
EIP-6963: Possible Solutions To Multi-wallet Conflicts

Current issues

EIP-6963 proposes an alternative discovery mechanism for EIP-1193 providers that does not rely on window.ethereum: it uses JavaScript window events so that a web page can discover multiple injected wallet providers.

Today, wallet providers that ship browser extensions must inject their Ethereum providers (EIP-1193) under the same property, window.ethereum; this causes conflicts for users who install several wallet extensions.

Browser extensions are loaded into the web page in an unpredictable order, creating a race in which the user has no influence over which wallet provider ends up exposing the Ethereum interface under window.ethereum. In most cases, the last wallet to load wins.

This not only degrades the user experience but also raises the barrier to entry for new browser extensions, since users can effectively use only one wallet extension at a time.

Several browser extensions try to mitigate this by delaying their injection so that they overwrite window.ethereum last, resulting in unfair competition and a lack of interoperability between wallet providers.

What is the EIP-6963 solution?

The proposal specifies a standardized vendor information interface (EIP6963ProviderInfo), which is required to populate wallet selection pop-ups. The standard also stresses the importance of exposing the provider interface (EIP6963ProviderDetail), while the EIP-1193 provider interface itself remains unchanged for compatibility.

The following are key characteristics of the vendor information interface:

  • walletId: The wallet provider's globally unique identifier (e.g. io.dopewallet.extension or awesomewallet).
  • uuid: A locally unique identifier for the wallet provider, in UUIDv4 format.
  • name: The wallet provider's human-readable name (e.g. DopeWalletExtension or Awesome).
  • icon: A URI to an image that must be square and have a minimum resolution of 96 × 96 px. PNG and WebP, as well as vector formats such as SVG, are suggested. The EIP's authors strongly advise against lossy formats like JPG/JPEG.

Both the Ethereum library (the dapp side) and the wallet provider use window.dispatchEvent to emit events and window.addEventListener to listen for them. When the Ethereum library initializes, it dispatches the "eip6963:requestProvider" event; each wallet provider responds by dispatching the "eip6963:announceProvider" event, carrying its vendor information and its provider interface.
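The request/announce exchange above, as an added example that is not code from the article or from the EIP: a wallet side that announces itself, and a dapp side that listens, requests, validates each announcement and de-duplicates by uuid. The field names follow the article's list (walletId, uuid, name, icon); the wallet identifiers, UUIDs and the EIP-1193 stub are constructed, and a bare EventTarget stands in for window so it runs under Node.

```javascript
// Added example, not code from the article or the EIP. In a browser `win` is
// `window`; a bare EventTarget stands in so the snippet also runs under Node.
const win = globalThis.window ?? new EventTarget();

// The EIP uses CustomEvent; older Node lacks it, so fall back to Event + detail.
function makeEvent(type, detail) {
  if (typeof CustomEvent === 'function') return new CustomEvent(type, { detail });
  return Object.assign(new Event(type), { detail });
}
const UUID_V4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// Dapp side: an announcement is untrusted input from whatever script dispatched
// it, so validate the vendor information before showing it in a wallet picker.
function isValidInfo(info) {
  return Boolean(info) &&
    typeof info.walletId === 'string' && info.walletId.length > 0 &&
    typeof info.uuid === 'string' && UUID_V4.test(info.uuid) &&
    typeof info.name === 'string' && info.name.length > 0 &&
    typeof info.icon === 'string' && info.icon.length > 0;
}
// Wallet side: announce once on load, and again whenever a dapp asks.
// The detail is frozen so a later script cannot swap the provider out from under the dapp.
function installWallet(info, provider) {
  const detail = Object.freeze({ info: Object.freeze({ ...info }), provider });
  const announce = () => win.dispatchEvent(makeEvent('eip6963:announceProvider', detail));
  announce();
  win.addEventListener('eip6963:requestProvider', announce);
}
// Dapp side: listen first (wallets may load later), then request announcements.
// Keyed by uuid so repeated announcements from one wallet don't create duplicates.
function discoverProviders() {
  const found = new Map();
  win.addEventListener('eip6963:announceProvider', (ev) => {
    const d = ev.detail;
    if (d && isValidInfo(d.info) && typeof d.provider?.request === 'function' &&
        !found.has(d.info.uuid)) found.set(d.info.uuid, d);
  });
  win.dispatchEvent(makeEvent('eip6963:requestProvider'));
  return found;
}
// Constructed demo: wallet A loads before the dapp, B after it, C is malformed.
const stub = { request: async () => [] }; // minimal EIP-1193 provider shape, constructed
function demo() {
  installWallet({ walletId: 'io.example.a', uuid: '1b4e28ba-2fa1-4d3b-8c1e-0123456789ab', name: 'Wallet A', icon: 'data:image/png;base64,' }, stub);
  const found = discoverProviders();
  installWallet({ walletId: 'io.example.b', uuid: '2c5f39cb-3ab2-4e4c-9d2f-123456789abc', name: 'Wallet B', icon: 'data:image/svg+xml,' }, stub);
  installWallet({ walletId: 'bad', uuid: 'not-a-uuid', name: 'Wallet C', icon: '' }, stub);
  return found;
}
console.log([...demo().values()].map((d) => d.info.name)); // → [ 'Wallet A', 'Wallet B' ]
```

Wallet A is picked up only because it re-announces on the request event, and wallet B only because the dapp's listener stays registered after the request; both paths are needed because extension load order is unpredictable.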

How effective is EIP-6963?

Adoption and implementation of EIP-6963 might take three to six months, according to current estimates. This development may result in a new wallet narrative later this year, possibly breaking the stranglehold of top wallet providers like MetaMask and establishing a more competitive environment among providers.

This feature is intended to aid wallets such as Coinbase Wallet, Trust Wallet, Phantom, Taho, Rabby, Frame, XDEFI, Rainbow, Zerion, Spot, Coin98 Wallet, Frontier, MEW, Dawn Wallet, BlockWallet, Bitski, SafePal, BitKeep, and MathWallet. Readers may join the ongoing EIP-6963 discussion among Ethereum developers.

Pros and Cons

Pros

No single point of failure: because dapps can work with multiple wallet providers, there is no single point of failure. This is advantageous for security, since if one wallet provider is compromised or goes down, users have other options.

Decreased reliance on a single vendor: At the moment, the Ethereum community is highly reliant on one wallet provider, MetaMask. This is dangerous because if MetaMask is compromised, the majority of Ethereum users will be affected. EIP-6963 mitigates this risk by enabling numerous wallets.

Additional User Controls: The option to choose among several wallet providers gives users more control over their security. Users may choose a wallet provider according to their particular security requirements and trust level.

Cons

Expanded Attack Surface: Deploying EIP-6963 broadens the attack surface, because the number of wallet providers that hostile actors could compromise grows. To reduce this risk, every wallet provider must adhere to strict security requirements.

Risks of SVG images: EIP-6963 suggests SVG images as wallet provider icons. SVG images, however, can embed JavaScript, which poses a cross-site scripting (XSS) risk. Although the EIP recommends rendering SVG icons with <img> tags to prevent JavaScript execution, compliance with this recommendation can only be verified by third parties or auditors inspecting each implementation.

Effect of replacing window.ethereum: Although EIP-6963 does not immediately break existing apps that rely on window.ethereum, it does recommend replacing window.ethereum once a user has picked a wallet. Again, compliance can only be verified by a third party or an auditor for each implementation.

Conclusion

EIP-6963 seeks to promote interoperability across wallet providers, decrease the barrier to entry for new providers, and enhance user experience on the Ethereum network. At the same time, the implications for security are complicated.

Ethereum users, wallet providers, and developers must follow best practices at all times to keep the Ethereum ecosystem safe.

By putting this proposal into action, the Ethereum ecosystem may grow into a more competitive and user-friendly environment, which would benefit both wallet providers and their users.

DISCLAIMER: The information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.
