Careful when using Cross-Platform cryptocurrency code!

Using the same wallet on your all your devices sounds brilliant, doesn’t it? Not having to wonder how a software wallet differs from what you’re used to or if it’s safe and does what you want is a good way to simplify your life. Also converting a stranger to Bitcoin or other cryptocoins is much more likely to happen by showing off a mobile wallet than from sitting the person in front of a PC for minutes. Not only are you likely to have your phone on you when ranting about Bitcoin, but there’s also the convenience of always-synced SPV wallets that hides the terrible weight of downloading the blockchain when booting your core wallet. So should you work out a way to use the same wallet on your mobile and your PC?

The first problem is that there’s actually very few cross-platform wallets; because there are few cross-platform technologies that work well for this kind of software; any sort of middleware to make the user interface work on all platforms without re-coding anything probably doesn’t work well at all if you code to PC first and then try to cram the UI on a tiny smart phone screen.

So let’s assume you choose a wallet that was coded first for your mobile phone; then running it on Windows should at least get you a workable experience since since the screen and mouse can replace the touchscreen.  That means your wallet was coded with the few cross-platform technologies that are workable right now, for example Java, JavaScript or some other virtual-machine based system.

There are platforms like Meteor to do this, which basically wraps up and packages a web app inside a bundle compiled for the target platform.  It might work, but how much of the security model is respected while using something as kludgy as node.js and lots of glue on your cell phone?  How much of the same standard code is being reused on both machines? I don’t really know, but I think the only reason we don’t hear about hacks on this stuff is because they’re not yet practical enough to be in widespread use.

There are no guarantees a specific JavaScript engine will respect all the math functions a wallet requires. Unless the engine or the wallet itself have been thoroughly tested and certified to run flawlessly on both engines you’re using then a single difference in a floating-point operation could “corrupt” your wallet.  So although you CAN pick a cross-platform wallet and there are a few notables that have spent a lot of time and effort making sure they work correctly, it’s simpler to use a technology that has standard maths in the first place, for instance using the same standard Virtual Machine on both platforms or VM Containers to ensure there really is no difference in what code you are running. For all practical purposes, right now this comes down to either using Java technology or a Docker or similar Container.

After you’ve spent ours searching for options, gave up and decided to use an Android wallet in a virtual machine like BlueStacks with a Java Core that can be run in a standard Java VM for more serious server applications, you will probably want to export/import the private wallet key to all those platforms to have instant access to the same wallet on all your machines.  And guess what, it works!  But only if you’re using a certified VM/language and the wallets use HD ecdsa keys (Core 0.10+).  Otherwise when you generate a new receiving address on one of the wallets,  you won’t have it available on any other platforms.  Meaning you will lose money if it’s sent to an address you can’t reproduce.  You should test beforehand to see if you the public/private subkey generators work in the same way on all your machines and how well you can import/export them before using them for any amount of money. You’ll be glad you tried it before putting too much money on the line.


What happened to Worldcoin HD Android wallet

One problem when working with coins that are out of ICO is that it’s difficult to stay motivated and developing for very little reward or investing time and money without any kind of support from the community. TLDR; that’s what happened to the Worldcoin HD wallet.

In 2013 we released the first full Worldcoin wallet on Google’s Play store.  It was based off the very popular Bitcoin android wallet by Andreas Schildbach and associates, with the Scrypt hashing code reused from another Scrypt wallet. This was a major step forward for Worldcoin because there were few cryptocoin developers with Android experience at the time.

The app worked very well and we had very few problems with it. Meanwhile the Bitcoin wallet received important updates to security and features, including things like highly-deterministic addresses, support for multi-signature and pay-to-script-hash transactions and the serious denial-of-service bugs from versions previous to 0.8.3.  This all sounded like great ways to improve Worldcoin so a new wallet version was made that included all the updates and more.  Sadly because of an incompatibility between Java’s and Android’s keystore tools, the old wallet couldn’t be updated directly.  A new app was created instead called Worldcoin HD and the old wallet was labelled obsolete in the store.

The HD wallet had features that were not even officially supported by the Worldcoin Core yet. so we also updated Worldcoin Core to 0.10+ with all the DOS issues fixed, but that was never officially released.  While we were working on getting support for an official Core release, we discovered that new seed nodes lists were needed in all wallets and that a net split had gone unnoticed for a while. Updating the seed nodes should have been trivial but we discovered that the 0.10 Core wallet would no longer validate the whole blockchain after fork was resolved.

