It is challenging to accomplish the dilemma between maximizing user experience and ensuring the highest standard of security for an on-platform Ethereum wallet!
Today we will look at one example among the current live or in-beta DApps to analyse their solution: HEROcoin (PLAY) was designed as a cryptocurrency for peer-to-peer online betting. With herosphere.gg the first use case is in closed beta now. One of the major development challenges was the on-platform wallet for PLAY, that any user needs in order to participate in match predictions and fantasy.
“At the current technological state, there are no similar use cases that have published a working & user friendly solution that we could have gotten inspired by, so we have come up with our own and unique way of an on-platform wallet handling.”, says Philip Peinsold, CTO!
The goal must be to ensure that every user has a valid Ethereum address in order to be able to transfer PLAY and ETH with maximal security. All in all, an infrastructure that allows users to buy in into contests on herosphere.gg was needed and successfully created.
Meaning, the process consists of the following four major requirements:
- User has an on-platform wallet address
- User can transfer funds to his on-platform wallet from his/her original HEROcoin wallet
- Private key is secure
- User can buy in into a contest and gets paid if he/she wins
How do they now provide maximum security for the private key?
Philip Peinsold explains his interesting approach: “Our highest priority is the security of the private key of the platform wallet in every possible aspect. The best way to ensure that, is to never actually store the private key Therefore, we use 2 independent sources to build the private key:””:
→Password on the user side
→Server salt on our side
Through the wallet creation process the user is required to enter a strong password — a personally chosen password just like on other platforms. This password is created by the user and lives in the users browser. It is never transferred over the internet or stored anywhere else. The importance here is to understand, that the password is only accessible on the user side.
In addition to that, they provide a so called “server salt”. Server salt is randomly generated data, that is used as an additional input and hashes data, which is stored in their database. In comparison to the password generated by the user, the server salt is created on the server and transferred through the internet. In the users browser, the server salt is then combined with the user password.
What does it mean and what is the actual effect?
herosphere.gg stores only one part of the private key, thus attacks on the database are obsolete, making possible gathered information useless for malicious third parties. Above all, every user is in full control of the private key, no one else but the user can generate the private key again. This security comes with a price though. The user-created-password can’t be restored, meaning that forgetting the password is fatal. There is no chance for herosphere.gg to restore it. This is a huge achievement in private key security for on-platform wallets, which opens the door for further development to improve a potential password loss by the user
How do they enable a user to buy into the contest?
Each buy-in is a transaction on the blockchain, coming with transaction costs and confirmation time. No one wants to use a platform where one has to pay for transaction costs and wait until the transaction is confirmed just to participate in a contest. This is not the user experience future sites should offer. In general there are two possible ways to handle transactions:
→User performs and pays the transaction
→herosphere.gg performs and pays the transaction
Contest participants pay the transaction costs themselves. Crypto users are used to pay for transactions but not everyone has dealt heavily with crypto before. Besides having HEROcoin (PLAY) on the wallet, a user also needs to have a tiny amount of Ethereum, so one can pay the transaction fees as gas. Furthermore, users have to enter the password every time they buy in into a contest. By entering the password the private key signs the transaction. In our opinion this is not a very user-friendly scenario. So let’s see what Case 2 looks like:
Alternatively, the user gives an allowance to the provider (in this case herosphere.gg) to transfer funds from their wallet to the contest contract. This means that herosphere.gg buys the user into the contest (if the user decides so in the herosphere front-end). We are talking about an ERC20 allowance function, which is handled by a “Controller Smart Contract”. The main advantage is that herosphere.gg can trigger the buy-in transfer and thanks to the allowance the platform doesn’t need a private key to sign a transaction. Users don’t need to enter the password every time they want to enter a contest and herosphere.gg pays the transaction costs, resulting in a better user experience.
At the moment HEROcoin is in closed BETA phase on herosphere.gg. They decided to go with the case 2 solution but are continuously learning with the user feedback, trying to understand the needs and preferences of every single person.
The controller contract on Ethereum
Every user wallet on herosphere.gg communicates with a controller contract, resulting in a smart contract which has an allowance to take funds from the user wallet and transfer them into a contest contract. When the user buys in via the front end, the controller contract takes funds from the users balance to the contest contract. All of it happening in the background so the user is not confused or has to worry about this. After the contests are handled and the results are known, funds are paid out to the users wallet automatically.
As a result, buy-ins and payouts are recorded on the ethereum blockchain. This is an important step closer to the vision of transparency in gaming: Making betting more transparent, secure and resistant to manipulation.
If you have questions or would like to discuss this, please get in touch with us or the HERO team, which is active on any of those channels:
FB HERO: https://www.facebook.com/HEROcoinio/
FB Herosphere: https://www.facebook.com/herosphere.gg/
Original Press Release From HEROcoin