# March 2026 Security Update

Following our successful month-long [Honeypot cracking challenge](https://hackenproof.com/programs/mybucks-dot-online-wallet-cracking-challenge) and expert reviews from **HackenProof** researchers, we have upgraded our wallet derivation architecture to provide higher resistance against attacks that use specialized hardware (ASICs/GPUs). We maintain a "**Legacy**" mode to ensure backward compatibility for all wallets created before March 2026.

### What did we upgrade?

#### Scrypt Parameters

<table><thead><tr><th width="350.98046875">Scrypt Parameters</th><th width="223.984375">Legacy (Pre-March 2026)</th><th>Default (Current)</th></tr></thead><tbody><tr><td>CPU/Memory Cost Parameter (N)</td><td>2^15</td><td>2^17</td></tr><tr><td>Parallelization Parameter (p)</td><td>5</td><td>1</td></tr><tr><td>Block Size Parameter (r)</td><td>8</td><td>8</td></tr><tr><td>keyLen</td><td>64</td><td>64</td></tr></tbody></table>

#### Salt Generation

* Legacy

```javascript
// Legacy salt: last 4 characters of the passphrase followed by the PIN
const legacySalt = `${passphrase.slice(-4)}${pin}`;
const saltBuffer = Buffer.from(legacySalt);
```

* Default

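```javascript
import { ethers } from "ethers"; // ethers v6

const KDF_DOMAIN_SEPARATOR = "mybucks.online-core.generateHash.v2";
// Assumed definition of `abi`: the default ABI coder from ethers v6
const abi = ethers.AbiCoder.defaultAbiCoder();
// Encode the domain separator, passphrase and PIN as three separate strings
const encoded = abi.encode(
    ["string", "string", "string"],
    [KDF_DOMAIN_SEPARATOR, passphrase, pin],
);
// keccak256 returns a 0x-prefixed hex string; strip the prefix before decoding
const saltHash = ethers.keccak256(encoded);
const saltBuffer = Buffer.from(saltHash.slice(2), "hex");
```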

### Why did we upgrade?

* **Hardened KDF Parameters**: Following OWASP recommendations, we recognize that memory-hardness (*N*) is a more critical defense against modern hardware attacks than parallelization (*p*). By increasing the cost factor *N* from 2^15 to 2^17 and reducing *p* from 5 to 1, we have increased the memory requirements fourfold—from **32MB** to **128MB**. This significantly raises the barrier for attackers while maintaining a similar **hashing time** on the user's browser.
* **Entropy Preservation in Salt Derivation**: Our legacy salt generation inadvertently discarded significant entropy by only utilizing the final 4 characters of the passphrase. This created a potential vulnerability where different passphrases with common endings could generate identical salts. The new mechanism now incorporates the **full passphrase** into the salt derivation, ensuring that every unique credential produces a unique, high-entropy salt.
* **Structured Encoding via abi.encode:** To prevent salt-collision vulnerabilities, we replaced simple string concatenation with `abi.encode`. This ensures that the boundary between the Passphrase and PIN is cryptographically preserved. By using fixed-length offsets and length-prefixing for each input, we eliminate the risk of "Canonicalization Attacks," where two different credential pairs could accidentally produce the same concatenated salt.
* **Domain Separation**: To prevent **cross-protocol attacks** and the unauthorized reuse of hash results, we have introduced a **Domain Separator** into the salt generation process. This ensures that the keys derived for mybucks.online are cryptographically isolated and cannot be used to compromise or spoof other services.
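
The salt properties described in the last three points can be checked side by side. The following is an added example, not mybucks.online code: SHA-256 and a 4-byte length prefix stand in for `keccak256` and `abi.encode` so it runs on Node.js built-ins alone, which means its salt values differ from the wallet's. The function names, the `other-service.v1` domain and the sample credentials are constructed for illustration.

```javascript
// Added example (not mybucks.online code). SHA-256 and a 4-byte length prefix
// stand in for keccak256 and abi.encode so this needs Node.js built-ins only.
const { createHash } = require("node:crypto");

const KDF_DOMAIN_SEPARATOR = "mybucks.online-core.generateHash.v2"; // from the page

// Legacy salt as shown on the page: last 4 passphrase characters + PIN.
function legacySalt(passphrase, pin) {
  return Buffer.from(`${passphrase.slice(-4)}${pin}`);
}

// Naive way to use the whole passphrase: plain concatenation, no field boundary.
function concatSalt(passphrase, pin) {
  return createHash("sha256").update(`${passphrase}${pin}`).digest();
}

// Length-prefix every field so a tuple of strings has exactly one encoding.
function encodeFields(fields) {
  const parts = [];
  for (const field of fields) {
    const body = Buffer.from(field, "utf8");
    const len = Buffer.alloc(4);
    len.writeUInt32BE(body.length);
    parts.push(len, body);
  }
  return Buffer.concat(parts);
}

// Structured, domain-separated salt: hash(domain, passphrase, pin).
function structuredSalt(passphrase, pin, domain = KDF_DOMAIN_SEPARATOR) {
  return createHash("sha256").update(encodeFields([domain, passphrase, pin])).digest();
}

// Constructed credentials, for illustration only.
function compareSalts() {
  const a = ["correct-horse-Battery-2026", "112233"];
  const b = ["Tr0ub4dor&3-winter-2026", "112233"]; // same last 4 characters as a
  const c = ["hunter2-staple9", "12345"];
  const d = ["hunter2-staple91", "2345"]; // boundary shifted by one character
  return {
    legacySharedEnding: legacySalt(...a).equals(legacySalt(...b)),
    structuredSharedEnding: structuredSalt(...a).equals(structuredSalt(...b)),
    concatBoundary: concatSalt(...c).equals(concatSalt(...d)),
    structuredBoundary: structuredSalt(...c).equals(structuredSalt(...d)),
    otherDomain: structuredSalt(...a).equals(structuredSalt(...a, "other-service.v1")),
  };
}

console.log(compareSalts());
```

Only `legacySharedEnding` and `concatBoundary` report a collision; the structured salt separates every pair, including the same credentials under a different domain string.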

### User Action & Compatibility

For backward compatibility, we have added a new checkbox: '**This wallet was created before March 2026.**'

If you are creating a new wallet after **March 9, 2026**, you can ignore this checkbox. If you need to access a wallet created before the update, please ensure the box is checked.

### Deprecation of Legacy Mode

To maintain a streamlined and secure protocol, the "Legacy" checkbox is part of a temporary migration phase. We will support the Legacy derivation path for a sufficient period to allow all users to move their funds to the updated architecture.

After this migration window closes, the checkbox will be removed from the primary interface, and the **Default** mode will become the sole standard for mybucks.online.

