# Whitepaper ### 1) Design Philosophy mybucks.online is designed for speed, convenience, and decentralization. It does not require app installs, browser extensions, or seed phrases. It converts human-readable, traditional credentials into a wallet private key instantly using a one-way hash function in the browser. mybucks.online is not intended to replace full-featured wallets such as MetaMask or Trust Wallet. mybucks.online targets micro-transactions and URL-based gifting, and aims to foster a lightweight, accessible gifting culture in Web3. *** ### 2) Security Architecture In mybucks.online, the **passphrase and PIN** are the primary credentials. It derives a private key from your passphrase and PIN using **Scrypt** and **Keccak256**. To strengthen resistance to brute-force attacks, the Scrypt Key Derivation Function (KDF) was intentionally chosen, as it increases the computational cost of key derivation. Key derivation runs **entirely in the browser** with no storage and no third-party key-management APIs. There is no server, no storage, and no database. The wallet is generated and erased instantly in the browser. Below is a minimal illustration of generating the private key from `passphrase` and `PIN` entirely on the client (browser-side): ```javascript import { Buffer } from "buffer"; import { ethers } from "ethers"; import { scrypt } from "scrypt-js"; const HASH_OPTIONS = { N: 131072, // 2^17 r: 8, p: 1, keyLen: 64, }; const KDF_DOMAIN_SEPARATOR = "mybucks.online-core.generateHash.v2"; const abi = new ethers.AbiCoder(); export async function generatePrivateKey(passphrase, pin) { const passwordBuffer = Buffer.from(passphrase, "utf8"); // Default mode: domain-separated salt derivation const encoded = abi.encode( ["string", "string", "string"], [KDF_DOMAIN_SEPARATOR, passphrase, pin] ); const saltHash = ethers.keccak256(encoded); const saltBuffer = Buffer.from(saltHash.slice(2), "hex"); // Memory-hard key derivation const hashBuffer = await scrypt( passwordBuffer, saltBuffer, HASH_OPTIONS.N, HASH_OPTIONS.r, HASH_OPTIONS.p, HASH_OPTIONS.keyLen ); const hashHex = Buffer.from(hashBuffer).toString("hex"); // Final wallet private key material return ethers.keccak256(abi.encode(["string"], [hashHex])); } ``` #### Scrypt Parameters | Parameter | Value | | --------- | ----- | | N | 2^17 | | r | 8 | | p | 1 | | keyLen | 64 | #### March 2026: hardened Default mode Following an open wallet cracking challenge and expert reviews, mybucks.online improved resistance to specialized **ASIC/GPU** attacks: * **Scrypt cost upgrade**: `N` increased from `2^15` to `2^17` (memory-hardness \~32MB -> \~128MB) * **Lower parallelization**: `p` reduced from `5` to `1` * **Safer salt derivation**: improved domain-separated salt generation that incorporates the full passphrase and PIN, preserving entropy without relying on stored random salts (aligned with the zero-storage philosophy) N=`2^17` was selected in line with OWASP minimum recommendation, while maintaining practical UX performance on mobile environments. For backward compatibility, a **Legacy** mode exists for wallets created before March 2026. *** ### 3) 1-Click Gifting: Wallet via URL With mybucks.online, you can send cryptocurrency and even the **wallet itself via a URL**. The passphrase, PIN, and active network ID are encoded into a URL hash fragment and shared. On the recipient side, the payload is parsed and restored, key derivation runs automatically, and the wallet opens immediately. There is no server-side link expiration: the derived on-chain address is fixed, and the same transfer link can reopen that wallet at any time. For as long as funds remain at that address, they are accessible to anyone who holds the link. This enables one-time starter wallets for gifting without requesting wallet addresses, and supports **bulk distribution** and **massive airdrops** through shareable links. Below is a minimal codebase to show how to encode credentials into URL format. ```javascript const TOKEN_VERSION_COMPACT = 0x02; const passphraseBytes = Buffer.from(passphrase, "utf-8"); const pinBytes = Buffer.from(pin, "utf-8"); const networkBytes = Buffer.from(network, "utf-8"); const payloadBuffer = Buffer.concat([ Buffer.from([TOKEN_VERSION_COMPACT]), Buffer.from([passphraseBytes.length]), passphraseBytes, Buffer.from([pinBytes.length]), pinBytes, Buffer.from([networkBytes.length]), networkBytes, ]); // Convert Base64 to Base64URL so token remains safe