From YouTube: All Wallet Dev Meeting 9
A
Here's February's All Wallet Dev call. We have a pretty light agenda today as usual, but it's nice to see everybody coming out. I guess let's get started with wallet demos. Does anybody have anything cool they'd like to show off that they've been working on since the last call?
B
LUKSO, the Universal Profile.
A
Perfect, just for meeting minutes. Cool, so that's awesome. We all need encrypted backups, so can't complain about that.
C
We're working on something pretty cool at Dark Florist. I don't know if anybody was around for the demo we gave, it was last month, about how Dark Florist Interceptor works, but we're working on a way to submit bundles for, like, white hat recovery of compromised wallets, but exporting that functionality to the user, using Dark Florist to kind of create simulation, kind of like stacks of simulation.
C
Exactly, so use the recording tag, although if you're... The technical implementation is fairly interesting because we can't get MetaMask to do it. MetaMask is the signer, and so we actually have to bring that JSON representation of those transactions to a separate dapp and actually put the private keys inside of this dapp for these compromised accounts in order to create the actual bundles, because you can't really use MetaMask to submit it, right?
C
I think, I'm sure, yeah, okay, but yeah. This is all related to that stuff, right, yeah, and then actually it's also using a burner wallet. It's creating its own burner wallet inside of the memory of the dapp in order to fund the bundle. So when you do need to send it some assets, it's doing it on like a brand new pristine account, and it can, you know, have the private key there in a way that's not compromising other assets that are held by the user.
C
Yeah, yeah, we have like a demo. We have this, like, actually working. It's a little bit rough around the edges. We're going to start getting users that have, like, usually NFTs or other assets they want to rescue from compromised accounts, and start having them walk themselves through it and watch them.
B
C
Are you on? Are you in any of these 4337 discussions? I'm a part of a whole bunch of those, because Flashbots is also kind of trying to be a big part of, like, pushing 4337 forward. I think it's going to be a big community effort, but it's gonna be really important to get that done. Yeah.
C
B
C
Yeah, there's a really active Telegram channel where there's like hundreds of people in there, and it's dedicated only to 4337. If anybody's interested, with your Telegram handle I could try to add you to this. But there's like a community of people there, they're all trying to push for 4337.
A
Where is 4337 at right now, like, high level?
C
D
I can talk a bit. So the 4337 standard is undergoing an audit right now. Hopefully it should be done before December, if everything goes well, that's the plan. And there's a lot going on with the P2P network for the bundlers to operate, so the specs are being written for that. Maybe there's like four teams that are building bundler software so that you can operate safely in the P2P network, and that's the, yeah, that's the progress. And then there's a few other teams that are building wallets.
A
E
No, that's great, that's great. Luckily I was near my disco, and so EIP-6384, it's all about human-readable offline signatures, or how to make a user understand what they're signing on when they're signing EIP-712. I guess most of you know, all of you know, that there has been a lot of rage around the OpenSea offline signatures, and they're being exploited in the wild every day. By the way, we are building some cool dashboard based on Dune Analytics to quantify the size of this problem and the we all react.
E
They found, under conservative assumptions, that there are like 25 million dollars lost in debt. I know we're in DeFi, and you know we don't get excited if it's not the alert of million, but this is really, really important. And offline signatures is not EIP-712 based signatures, it's not, it's really a trend, you know. Big projects are using that and going to use that more. For example, Uniswap Permit2, CowSwap have their own offline signatures, and really it's all as like.
E
I think the main attraction for protocols is, since EIP-712 is feeless, it creates a kind of an Amazon kind of feeless experience, or just-in-time fees for the users. So for OpenSea, the buyer can handle all the fees and you don't need both sides to be online, and also in Permit it kind of solves approve issues, and so on and so forth.
E
But the problem is, even though EIP-712 offers like a nice JSON, so you can see all the trees, so to speak, the user doesn't get the forest. You know, you get the big arrays and so on and all kind of data, because it actually was meant for machines, for smart contracts to interpret, and it's not humanly readable, even though EIP-712 is certainly better than the personal sign that we had before. But still, like, you know, this is an address.
E
This is the number, this is, and so on and so forth, and you search that, and it doesn't understand that maybe is approving to some rogue address or putting their NFTs to sell in a very low price. And what we are suggesting with the EIP or ERC-6384 is, as EIP-712 already binds this buffer to be signed to a contract with the verifying contract parameter, we would suggest to have, in each contract that supports EIP-712 handling, a function.
E
So the idea is, when a wallet gets that EIP-712, it can query that function, hand over the buffer to it, and this is a view-only function, so no fees and no gas and no delays and so on, and get the interpretation of that internet buffer and then show it to the user.
