As it currently stands, there are quite a lot of web-based wallets using potentially insecure keys-processing scenarios. The ‘Medusa Wallet 2.0’ should fix this problem. Medusa ADA Wallet is essentially a free of charge community-driven project of a light wallet combining the best features of other existing wallets. It was the first ITN-compatible public wallet, which was released before ITN, Deadalus and ITN Yoroi. It reportedly worked more consistently during the ‘bloody ITN storms’, which will be remembered by many. As the team listens to their community, Medusa’s UX is more intuitive and simple than others. There is an old version, but this version is no longer under active development, with the main focus now being on a new re-designed version, based on cardano-db-sync and Emurgo’s serialization lib.
The new version of Medusa has a well researched and powerful security model. For some reason, most web developers ignore major security issues. Doing things like storing keys or sensitive data in public storage, such as local storage or indexed db. They do key-processing in the main browser thread, sometimes not even encrypting private keys, or caring about third party code injections in their code dependencies. These are just a few of the school boy errors made by most web developers, and is an unacceptable approach for finance software.
The Next Iteration of the Medusa Wallet
Medusa 2.0 has none of the above issues, even at MVP stage. So, what makes Medusa different?
- Security features that are already implemented:
- Medusa doesn’t store and operate keys within the main browser thread – unmanaged 3rd party code is not able to reach them;
- Medusa does not send or store any unhashed / unencrypted data;
- Medusa does not perform unnecessary loading of encrypted keys;
- Medusa uses its own network-security layer to transfer your data. So even if your https is compromised or you use some third party proxy server, or you are connected to an untrusted network, your data can’t be read by anyone else.
- Passwordless ‘2FA’ based login system designed in strict accordance with RFC 4226 requirements.
- There are no unmanaged code-dependencies;
- 100% anonymous — we do not collect any user-related data. No email, phone or password needed.
- There are no analytics scripts.
Here’s a list of the new security features the team wants to add, as well as new UX features.
- Sessions management
- Ledger integration
- OTP-keys re-generation
- Optional 2FA-based approving for transactions
- Smart tools like dust cleaning/utxo optimization
- Contact book
- API for 3rd party integrations
- User-friendly Daedalus-like UI, but only ‘like’, not the same
- It’s transaction builder has the best tokens support implementation with special alignment system which solves the floating min/max sum problem when you add tokens to your transaction
- There is a “send all” button for any asset with no headache related with ‘min ada held by tokens after bunch splitting’
- There are no errors like “I, machine, can’t build this transaction because you, the human, didn’t count lovelaces properly. Yes, I can solve it, but I won’t.” We value your time. If something can be automated – it will be.
- Medusa is compatible with desktop browsers as well as their mobile versions.
An Already Working Project
It should be stated that this is an already working product, so there is no launch date. In fact, you can already experiment with a working version of the wallet, running on the Cardano testnet network, you can get testnet tokens simply by clicking here. However, this is still in the development stage. The Medusa team is a small one, consisting of a main developer, artists and testers. For now, this is not their primary occupation, but with your support this could change. You can contact them on Twitter. All they need is adequate funding so that they can release the new version of the platform and extend it.
A Quick Breakdown of the Costs
The team has requested a total of $30,000USD to complete their project, which will be allocated as seen below
- $24k for the developer salary (2k per month for a year);
- Up to $3k for a security audit;
- $3k for 3rd party services like translations, art, and of course, server rental;
A Community Driven Project
It should be noted that this is a community-driven product, led by a team that listens to its users, they hear their requests and suggestions and make sure they implement them. The old version of Medusa has around 1000+ users, and the team is keen to provide them with a new product as quickly as possible.
For more information or if you have any questions/comments about the proposal click here.