in URL hash/query contexts. const base64Encoded = payloadBuffer .toString("base64") .replace(/\+/g, "-") .replace(/\//g, "_") .replace(/=+$/g, ""); const padding = nanoid(12); const token = padding.slice(0, 6) + base64Encoded + padding.slice(6); console.log("https://app.mybucks.online/#wallet=" + token); ``` *** ### 4) Core Package Integration Core functions such as key derivation and URL parameter generation/parsing are published as an independent package, **@mybucks.online/core**, in the npm registry. {% embed url="" %} Below is a minimal codebase to generate temporary accounts for massive airdrops programmatically. ```javascript import { generateHash, getEvmWalletAddress, getTronWalletAddress, generateToken, randomPassphrase, randomPIN, } from "@mybucks.online/core"; const network = "polygon"; const passphrase = randomPassphrase(6); const pin = randomPIN(8); // Example passphrase: ZaeJU~-@T_PhV-.+tJ0'-EWC}6w // Example PIN: kzsh4ees const hash = await generateHash(passphrase, pin); // Example hash: b5a1d33cd5db14e97d6896d7845d9b49cefcac8e0ae6a9b8261f386f9dcd1c4cd3f409ee72e640dce05392af1766cb06c038eff01d04212e5e9a0ea6dcf18f35 const address = network === "tron" ? getTronWalletAddress(hash) : getEvmWalletAddress(hash); const walletToken = generateToken(passphrase, pin, network); const transferLink = "https://app.mybucks.online/#wallet=" + walletToken; console.log({ pin, address, network, walletToken, transferLink }); ``` *** ### 5) Browser-Level Hardening mybucks.online uses strict **Content Security Policy (CSP)** to reduce risks from XSS and unauthorized script injection by restricting where resources and connections can come from. For transfer links, credential data is encoded in a URL **hash fragment** (`#wallet=...`) so it stays browser-side and helps reduce exposure in typical server-side logs and upstream network logging paths. The `wallet` parameter is removed immediately after parsing, further reducing the risk of unexpected sharing through the Referer HTTP header. *** ### 6) Vulnerabilities and Mitigation Strategy This section summarizes ethical hackers' feedback on potential vulnerabilities and our mitigation approach. #### Major Vulnerabilities * The salt in key derivation is deterministically derived from passphrase/PIN instead of using a globally unique random salt. * Users can choose weak, compromised, or common passphrase/PIN combinations. * Anyone with a transfer link can extract passphrase/PIN because they are Base64-encoded for URL transport. #### Our Response * Added `zxcvbn` validation to actively block common, compromised, and dictionary-based patterns. * Instead of relying on a single long password, we use both a Passphrase and PIN, applying a password-chunking approach. * Users are strongly encouraged to choose long, unique credentials and use the auto-fill feature for high-entropy passphrase/PIN generation (approximately 130-bit entropy). * This product prioritizes convenience and accessibility, with explicit trade-offs relative to maximum-security wallet models. * Explicitly positioned mybucks.online for micro-gifting and convenience, not for long-term storage of high-value assets. *** ### 7) Networks & Token Display Supported networks include: * **EVM chains** (e.g., Ethereum, BNB Chain, Polygon, Arbitrum, Avalanche C-Chain, Optimism, Base) * **TRON** Token display is filtered against **@uniswap/default-token-list** to help reduce scam/fake token visibility. *** ### 8) Trust & Verification Security documentation and verification resources provided in the project: * [**Secure3 security audit**:](https://docs.mybucks.online/security-audits#secure3) published findings (links available in the docs) * [**HackenProof wallet cracking challenge**](https://docs.mybucks.online/security-audits#hackenproof): community stress-testing and follow-up security improvements *** ### ⚠️ Disclaimers & User Responsibility Important: * mybucks.online is intended for **micro-transactions and gifting**, not long-term storage of high-value assets. * There is **no reset/recovery** for the **passphrase + PIN**. If lost, funds will be permanently inaccessible. * To withdraw funds from a gifting wallet, the recipient needs a small amount of the chain’s native token to pay network gas; the gift giver is encouraged to deposit that together with the gift. *** ### References * [https://mybucks.online](https://mybucks.online/) * [https://app.mybucks.online](https://app.mybucks.online/) * * *