E
This is the idea in high level, and I'm not going to go into the exact threat model, like maybe someone who is better, like it's better by the fact that the smart contract explains the buffer to the user. So maybe what happens if this smart contract is rogue by itself? So there's a detailed analysis of that issue, and it's really not the issue, because in most cases, let's take OpenSea, the problem is the interface, the web interface is wrong and gets the user to it's.
E
A phishing site gets the user to sign on OpenSea, let's say an OpenSea buffer, and the verifying contract is the good OpenSea contract, must be the good OpenSea contract, or otherwise it wouldn't work. So, so to say, the smart contract is already trusted and the phone can be used as a source of truth for that.
E
For sure, yeah, that seems useful. Yeah, so like there could be all kind of, you know, where's it, like talking about the, and this is like the talk that has been on Ethereum Magicians. Some of the participants had good comments about localization, so like, do we need the human-understandable description in all languages? Maybe we can define something that is more structured and then the wallet can do something with it. But this is in the details. We really want to.
E
E
So, just to share some initial feedback we got from other wallet projects. So Dan Finlay from MetaMask is looking into it. It's kind of likely, but they have their own initiatives in that, so they need to see what would work best. And also there's a hardware wallet that really supported us on Twitter, like really said that they are going to actually work with us on that. Gunner lost the, just their name, just to say, the Keystone, so Keystone are on it.
E
I shared it with a sister, there's someone from Coinbase Wallet in this talk, so I shared it with some Coinbase guys and that. And so it's really initial, we just published it a week or something ago, and we really hope that you, the community, you're at least half of that EIP. Like, this of course needs wallet-side support and also smart contract support, so really like to get your feedback, and I shared the EIP or ERC draft link.
A
Awesome, thank you so much. So if anybody has any feedback, leave it on the discussions-to link. If you have any, like, immediate concerns, feel free to talk about them now, or I think we're pretty much done for today.
A
That's the end of, you know, the officially scheduled business. We usually chat for a little while after, so feel free to hang around or feel free to take off. Thanks for coming. Okay.
D
I just wanted to maybe discuss and ask questions about mobile wallets implementation and how they handle their, but they're built on both iOS and the Play Store. I don't know if anyone wants to hang out a bit more.
B
Well, we happen to have different build infrastructure for both. It's like the iOS stuff is a native app and then we're using a React Native Android, but in theory, React Native should run on all platforms.
D
Yes, sorry, I didn't clarify. So I wanted to ask more about the security measures that mobile wallets take so that they can, like, publish on App Store. So, as you know, the developer account basically is responsible for publishing the app to the store, and any malicious actor, if they can have access to that developer account, they can.
D
They can modify the way the designer is in and maybe can copy it and just send it to themselves, and they can just like correct everyone. So this is a quite, yeah, so DG, I guess you can speak. Yeah, I was wondering like what teams are doing to do that, and we wanted to take the best, like, security measures to consider it when we're going in production.
B
B
But just make sure not to allow, you know, live updates of those applications. So if they were based on JavaScript, make sure that your packages are pre-built and part of the executable instead of downloaded over the net.
D
D
But what I mean is, are there like formal security measures that mobile wallet teams take? And Legion, you wanted to speak.
F
Yeah, I can only speak for the Android side of things, but for the Android side of things you have a signing key to sign your APK, and I have that on an offline machine. So that's air-gapped. This machine is air-gapped, so the key is not exposed, and so an attacker would need this key to sign an update.
F
F
You should never actually opt into that, and we should also, as a wallet community, resist that, because as soon as we give the control over this key out of the hand, we have a huge problem. But I think that should be standard practice, to sign your builds that fall out of your pipeline, after checking, on an air-gapped machine. Got.
D
It, yeah, this is what we are also going to do, like the signing, especially for Android. It's going to be always offline. It's going to always be signed, and I think that's the right approach. How about for Apple?
B
I mean, it's very similar. The Apple package files, they're very similar to the APK package files. They do have multiple signatures, so it's not really that much different. But I mean it's the same issue, right? Like on Apple, if you have access to that developer account, conceivably you can add a new signing key and then sign with that new key and then have it approved. But I mean the approval
B
process is not like just a simple thing where you can hack in. I mean, you would notice that, you will get notifications that a new app has been submitted. I'm not sure if that's the most insecure attack vector. I think if somebody really wanted to hack the thing, they would have to somehow, in, yeah, I'm not sure.