Someone had used the net split to poison the blockchain with some of those DOS issues that were going to be fixed in the 0.10 Core.  Since only one pool was using the 0.10 Core with the stricter validation code, these DOS-causing transactions had made it through for weeks after the code update was available. For example one bad block has so many tx-out that even with a large amount of RAM and a SDD, the 0.10 Core takes forever to validate.  The old Worldcoin Core just ignores the problem and muddles on through.

With no one asking for the 0.10 update and a fork that couldn’t be rolled back, all work on 0.10 and HD wallets was simply abandoned.  The Worldcoin HD code probably still works and Core could be upgraded to 0.10+ with enough miner support in the future but we haven’t done any of the work or expenses necessary to even keep the app listed on the Play store. If anyone would like to simply add new seed nodes and upload the code to a new app entry on the Play store, the code is still available on the.Worldcoin github.

I think it’s safe to say that the real value of a cryptocoin isn’t in the technology or the economic wizardry, but in how strong a community can be built around it.

When is “OUR ICO is LEGAL!” a scam? When it’s not REALLY an ICO!

China might be “banning” Initial Coin Offerings (ICOs) but what they’re really doing is reminding people that there are rules to issuing securities.  Things are no different in North America; as long as you respect the rules, you can sell shares are get investments in your company and call it anything you like. For example in Québec the “Authorité des Marchés Financiers” (AMF) lets you create and sell shares of your company to anyone that understands what it is they’re buying and investing in.  These people are known as “qualified investors”; people who have proven that they have the experience and financial knowledge to understand the risks of investing in a startup.  One of the ways people usually demonstrate that they are qualified is, for example, by having a  personal fortune of a million dollars or more. You can have reasonable expectations that someone who built a fortune has the know-how to protect it.

That’s one of the main issues governments have with ICOs as they stand right now: anyone can invest without any real idea of the risks involved. There is no check on the competence of the investors AND those investors have no idea what responsibilities they are taking on.  Did you know that if you invest in something that isn’t a “limited liability company” (LLC) that does say, wearable computing and the products end up burning people alive, as a shareholder YOU could be sued for the damages?  But through an ICO how are you going to find the people responsible? There are far more risks involved in ICOs than just seeing the guy who stole all your Bitcoins or Ethereums run away and die in a hurricane sipping on Mai Tais on a tropical island.  It’s not hard to understand that the SEC or AMF are not fans of ICOs, but they don’t necessarily want to prevent legit jobs from being created.

Is there a compromise that would satisfy both the desire of the startup to issue shares through an ICO and the AMF’s requirement to have qualified investors?  Not really – not yet!  The AMF is currently running an experiment (a bad one, imho) where they are relaxing what it means to be a “qualified investors”.  Basically what they are letting the startup do is sell shares through an pseudo “ICO” AS LONG AS the company KEEPS CONTROL of the secondary market (as they must).  You won’t be able to trade your shares without going through them; without an IPO this is a legal requirement, there is no change here. This means ALL of the ICO token’s trading will be centralized.  And they control the market price/token issuance.

The end result?  This ICO is NOT AN ICO; there is NO NEED for a blockchain or token, they are basically replacing their shareholders database for a database stored on someone else’s blockchain.  THERE IS NO POINT OR VALUE to this.  And unfortunately, when that company starts going down, you won’t be able to sell your shares and save one bit of your money. AND ALL FUTURE local ICOs/Cryptocoins will SUFFER from this failure.  I appreciate that the government is trying to keep an open mind about new Fintech, but I believe this is the wrong approach; they shouldn’t relax the conditions for creating ICOs, they should enable and facilitate more “qualified trading” through Blockchain technology!

I would tell you “Caveat Emptor” – Buyer beware – but if you’re a “qualified investor” you already know this.  And if you invested in things like the “First legal ICO in country X” without understanding the white paper, qualified, you are not. It’s not, in itself, a scam – the approach IS legal apparently – but it is a MARKETING scam.  This is not an ICO. You should buy and hodl Bitcoin and encourage others to do the same and you would profit more than investing in this. The saying “A rising tide raises all boats” describes real Cryptocurrencies like Bitcoin perfectly.

As always, I’m not qualified in any of this, not a lawyer, not a financial adviser, so don’t take this as legal or investment advice.  All I did was read the white paper. It made my soul bleed a little.