use to make worldwide payments for free. It makes paying with bitcoins easy and secure, available anywhere on your phone or desktop.
Previous attempt #963.
Removed sending BIP39 phrases over SMS, added iOS app. Tagged as v2.1.3.