ava-labs / avalanche-wallet

The Avalanche web wallet

Home Page: https://wallet.avax.network/

License: BSD 3-Clause "New" or "Revised" License

JavaScript 1.72% HTML 0.13% Vue 72.52% TypeScript 24.53% SCSS 1.10%

avalanche-wallet's Issues

CORS limitations on https://explorerapi.avax.network/

When I host the wallet locally - it cannot connect to https://explorerapi.avax.network/ because of a CORS error

Access to XMLHttpRequest at 'https://explorerapi.avax.network/....` from origin
'http://my.avalanchego.avado.dnp.dappnode.eth' has been blocked by CORS policy: 
No 'Access-Control-Allow-Origin' header is present on the requested resource.

Is there any chance to remove CORS checking on that host from your side so that we can connect to it ?

Delegation Fee cannot start with 1

The delegation fee field under /wallet/earn is restricted to at least 2, but the code doesn't allow you to enter 1 as the first digit, which prevents values like 10% from being directly entered.

Clickjacking in the wallet website [Security][BugBounty]

Description:
Instead of giving a copy-paste response, I will add the link
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client_Side_Testing/09-Testing_for_Clickjacking

Impact:
An attacker can iframe the website and gain unwanted clicks. With some creativity, an attacker can create an iframe, change its transparency to gain clicks on the website, and make a transaction.

Suggested Fix:
Add the X-Frame-Options header and set it to deny or same origin

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
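
As an added illustration of the suggested fix (not code from the issue or from the avalanche-wallet project), this JavaScript checks a set of response headers for the framing controls: X-Frame-Options and the CSP frame-ancestors directive. The function names and the sample header sets are constructed for this example.

```javascript
// Return the source list of the CSP frame-ancestors directive, or null if absent.
function parseFrameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Sources that let essentially any origin frame the page.
const BROAD_SOURCES = ['*', 'http:', 'https:', 'http://*', 'https://*'];

function checkFramingHeaders(headers) {
  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const notes = [];

  // A Report-Only policy is reported on but never enforced by the browser.
  if (parseFrameAncestors(h['content-security-policy-report-only'] || '') !== null) {
    notes.push('frame-ancestors in a Report-Only policy is not enforced');
  }

  // When an enforced policy carries frame-ancestors, browsers apply it and
  // ignore X-Frame-Options, so it must be judged first and on its own.
  const ancestors = parseFrameAncestors(h['content-security-policy'] || '');
  if (ancestors !== null) {
    const open = ancestors.some((s) => BROAD_SOURCES.includes(s));
    notes.push(open
      ? 'frame-ancestors allows any origin (X-Frame-Options, if set, is ignored)'
      : 'frame-ancestors restricts framing to: ' + (ancestors.join(' ') || "'none'"));
    return { framingBlocked: !open, notes };
  }

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    notes.push('X-Frame-Options: ' + xfo);
    return { framingBlocked: true, notes };
  }
  notes.push(xfo === ''
    ? 'no X-Frame-Options header and no frame-ancestors directive'
    : 'X-Frame-Options value "' + xfo + '" is not DENY or SAMEORIGIN');
  return { framingBlocked: false, notes };
}

// Constructed sample header sets (not captured from the wallet site).
const SAMPLES = {
  none: { 'Content-Type': 'text/html' },
  deny: { 'X-Frame-Options': 'deny' },
  allowFrom: { 'X-Frame-Options': 'ALLOW-FROM https://example.com' },
  cspNone: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  cspOverrides: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': 'frame-ancestors *' },
  reportOnly: { 'Content-Security-Policy-Report-Only': "frame-ancestors 'none'" },
};
```

The `cspOverrides` sample is the case worth testing for in deployment: a permissive frame-ancestors directive cancels an otherwise correct X-Frame-Options header.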

feature: Export HD Addresses

Feature request: Give users option to export HD addresses (Internal, External, Platform) from the lists given from Manage Keys; HD Addresses pop-up screen. Ideally to CSV and/or JSON. This is a pain to cut and paste, and will be very cumbersome when the address list grows very large from high activity.

Cross chain fixed state

Creating a cross chain transfer from C chain only allows transfer to X chain. I wanted to go to P chain so tried to do it in 2 steps instead but the cross-chain functionality becomes fixed with showing the previous transfer. I had to log out of the wallet and log back in to re-enable the ability to get my funds over to the P chain.

After writing this I realise that this isn't a bug and the wording of the 'confirm' button after success changes to 'start again' - Could I suggest a less subtle change. Maybe a second button or colour change.

Wallet UI Shows Duplicate Entries for Same Token

Steps to reproduce:

  1. Have a wallet with a balance of an ERC20 token on the c-chain
  2. Add the ERC20 contract manually via contract address using "Add Token" button
  3. Add a token list which includes the same ERC20 token using "Add Token List" button

Expected Result:
The wallet will show one entry with the balance of the ERC20 token

Actual Result:
The wallet shows two duplicate entries for the same token, each with a balance.

This behavior is not desired, especially because there is no UI flow to remove the token that was previously added via contract address. Users are stuck with two entries if they do not remove the entire token list. Showing two entries makes it look like you have a balance of two different tokens, when in reality it is only one token.

The proposed solution is to simply filter out the duplicates in the UI by not displaying an ERC20 contract address more than once. Thanks.

12 words mnemonic

Is it possible to encode a valid address starting from a 12 words mnemonic instead of 24?

Any AVAX wallet out there supporting 12 words?

Can Not Mint Multiple NFTs in a Row

Steps to reproduce:

  1. Mint an NFT
  2. Click the "back to studio" button
  3. Try to mint a second NFT under the same collection

Expected behavior:

The second NFT will be minted

Actual behavior:

The wallet gets stuck and hangs indefinitely. It will not mint the new NFT until you log out and log back in and start the process over.

Asset Icon Images

It will be nice to have a flexible system to manage icons for created assets. A simple map of 'asset_id' to 'icon_url'. These icons will reside on the repo.

Add list of staking reward payments received in the Earn section

It is almost impossible to track staking rewards currently with info displayed in the wallet transaction list, or the explorer. Please add a section to the wallet that displays all staking rewards received by the wallet. The transaction list should be exportable to csv, json. Should include date reward received and amount.

Transfer of AVAX balance to X Chain address shows on explorer but not in wallet

Hello team,

Transfer of AVAX balance to X Chain address shows on explorer but not in wallet. I copy pasted the receiving address, sent the AVAX, which was a successful transaction in the avax blockchain explorer, but has never shown up in my wallet.avax.network/wallet . Now the X chain receiving address has changed, and there is no record in my wallet of the previous one or any transactions related to it. Any clues to how I can solve this? Is there a way of seeing the previous receiving addresses for that wallet, that I would then be able to see the transactions for?

Thanks for any help!

Jusitn

Error exporting wallet to keyfile

Description

Opening a wallet from a mnemonic phrase and then trying to export the wallet to a keyfile
(Manage -> Export Keys) throws a JavaScript error in the console:

Uncaught (in promise) TypeError: Cannot read property 'importKey' of undefined
    at t.<anonymous> (Crypto.ts:40)
    at u (tslib.es6.js:100)
    at Object.next (tslib.es6.js:81)
    at tslib.es6.js:74
    at new Promise (<anonymous>)
    at o (tslib.es6.js:70)
    at t._keyMaterial (app~21833f8f.0185275a.js:1)
    at t.<anonymous> (Crypto.ts:142)
    at u (tslib.es6.js:100)
    at Object.next (tslib.es6.js:81)

Steps to reproduce

  • open wallet home screen
  • select "Access Wallet"
  • select "Mnemonic Key Phrase"
  • paste your mnemonic
  • click "access wallet"
  • on the wallet home screen select Manage->Export Keys
  • type any password
  • press the "Export Wallet" button

Wallet needs an "ASAP" setting for start of staking period

After having set all parameters for the staking period, I got an error because the Start Date and Time field was invalid. That's probably because I carefully reviewed the transaction before hitting the Confirm button… and the set time was already in the past. I had to redo everything with time set to a few minutes later, and everything went fine.

Would it be possible to have an [ASAP] option in order to improve the UX?

Also, I've been told of at least 2 (maybe related) strange issues on the Avalanche-Francophone Telegram. These times, the transactions gave a green light and a txid for a validator and a delegator respectively - but nothing appeared on the explorer or vscout, and the funds were still available. Redoing the transactions worked ok. This didn't happen to me, but I can get more info if needed.

Webm aren't displayed on web wallet

It's currently possible to mint NFT with webm media file, trades and transfers are working fine, but the media isn't displayed on wallet.

Cross chain transfer failed, AVAX disappeared

I did a crosschain transfer from P TO X using ledger hardware wallet.
An error occurred (which unfortunately I didn't write down).
Now the 35 AVAX of the transaction disappeared. But if I check in avax explorer with the x-address I see 2 identical addresses, one with 0 AVAX and the other with the 35 AVAX missing. If I click on the address it loads forever (in the explorer). No transactions shown.

The only transaction I see on the wallet is this (some data hidden for privacy):
Transaction Details
ID So1Q6cUm8aXUZuafDQ21nLRjXXXX
Status Success
Timestamp 23 minutes ago (2/8/2021, 6:20:45 PM)
Value 38.805515662 AVAX
Type PVM Export
Transaction Fee 0.001 AVAX
Text hex 00000000 UTF-8
Asset Type Fixed Cap
Input UTXOs
Tx
pFMRwHSDi1SzogMfxrf9h2v2akRntpSFWxxxxx
Lock Time 0
Threshold 1
From X-avax15uhmn7gyynjhw32XXXX
Type Transferable
Amount 37.288400000 AVAX

226uvuVeuam59CezCZkLvxxxxxxxxxxxx
Lock Time 0
Threshold 0
1.518115662 AVAX

Output UTXOs
Tx -
Lock Time 0
Threshold 1
To X-avax1gx5vlnkhudu9dxxxxxx
Type Transferable
Amount 3.804515662 AVAX

To X-avax1wsl2ms797zrfkvxxxxxx
Type Transferable
Amount 35.001000000 AVAX

Sorry for the bad formatting.
Why are there weird amounts? 38, 3.8, 1.5?

What is going on here and why everything is so complex with AVAX? It's definitely not user friendly.

When delegating, validators are listed in order of validator stake (descending)

My general process when delegating through the web wallet is just to scroll down the list until I find a validator that has high uptime and the minimum fee.

If validators are listed in descending order of total staked, this means I usually end up delegating to a validator with a very high stake.

Assuming others do the same thing I do, doesn't this hinder the decentralization of the system?

Would it be better to order validators by total staked, but with ascending order? (so that those with the smallest stake have the highest chance of being picked!)

Have explorer URL be specific to the environment

Currently the wallet's tx_history_row only creates explorer urls which point to the mainnet explorer.

Dynamically create urls based on the environment. For mainnet txs then link to the mainnet explorer. For fuji txs then link to the fuji explorer

Here's the location in the code:

    get explorerUrl(): string {
        // TODO: Make this dynamic
        return `https://explorer.avax.network/tx/${this.transaction.id}`;
    }

Feature: Support for Ipfs links

Hello there,

Because http/https domains force NFT holders to trust centralized systems, I would like to suggest viewing NFT assets by using ipfs:// links.
Link example : ipfs://QmeS6ora4CP5ZJYUC45332a3vcp9wNXdcSQXApR7FjVwY4

To do this properly, the js-ipfs library can be used. This basically initiates an IPFS node on the client side and allows the programmer to make IPFS cat/stat calls directly to the network.
I believe that trusting an IPFS gateway is also a bad option. However, for performance and user experience considerations this could be used.

Thank you !

Incorrect amounts can be sent on X Chain send page

The amount to send is 0 by default on the send page for X chain. When you click the amount field and type your amount, say 1, the input becomes 10 instead of 1 replacing 0. That can make people transfer wrong amounts, causing loss of funds. This can be fixed by making the input field have the existing amount selected when focused. Currently the cursor is placed on the left of initial 0.

The problem doesn't exist on C chain's amount input, only on X chain's input.

P and X address switched

I must admit that I'm very new to Avalanche, so it might be correct, but to me it seemed weird.
I logged in the wallet using ledger hardware wallet. I was presented an X and a P address, let's call it X-ABC and P-DEF.
Next time I logged in, they were switched, i.e. it was X-DEF and P-ABC.
Is it correct?

Possible Denial of service

https://github.com/ava-labs/ava-wallet/blob/master/src/store/modules/assets/assets.ts

Request

POST /ext/bc/avm HTTP/1.1
Host: bootstrap.ava.network:21000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=UTF-8
Content-Length: 193
Origin: https://wallet.ava.network
Connection: close
Referer: https://wallet.ava.network/wallet/send

{"id":3,"method":"avm.getUTXOs","params":{"addresses":["X-ABmnPvGQBd81cHyWFeJfzuoFz7rGwAqPR",
"X-AJPWXendnHJJoapqs81GMvJNDcYLVSngv",
"X-AJPWXendnHJJoapqs81GMvJNDcYLVSngv"
]},"jsonrpc":"2.0"}

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Vary: Origin
X-Content-Type-Options: nosniff
Date: Tue, 26 May 2020 16:56:21 GMT
Content-Length: 213
Connection: close

{"jsonrpc":"2.0","result":{"utxos":["9mJg6mV6XKTtZSjbMxP7TWVBvDpqAYTbXsUnhwScQt5u8aN1cup4AbgPgVT5jVPqoXJJwuWDfn9DJ9y9JiE1uGvd4m1brS4hrimV2voHb6JPYVnBVHa14Sm5UKmbgDwgYLPNo441hxwSXJECWBGq8cEe4m4LGBVtwaZx"]},"id":3}

The wallet checks for UTXO and the addresses are passed via an array. The array has no restrictions on how many addresses can be passed. If tens of thousands of addresses are passed through the wallet service, it can cause stress on the node.

This is a potential security issue.
Let me know what everyone thinks.
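
One way to bound the request described above, as an added example that is not part of the issue or of the project's code: a check a proxy or API front end could run on an `avm.getUTXOs` body before forwarding it, plus a client-side helper that splits a long address list into requests under the same cap. The limit `MAX_ADDRESSES`, the 128-character address bound and the function names are assumptions made for this example.

```javascript
// Assumed cap; the issue does not propose a number.
const MAX_ADDRESSES = 256;

// Validate a raw JSON-RPC body. The HTTP layer should already enforce a
// maximum body size so that an oversized payload is never parsed at all.
function validateGetUTXOsRequest(rawBody, maxAddresses = MAX_ADDRESSES) {
  let req;
  try {
    req = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, error: 'body is not valid JSON' };
  }
  if (req === null || typeof req !== 'object' || req.method !== 'avm.getUTXOs') {
    return { ok: false, error: 'not an avm.getUTXOs call' };
  }
  const addresses = req.params && req.params.addresses;
  if (!Array.isArray(addresses) || addresses.length === 0) {
    return { ok: false, error: 'params.addresses must be a non-empty array' };
  }
  // Reject on the raw length first so an oversized array is never iterated.
  if (addresses.length > maxAddresses) {
    return { ok: false, error: `too many addresses: ${addresses.length} > ${maxAddresses}` };
  }
  // Drop duplicates (the request in the issue repeats one address) and
  // refuse entries that are not short strings.
  const seen = new Set();
  const unique = [];
  for (const a of addresses) {
    if (typeof a !== 'string' || a.length === 0 || a.length > 128) {
      return { ok: false, error: 'each address must be a short non-empty string' };
    }
    if (!seen.has(a)) {
      seen.add(a);
      unique.push(a);
    }
  }
  return { ok: true, addresses: unique };
}

// Client side: split a long address list into batches that stay under the cap.
function chunkAddresses(addresses, maxAddresses = MAX_ADDRESSES) {
  const unique = Array.from(new Set(addresses));
  const chunks = [];
  for (let i = 0; i < unique.length; i += maxAddresses) {
    chunks.push(unique.slice(i, i + maxAddresses));
  }
  return chunks;
}

// Request body quoted in the issue, written as well-formed JSON.
const SAMPLE_BODY =
  '{"id":3,"method":"avm.getUTXOs","params":{"addresses":[' +
  '"X-ABmnPvGQBd81cHyWFeJfzuoFz7rGwAqPR",' +
  '"X-AJPWXendnHJJoapqs81GMvJNDcYLVSngv",' +
  '"X-AJPWXendnHJJoapqs81GMvJNDcYLVSngv"' +
  ']},"jsonrpc":"2.0"}';
```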

Auto Translating Bug

Some people are having trouble accessing the wallet, because they create a wallet while using the translate extension in their browser. This extension also translates mnemonic key phrases. But there is a cool feature for disabling translation for a specific section. You should add the "notranslation" class to the "mnemonic_display" class. It prevents translation of that element.

CryptoSeals NFT non visible in wallet.avax.network

I transferred one cryptoseals NFT from my metamask wallet to my Contract Chain address in avax.wallet. When I try to add the token to the token list via contract 0x0540E4EE0C5CdBA347C2f0E011ACF8651bB70Eb9 address is displayed as invalid. It's not possible to see (and transfer) an ERC721 token from avax wallet Contract Chain addresses??

v2.0 Contact System

Use shadow address to create contacts in your wallet. This bridges the gap for regular humans vs crypto people.

Invalid private key message on accessing wallet

Suggestion: Invalid private key message if Accessing Wallet using an invalid key

Checked on Browser: Firefox, Chrome

Explanation
Wallet site allows login using either key file or private key. This issue is related to accessing wallet using private key.
If an invalid private key is used, there is no message or notification regarding invalid key. There should be an "Invalid Key message" if the key used is invalid.
Example: This is similar to how the faucet shows an error message if using an invalid public key.

feature: Add additional HD wallet paths into dashboard

Currently, I am unable to add additional HD wallet paths in the "Manage" screen. It would be useful for me to do this if the appropriate keys are already loaded into memory.

This allows me to manage all keys in my HD path simultaneously, especially if I am an advanced user and use non-standard paths.

Security enhancement - private key

In the wallet, in Manage Keys, we can display the Key Phrase without entering any password. The problem is that if someone malicious is around my PC and I am inattentive for 10 seconds or more, he can take a photo of my private key and act later.

Deprecated API usage warnings

Warning Messages
Logging in using a private key on the Wallet site shows the following warnings on the Developer Console.

Deprecated API usage: PDFDocumentLoadingTask.then method, use the `promise` getter instead
Deprecated API usage: RenderTask.then method, use the `promise` getter instead.

Information
This issue is related to accessing the wallet using the private keys.

UI wrongly displays "TESTNET" label

My node is running with these settings and is bootstrapped - so I assume it is connected to the mainnet:

avalanchego --http-host=0.0.0.0 --http-tls-enabled=true --http-tls-cert-file=/etc/nginx/certs/server.crt --http-tls-key-file=/etc/nginx/certs/server.key --plugin-dir=/usr/local/app/plugins

However - when I use this endpoint from the wallet - it gives me warnings that I am not connected to the mainnet

image

...and at the bottom of the screen it shows a red bar and reads:

image

Which I believe is wrong..

Am I doing something wrong here - or is this a UI bug ?

Different node versions listed on README and `package.json`

The README.md file lists Node v12.14.1 as a requirement but the package.json file requires >=15.6.0.

The avalanchejs and avalanche-faucet repos both require 12.14.1 but I know that the wallet is worked on more than those. I was wondering if the README simply needs updating or not.

Grouping assets in a transaction

Currently when you send multiple assets from the transfer page the wallet actually sends one transaction for each asset. These should be grouped into a single transaction.

feature request: Set/Add endpoints on compile time

All the endpoints to connect to are added in https://github.com/ava-labs/avalanche-wallet/blob/master/src/store/modules/network/network.ts#L139

It would be nice to have some way to add another default endpoint through a config file override, before compiling the wallet - without having to modify (patch) the repo.

We're building a custom solution (AVADO) that runs a node on your own device - which comes with its own endpoint. We embed the UI in the package, so we currently need to patch the repo to add our endpoint.

If you could add a config file with an array of endpoints that gets added before the current list - that would be very helpful.

Your wallet looks and works great !

Wallet address has vanished

Wallet address X-avax12830awx6dnkcq6m95qn2veryt0kqfrakylhqml with Binance Txs is non existent

Transaction Details Not Found
A record for this transaction ID was not found in the Avalanche Explorer

AcHrhZQFHnAkbp5U4LmbpjjUnSFAZqnDcLwNr54NYJo8WAbjU

Balance not updating

I logged in the wallet (from windows) using ledger hardware wallet.
I withdrew some money from binance. I saw the transaction on the avax explorer, but the balance didn't update. I had to log out and login again to see the updated balance. I know it's not a big deal, but it just didn't seem right or it seemed very slow.

AVAX market price feed wrongly displaying $0

I have encountered an issue with my wallet in which the market AVAX/USD rate is displaying as $0.
I'm not sure if this is an internal issue, or one pertaining to a price feed API.
Perhaps this is due to a unique case as all my funds are currently delegated.
Here is a screenshot. Hope this helps the developers and the community!

WhatsApp Image 2021-08-31 at 14 53 38

Cannot mint NFT in Family more than once + UTXO bug in Studio

Expected behavior

1- I create a family in Studio; I expect to be able to create multiple NFTs in it and to be able to choose a family previously minted.
2- Studio displays all my NFTs

Bug
1- In Studio, when I create an NFT inside a new family, the family disappears and cannot be selected again.
2- Studio doesn't display my NFTs

Proof
The previously created family :
https://explorer.avax.network/address/avax1fl5t7ca074ms59pk6a3j5c9h3sz87klt702dux

Only the last created family (empty from any nft) appears, but as indicated on the top, I have 3 collections :
image

No nft in studio:
image


Another bug is sometimes I got invalid UTXO when I try to mint a new family, but I cannot reproduce it when I want to

HD: Incorrect History if index is decreased

HD wallet implementation only checks history up to first unused index. There is a possibility that if existing UTXOs are spent the first unused index will be lower than what it was before, because the previous internal/external derived keys won't have any UTXOs anymore. This will cause missing transactions in the history

SOLUTION 1 (Better for longterm)
Instead of calculating the first available index by counting current UTXOs, check if an index had a UTXO at any given time?

SOLUTION 2 (Quick fix)
Instead of scanning transaction history up to first unused index, scan up to (first unusedIndex + SCAN_SIZE) instead.
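
The regression described in this issue and both proposed solutions, as an added JavaScript example that is not the wallet's implementation. Solution 1 is written here as a scan that stops after `scanSize` consecutive never-used indices, which goes slightly beyond the issue's wording; the per-index sample data, the `lookup` function (standing in for a node or explorer query) and all names are constructed for this example.

```javascript
// Constructed sample: state of derived addresses by index. Indices 0 and 1
// once held funds that were later spent, so only index 2 has a UTXO today.
const SAMPLE = new Map([
  [0, { txs: ['tx-a', 'tx-b'], utxos: 0 }],
  [1, { txs: ['tx-b', 'tx-c'], utxos: 0 }],
  [2, { txs: ['tx-c'], utxos: 1 }],
]);
const EMPTY = { txs: [], utxos: 0 };

// Hypothetical lookup standing in for a node/explorer query.
const lookup = (index) => SAMPLE.get(index) || EMPTY;

// Behaviour described in the issue: the first index holding no UTXO right now.
function firstUnusedByUtxos(lookupFn) {
  let i = 0;
  while (lookupFn(i).utxos > 0) i++;
  return i;
}

// Solution 1: an index counts as used if it ever appeared in a transaction.
// Returns one past the last such index, stopping after `scanSize`
// consecutive indices with no history.
function historyBoundary(lookupFn, scanSize) {
  let boundary = 0;
  let gap = 0;
  for (let i = 0; gap < scanSize; i++) {
    if (lookupFn(i).txs.length > 0) {
      boundary = i + 1;
      gap = 0;
    } else {
      gap++;
    }
  }
  return boundary;
}

// Collect the distinct transaction ids seen on indices [0, endExclusive).
function historyUpTo(lookupFn, endExclusive) {
  const seen = new Set();
  for (let i = 0; i < endExclusive; i++) {
    for (const tx of lookupFn(i).txs) seen.add(tx);
  }
  return Array.from(seen).sort();
}

// Run the three strategies side by side.
function compareStrategies(lookupFn, scanSize) {
  const naiveEnd = firstUnusedByUtxos(lookupFn);
  return {
    naive: historyUpTo(lookupFn, naiveEnd),               // current behaviour
    quickFix: historyUpTo(lookupFn, naiveEnd + scanSize), // Solution 2
    byHistory: historyUpTo(lookupFn, historyBoundary(lookupFn, scanSize)), // Solution 1
  };
}
```

With the sample data the UTXO-based index falls back to 0 and the naive scan returns no transactions, while both fixes recover all three. Solution 2 still loses history if the index regresses by more than `scanSize`, which is why the issue rates Solution 1 as the better long-term choice.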

Assets and balance disappearing from node wallet

I created assets and NFTs from the wallet at my node; now I cannot see them when I try to get all balances:
curl -X POST --data '{
"jsonrpc":"2.0",
"id" : 1,
"method" :"avm.getAllBalances",
"params" :{
"address":"X-avax1n9fvwa976dqjz9ypytw7hpvqywc8ue8x6dzjls"
}
}' -H 'content-type:application/json;' 127.0.0.1:9650/ext/bc/X
{"jsonrpc":"2.0","result":{"balances":[{"asset":"2Kry7Gn8AJTmbMeWuQdGLUwdhzj3g8VCG6KLMB7eg4AbNVHXN2","balance":"19051905"},{"asset":"64hgTXXSDNaaeQFsjZZWXWmVNKJmJHTMrhSZgoATyGhwsupDc","balance":"19029990"}]},"id":1}

but from explorer i can see them there are 16 assets: https://explorer.avax.network/address/X-avax1n9fvwa976dqjz9ypytw7hpvqywc8ue8x6dzjls

and also at the last situation i sent 1 avax to this wallet minted 2 nfts from node balance is 0 but from explorer 0.002 fee is burned and there is 5.8 avax https://explorer.avax.network/address/X-avax1n9fvwa976dqjz9ypytw7hpvqywc8ue8x6dzjls
my node version is avalanche/1.0.4 [network=mainnet, database=v1.0.0, commit=032a79a3dcb928f7bc0fcac7f30ed13ab6e7aae6]
