Grant Idea - Thorough Audits of Zcash Wallets

This topic is intended for discussions on creating a grant for an audit of Zecwallet, Nighthawk, and Zwallet. For context:

Also this might be used as a benchmark for other projects in Zcash. For example, to be featured on the z.cash website, a wallet has to go through a security review which can be funded by ZOMG. This way we free the engineering resource of ECC and at the same time have an objective filter of what to feature on z.cash.

7 Likes

Am I understanding it correctly, ZecWallet and NightHawk haven't had a code audit? But Zwallet needs an audit to get on the z.cash website? How does that make sense? Why are ZecWallet and NightHawk recommended on the Zcash website?

There have been reviews I believe, maybe not external ones for Zecwallet or Nighthawk. However, what I want to happen is for ZOMG to fund audits for all three wallets. Then, we can have an objective benchmark of what to feature on z.cash and recommend users.

Also, there have been discussions on having performance benchmarking. Anecdotally, Zwallet is the fastest-syncing wallet in my experience. Zecwallet is a close second while Nighthawk and other wallets are last. I personally want to know if there’s any trade-off made by Zwallet to achieve its performance. If none, we should upstream the feature to the sdk wallet for everyone to use.

I recently tested Edge Wallet, but it takes hours to sync a new wallet. Similar to my experience with Nighthawk and Unstoppable. For comparison, syncing an old wallet takes ~3 mins with Zwallet and ~5 mins with Zecwallet.

4 Likes

Someone from ECC, ZF, ZecWallet or NH would have to answer that.

Yes that would be a great idea to get all wallets audited. I would go further and suggest all software grants should be audited. Perhaps auditing should be baked into the grant process. Funded by ZOMG or ZF as a minimum standard. Don’t Trust, Verify.

IF all the other wallets (list of all wallets on z.cash Wallets - Zcash) have not been audited I think it's highly unfair to gatekeep Zwallet from being recommended and added on the official website until it gets audited.

We should be more open to outside independent development that benefits Zcash and the wider Zcash eco-system.

No, but actually ZecWallet has a trade-off. It first syncs your account balance then your received notes (in reverse order). Therefore after 5 minutes, your wallet is not yet ready for spending but it shows the correct balance.

Hope it helps,
–h

2 Likes

This was exactly my experience. After 70 minutes or so the sync hadn’t completed, so I ended up exporting the spend key from Edge (because I had already sent myself a ZEC to Edge)… I imported the key to Zwallet, rescanned Zwallet, and sent funds from Zwallet in like 3 minutes … while Edge still hadn’t gotten to syncing the compact blocks containing my deposit.

True story.

I’d be in favor of a grant that reviews Zwallet. It seems to be the best horse in the lite mobile wallet race by a wide margin so far. So, if a stamp of approval is required to get more folks onboard and using it, great.

Zwallet (now WarpWallet) and YWallet (Ycash) are a pleasure to use. Thanks @hanh

4 Likes

@hanh - Can you please stop spreading nonsense about Zecwallet? If Zecwallet says it is 100% synced, it is obviously ready to spend funds.

I know you are trying to get more adoption for your project, but spreading nonsense about Zecwallet is not the way to go, and makes you seem untrustworthy. Please focus on your wallet and improving it, instead of putting down other projects.

3 Likes

Every time I visit the forum I see some discourse involving similar actors against community builders who keep delivering (Nighthawk, ZecWallet, etc…), I hope our small community can rally together moving forward. ASAP.

2 Likes

How exactly is Zecwallet able to sync shielded transactions so quickly? Is there a written explanation somewhere?

I got this information from here:

And there is a discussion below where we talk about the pros/cons of syncing backwards.

When I ran the tool from the command line, it showed separate progress for syncing balance and witnesses:

id: 1, blocks: 1%, decryptions: 2%, witnesses: 1%, tx_scan: 0%

However, I admit I could have misunderstood the meaning of 100% sync in the lightwallet.

I apologize for that. It is not my intent to spread misinformation.

But may I know why you suddenly decided to clarify? I have said this a few times already and even asked you for confirmation but you never replied until now.

Adoption is a good ego boost for sure. But besides that I don’t really make anything out of ZWallet.

Did you not charge ZOMG $115k for CP that will never be delivered?

I also see that several questions that were asked by the community were ignored by you. While you continue to attack other projects.

I think ZOMG has afforded you a lot of grace in your grants, I think you should do the same for others especially the projects which are widely used by the Zcash Community. Upwards and Onwards 🙂

No I didn’t. The project is paid in tranches and it was not completed.