D
F
On Android it's actually not possible, because the signature is checked on the device, so you cannot just add a signing key on your developer account and then intervene, because the device is checking the chain of signatures.
F
So if you have like a new signature on the new APK different than the old signature on the old APK you have installed, then you cannot just, because the attack vector is actually like, create a new update that basically extracts your key, right? And that's then not possible. I don't know how it is on iOS, but on Android that's not really a concern there.
F
B
F
Yeah, that's correct if you're not using bundles. Basically, if you're not handing over the key to Google, then Google is doing after sending it. Even there, basically, you have a signing key in between, so you also need the signing key. So then it's basically an upload signing key versus a deploy signing key.
B
F
And the question is also a little bit like, where's the check? Basically, is it checked on the device? Because kind of one attack vector could also be, speaking like, could Google infiltrate, or Apple in this case, steal all wallets, right, as an exit scam or something like that? And in the Android case it wouldn't be the case, because they never have your signing and the device is rejected.
F
That's more problematic but possible. It's called reproducible builds. So basically what you kind of want to do is create reproducible builds. It's now easier with Android. It was a bit painful in the beginning. It got easier, because a problem there usually is you cannot just compare like the hash of like APK A and APK B, usually because there are some timestamps in there. Usually, like, an APK is just like a glorified zip container with stuff.
F
But now Google pushed it a bit, because basically they just wanted to save bandwidth, so they also reduce, like, all the timestamps, and it's about the ordering in the zip and stuff. So it's gotten a bit easier, but it's still some work, but it's very encouraged that you basically try to get your builds reproducible.
D
B
B
F
But signatures really don't help you there, because what you basically want is that the user basically can create the same executable as you to verify that. You want to go, because a signature centralizes again, right? So if it's just a signature, you have to trust them. Basically, you want to be able to not trust them. You.
F
F
Also, a problem to get to reproducible builds. What is also a good method there is to also, like, hash all the artifacts. On Android there was Gradle Witness. Now Gradle has also built-in functions for that, to track down also, like, supply chain attacks, if somebody tries to, like, change basically dependencies and exfiltrate keys with that, yeah.
F
Yeah, exactly that. In the end, you should hash them. Like, pinning them, it's like one step, but in the end, you should also, like, have hashes of them, if they change, because pinning them, then maybe, like, the supply chain of those, or the publishers of the artifacts, could just replace a version. That's often possible, and.
A
B
B
Yew, Y-E-W, my spelling correct? I'm sorry.
B
Yeah, it feels like you're writing React code, but you know you have to worry about all the reference stuff in Rust, but it's pretty cool because you end up with web code that's written in Wasm, so it's fast, and once you get it right, chances are you probably don't have to change it.
A
A
Yeah, I played around with one called Dioxus. It's like a similar kind of deal, very React-like from what I understand, although I've never really written React code, so.
B
A
Yeah, it's kind of neat. The caching dependencies are weird, like, I don't know if it's the same in React, but where, like, things are recomputed inside of, like, callback functions and then cached, which is kind of a weird paradigm.
B
A
A
C
A
Like the gold standard right now for, like, packaging a web app? Because, like, I've used, what's it called, it's been a while, anyways, I used wasm-pack in Rust and it uses one in the back end and it seems to screw up half the time. So what is, like, what does everybody actually use for packaging projects these days?
A
If you take, like, for the web, so like, if I want to, like, have a bunch of dependencies in, like, a package.json and I just want to put them in an HTML file and have it work. What.
B
Is that, yeah, I mean we are still using webpack for some of those things. Vite, we're trying to switch a lot of things to Vite, which seems to be better. I've used esbuild, which is a lot better, but it doesn't support older browsers. So, okay, there's SWC, it's pretty good. Rollup. That's right! So they each have, like, their good and bad.
B
B
ESM, then it doesn't really matter, because then you can do import in the browser and it just pulls it in, then you don't have to pre-package everything. But right now, you know, using webpack is great, but webpack for packaging and then running it in Node doesn't work anymore for anything that's ESM. So it's kind of a bit hackneyed.
A
B
B
Targeting, if you're targeting really new browsers, I would look either, I mean, like, are you using like Hugo or something to put things together, or.
B
But it's like a static website building, but it does all the packaging and everything. Okay, okay, or you could use, like, Next, that uses Vite, which is really fast.
B
You can launch Next on Cloudflare Workers, but you have to have the latest version. So the latest version of Next, you can run on the edge on Cloudflare Workers. But if you don't have any SSR, then you don't even need the back end. Then you can just statically extract the whole site and host it.
A
Great, well, I'm going to take off. Thanks everybody for coming out, we'll see you next month.