Security Deep Dive

Threat: The salt used in the key derivation process is derived from the user's password/passcode rather than being a globally unique, randomly generated value. This effectively makes it a "longer password" rather than a true cryptographic salt, potentially making the wallet vulnerable to various attacks.

Architectural Response: We acknowledge that by strict definition, a cryptographic salt should be a unique, random value stored alongside the hash. However, Mybucks.online operates under a Zero-Storage philosophy. Since we do not have a database to store and serve unique salts to users, we must derive the key deterministically from the user’s own credentials.

To mitigate the lack of a traditional random salt, we use the Scrypt Key Derivation Function (KDF) with high-cost parameters. Scrypt is a "memory-hard" algorithm specifically designed to make brute-force and hardware-accelerated (ASIC/GPU) attacks extremely expensive. By requiring the user to provide both a Password and a Passcode, we create a high-entropy input that serves as a self-contained "salt."

This design keeps your wallet secure without needing a central database, as long as you use unique credentials. This trade-off is what makes the wallet fully decentralized, private, and easy to use.

Threat: Anyone who has the Transfer Link can extract the wallet's password and passcode because they are encoded in Base64 format.

Architectural Response: This architecture is a deliberate choice to support our 1-click gifting mechanism and our commitment to a zero-server infrastructure. Anyone with the URL can extract the password and passcode, as Base64 is an encoding format used for URL compatibility rather than a layer of encryption.

Mybucks.online operates without any databases or storage, meaning the wallet is fully decentralized and exists only through the credentials provided in the link. This allows recipients to take ownership of a wallet instantly without registration or app installs. The convenience of a 1-click gift, allowing a wallet to be sent as easily as a chat link, is the primary value proposition of this feature.

Risk and Usage: However, using standard URLs can expose credentials to being logged by ISPs, corporate firewalls, or third-party servers via referrer headers. To minimize this, we utilize hash fragments (#) to keep data in the browser and away from server logs.

Users should not store high-value assets on these links, as instant convenience is the primary trade-off for this specific feature.