I answered the questions that I could. I don’t have answers to everything. Please, let me know which ones you refer to.

I don’t think I attacked zecwallet by saying it has a trade off.

I went back and checked its behavior on a test wallet. I think it behaves like I said. I will make a detailed post about it. In any case, it is just a trade off. OP was asking about trade offs so I mentioned it.

1 Like

Reminder that this grant has not been paid as CP pulled out altogether from their planned project. Worse, CP reached out about their plan but then they are the ones who cancelled it too. In this case, I don’t see why @hanh's integrity should be questioned.

I think this is why I believe a review/audit by an independent party would settle the matter when it comes to security and speed of wallet syncs. Without that, people will keep questioning what/who to believe.

I think this is partially true. For security, yes agreed. But for syncing, you just need to use the wallets yourself to experience the UX, speed, variability, and features.

My experience has been ZWallet always syncs quickly. ZecWallet-mobile is sporadically fast; last night, syncs varied from 3 minutes to 15 minutes for me. Edge initial sync takes a while (> 1 hr for me).

Some of the shade thrown at @hanh is uncalled for imho; he is one of few people who have actually looked at the various mobile wallet codebases AND has run multiple tests comparing performance. If I recall, some of the benchmarks were even recorded and posted on YouTube.

My point is we shouldn’t ostracize the devs who are actually reviewing codebases, running their own tests, and improving performance for users. And in the context of this thread, if an audit is required for Zwallet, then it should also be performed for other wallets (which in my anecdotal experience are not as fast or comprehensive as Zwallet).

3 Likes

Thanks @z.yodler and @tokidoki,

For the record, I made a video recording of my experience with importing my test seed in ZecWallet and ZWallet.

There are chapter marks to facilitate navigation. In short, the sync % goes up but then resets several times. At ~1h, it disappears for good and the wallet balance doesn’t change anymore.
I am taking this as the end of synchronization since the word “Syncing %” does not show anymore.

However, when I go to the send page “Spendable Balance” is at 0 and stays at 0 until the ~2h mark.
The page also displays “Some funds still confirming”.

Based on this experience and what I read about Blazesync, I can only conclude what I said earlier.

I appreciate the work that @adityapk00 has done on ZecWallet and I have learned a lot from reading his code but when someone compares synchronization times between wallets I think it is only fair to point out that when "sync %" disappears, ZecWallet balance is not yet spendable (or at least not always).

With ZWallet, ZWallet sync test - YouTube

The behavior is pretty much constant. In the best conditions (top of line phone and local deployment of lightwalletd), it can sync in less than 1 mn but the more realistic result is ~3 mn. The “size” of the wallet doesn’t matter too much (1 or 1000 of notes, empty or 1000 of tx). @tokidoki, this is what I meant by there is no trade-off.

@tokidoki I made a video about lightwallet syncing. It was made prior to this but is still relevant IMO.

Almost 500 ZEC were sent to you for CP per the ZOMG transparency report. ZOMG Public Dashboard - Google Sheets

Additionally, I found that the updated BTC Pay server proposal amount was increased 50% from 80k to 120k ZF Grants - Payment Gateway

I’m sure your integrity is sound and I did not mean to discount it as we can see with your supporters (but I do not support Zcash funding going to Ycash projects…). Let’s put this topic behind us as you have been afforded grace and we are in a time where the Zcash community needs to attract and incubate strong teams within the ecosystem.

I’d love to leave it behind but you keep making disparaging statements about me and then ask to stop here.

Fine, but let me say that your statements are not telling the whole picture.

As an aside to the syncing debate, I want to say that @hanh is in good standing regarding all ZOMG grants afaik. There already was discussion about all the things @rekodi alluded to and I am pretty sure everything was resolved satisfactorily and ethically.

@hanh may prickle some feathers of other wallet developers with blunt statements, which I don’t claim to have the knowledge to comment on, but I think it is good to nip any discussions of unethical behavior in the bud.

4 Likes

Can anyone tell me again why Zwallet (WarpWallet) isn't on the Zcash official website? I don't think it has been answered.

Have we established if the other wallets have already gone thru an audit?

I’m wondering if we could get any answers?

2 Likes

The discussion about that was around here somewhere…

But I would also like to point out that hanh also made a cold wallet (different than paper wallet), so we should include that in efforts to get audits and put on z.cash website. Maybe we can get a group discount 😉

Does anyone have ideas of who we should solicit to apply for a grant to do wallet audits?

2 Likes