PW-LOCK - Request for Auditing

Hi everyone,

We are the Lay2 team, the makers of ckb.pw. After several weeks of running on Aggron, we think it’s time to prepare for deploying pw-lock on Lina.

The biggest concern is, of course and always, security. We forked the official system script repo and built pw-lock based on it, and it has passed all the same tests as the official lock. But there may still be issues that haven’t been covered. So we are posting the repo link here and asking the community for code auditing, and we hope to get bug reports or improvement suggestions. This will last for one or two weeks, and then, if nothing is left to be changed, we will deploy pw-lock on Lina and make p-wallet available at the same time.

Thanks for your time! Let’s make Nervos greater together :mechanical_arm:

pw-lock repo: https://github.com/lay2dev/pw-lock

7 Likes

Amazing work! When will it be deployed on Lina? It seems 3 weeks have passed.

Thanks for your attention!
I’m afraid it will be some more time before a mainnet launch, as we are still in discussion with the foundation about the third-party auditing and the deployment of pw-lock. We are pushing this forward and will keep doing so, to make p-wallet usable on Lina ASAP.

3 Likes

To update: due to security concerns, we decided not to launch on main-net until the type_id is audited.

CKB scripts (i.e. contracts) can be updated through a mechanism called type_id. As p-wallet is still under heavy development, the pw-lock will definitely be upgraded now and then. The thing is that every time we upgrade the pw-lock, all p-wallet users will find that their old ckb address has disappeared, along with their assets. This is unacceptable, and that’s why we adopted type_id — to keep addresses constant.

With type_id, pw-lock can be upgraded smoothly when we find a bug or add more features, so we can deploy it on main-net with no worries about destroying everybody’s ckb and udt. However, this has a premise — the type_id must be secure and constant, or every script that depends on it would be exposed to either security risks or redeployment possibilities.

As far as I know, the foundation has been pushing forward code audit cooperation with several leading security teams, and we believe it won’t be long before we can finally bring p-wallet to Lina.

1 Like
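
The address behaviour described in the post above, as an added example that is not part of the thread and is not pw-lock code: it compares a lock script that references its code by data hash with one that references it through a Type ID type script. The binaries, Type ID args and owner args are constructed placeholders; the hashing and Script encoding follow CKB's BLAKE2b personalization and Molecule table layout.

```python
import hashlib
import struct

HASH_TYPE_DATA, HASH_TYPE_TYPE = 0, 1
# Code hash of CKB's built-in Type ID script: ASCII "TYPE_ID", left-padded to 32 bytes.
TYPE_ID_CODE_HASH = b"TYPE_ID".rjust(32, b"\x00")

def ckb_hash(data: bytes) -> bytes:
    """CKB default hash: BLAKE2b-256 personalized with "ckb-default-hash"."""
    return hashlib.blake2b(data, digest_size=32, person=b"ckb-default-hash").digest()

def serialize_script(code_hash: bytes, hash_type: int, args: bytes) -> bytes:
    """Molecule table encoding of Script: total size, field offsets, fields."""
    fields = [code_hash, bytes([hash_type]), struct.pack("<I", len(args)) + args]
    pos = 4 + 4 * len(fields)          # header = size word + one offset per field
    offsets = []
    for field in fields:
        offsets.append(struct.pack("<I", pos))
        pos += len(field)
    return struct.pack("<I", pos) + b"".join(offsets) + b"".join(fields)

def script_hash(code_hash: bytes, hash_type: int, args: bytes) -> bytes:
    return ckb_hash(serialize_script(code_hash, hash_type, args))

def lock_hash(code_cell: dict, hash_type: int, owner_args: bytes) -> bytes:
    """Hash of a user's lock script; CKB addresses encode this lock script."""
    if hash_type == HASH_TYPE_DATA:
        # Commits to the binary itself: any rebuild changes every address.
        code_hash = ckb_hash(code_cell["data"])
    else:
        # Commits to the code cell's type script, not to the binary. Whoever can
        # spend that cell can swap the code behind every existing address.
        code_hash = script_hash(TYPE_ID_CODE_HASH, HASH_TYPE_TYPE, code_cell["type_id_args"])
    return script_hash(code_hash, hash_type, owner_args)

# Constructed sample data, not real pw-lock binaries or on-chain values.
TYPE_ID_ARGS = ckb_hash(b"constructed stand-in for the Type ID args")
CELL_V1 = {"data": b"lock build 1 (constructed)", "type_id_args": TYPE_ID_ARGS}
CELL_V2 = {"data": b"lock build 2 (constructed)", "type_id_args": TYPE_ID_ARGS}
OWNER_ARGS = bytes.fromhex("11" * 20)

if __name__ == "__main__":
    for name, ht in (("data", HASH_TYPE_DATA), ("type", HASH_TYPE_TYPE)):
        before = lock_hash(CELL_V1, ht, OWNER_ARGS)
        after = lock_hash(CELL_V2, ht, OWNER_ARGS)
        print(f"hash_type={name}: lock hash unchanged after upgrade: {before == after}")
```

With `hash_type` "type" the lock hash never covers the binary, so reviewing a deployment of this kind means checking who is able to spend the code cell as well as reading the script source.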

Is the audit underway?

1 Like

So far, type_id has been audited, but pw-lock is still waiting in line. So we plan to launch p-wallet (now called Portal Wallet) on Lina later this month.

Btw, we are not just waiting for the audit. There will be a breaking change for p-wallet on the outside (a new set of front-end) as well as the inside (completely refactored with pw-core), along with an independent Nervos DAO dApp that looks like this:

https://twitter.com/i/status/1277611390652432384

Hope these are worth the long wait :muscle:

1 Like

Good job :star_struck:

2 Likes

Portal Wallet :muscle:
I like it! :fire:

2 Likes