Whitepaper

Seedless, Disposable Crypto Wallet with 1-Click Gifting

1) Design Philosophy

mybucks.online is designed for speed, convenience, and decentralization. It does not require app installs, browser extensions, or seed phrases. It converts human-readable, traditional credentials into a wallet private key instantly using a one-way hash function in the browser.

mybucks.online is not intended to replace full-featured wallets such as MetaMask or Trust Wallet. mybucks.online targets micro-transactions and URL-based gifting, and aims to foster a lightweight, accessible gifting culture in Web3.

2) Security Architecture

In mybucks.online, the passphrase and PIN are the primary credentials. It derives a private key from your passphrase and PIN using Scrypt and Keccak256. To strengthen resistance to brute-force attacks, the Scrypt Key Derivation Function (KDF) was intentionally chosen, as it increases the computational cost of key derivation. Key derivation runs entirely in the browser with no storage and no third-party key-management APIs.

There is no server, no storage, and no database. The wallet is generated and erased instantly in the browser.

Below is a minimal illustration of generating the private key from passphrase and PIN entirely on the client (browser-side):

import { Buffer } from "buffer";
import { ethers } from "ethers";
import { scrypt } from "scrypt-js";

const HASH_OPTIONS = {
  N: 131072, // 2^17
  r: 8,
  p: 1,
  keyLen: 64,
};

const KDF_DOMAIN_SEPARATOR = "mybucks.online-core.generateHash.v2";

const abi = new ethers.AbiCoder();

export async function generatePrivateKey(passphrase, pin) {
  const passwordBuffer = Buffer.from(passphrase, "utf8");

  // Default mode: domain-separated salt derivation
  const encoded = abi.encode(
    ["string", "string", "string"],
    [KDF_DOMAIN_SEPARATOR, passphrase, pin]
  );
  const saltHash = ethers.keccak256(encoded);
  const saltBuffer = Buffer.from(saltHash.slice(2), "hex");

  // Memory-hard key derivation
  const hashBuffer = await scrypt(
    passwordBuffer,
    saltBuffer,
    HASH_OPTIONS.N,
    HASH_OPTIONS.r,
    HASH_OPTIONS.p,
    HASH_OPTIONS.keyLen
  );

  const hashHex = Buffer.from(hashBuffer).toString("hex");
  // Final wallet private key material
  return ethers.keccak256(abi.encode(["string"], [hashHex]));
}

Scrypt Parameters

Parameter

Value

2^17

keyLen

March 2026: hardened Default mode

Following an open wallet cracking challenge and expert reviews, mybucks.online improved resistance to specialized ASIC/GPU attacks:

Scrypt cost upgrade: N increased from 2^15 to 2^17 (memory-hardness ~32MB -> ~128MB)
Lower parallelization: p reduced from 5 to 1
Safer salt derivation: improved domain-separated salt generation that incorporates the full passphrase and PIN, preserving entropy without relying on stored random salts (aligned with the zero-storage philosophy)

N=2^17 was selected in line with OWASP minimum recommendation, while maintaining practical UX performance on mobile environments.

For backward compatibility, a Legacy mode exists for wallets created before March 2026.

3) 1-Click Gifting: Wallet via URL

With mybucks.online, you can send cryptocurrency and even the wallet itself via a URL.

The passphrase, PIN, and active network ID are encoded into a URL hash fragment and shared. On the recipient side, the payload is parsed and restored, key derivation runs automatically, and the wallet opens immediately.

There is no server-side link expiration: the derived on-chain address is fixed, and the same transfer link can reopen that wallet at any time. For as long as funds remain at that address, they are accessible to anyone who holds the link.

This enables one-time starter wallets for gifting without requesting wallet addresses, and supports bulk distribution and massive airdrops through shareable links.

Below is a minimal codebase to show how to encode credentials into URL format.

const TOKEN_VERSION_COMPACT = 0x02;

const passphraseBytes = Buffer.from(passphrase, "utf-8");
const pinBytes = Buffer.from(pin, "utf-8");
const networkBytes = Buffer.from(network, "utf-8");

const payloadBuffer = Buffer.concat([
  Buffer.from([TOKEN_VERSION_COMPACT]),
  Buffer.from([passphraseBytes.length]),
  passphraseBytes,
  Buffer.from([pinBytes.length]),
  pinBytes,
  Buffer.from([networkBytes.length]),
  networkBytes,
]);

// Convert Base64 to Base64URL so token remains safe in URL hash/query contexts.
const base64Encoded = payloadBuffer
  .toString("base64")
  .replace(/\+/g, "-")
  .replace(/\//g, "_")
  .replace(/=+$/g, "");

const padding = nanoid(12);
const token = padding.slice(0, 6) + base64Encoded + padding.slice(6);

console.log("https://app.mybucks.online/#wallet=" + token);

4) Core Package Integration

Core functions such as key derivation and URL parameter generation/parsing are published as an independent package, @mybucks.online/core, in the npm registry.

https://www.npmjs.com/package/@mybucks.online/corewww.npmjs.com

Below is a minimal codebase to generate temporary accounts for massive airdrops programmatically.

import {
  generateHash,
  getEvmPrivateKey,
  getEvmWalletAddress,
  getTronWalletAddress,
  generateToken,
  randomPassphrase,
  randomPIN,
} from "@mybucks.online/core";

const network = "polygon";
const passphrase = randomPassphrase(6);
const pin = randomPIN(8);

// Example passphrase: ZaeJU~-@T_PhV-.+tJ0'-EWC}6w
// Example PIN: kzsh4ees

const hash = await generateHash(passphrase, pin);
// Example hash: b5a1d33cd5db14e97d6896d7845d9b49cefcac8e0ae6a9b8261f386f9dcd1c4cd3f409ee72e640dce05392af1766cb06c038eff01d04212e5e9a0ea6dcf18f35

const privateKey = getEvmPrivateKey(hash);
const address =
  network === "tron" ? getTronWalletAddress(hash) : getEvmWalletAddress(hash);

const walletToken = generateToken(passphrase, pin, network);
const giftingLink = "https://app.mybucks.online/#wallet=" + walletToken;

console.log({ passphrase, pin, privateKey, address, network, walletToken, giftingLink });

5) Browser-Level Hardening

mybucks.online uses strict Content Security Policy (CSP) to reduce risks from XSS and unauthorized script injection by restricting where resources and connections can come from.

For transfer links, credential data is encoded in a URL hash fragment (#wallet=...) so it stays browser-side and helps reduce exposure in typical server-side logs and upstream network logging paths. The wallet parameter is removed immediately after parsing, further reducing the risk of unexpected sharing through the Referer HTTP header.

6) Vulnerabilities and Mitigation Strategy

This section summarizes ethical hackers' feedback on potential vulnerabilities and our mitigation approach.

Major Vulnerabilities

The salt in key derivation is deterministically derived from passphrase/PIN instead of using a globally unique random salt.
Users can choose weak, compromised, or common passphrase/PIN combinations.
Anyone with a transfer link can extract passphrase/PIN because they are Base64-encoded for URL transport.

Our Response

Added zxcvbn validation to actively block common, compromised, and dictionary-based patterns.
Instead of relying on a single long password, we use both a Passphrase and PIN, applying a password-chunking approach.
Users are strongly encouraged to choose long, unique credentials and use the auto-fill feature for high-entropy passphrase/PIN generation (approximately 130-bit entropy).
This product prioritizes convenience and accessibility, with explicit trade-offs relative to maximum-security wallet models.
Explicitly positioned mybucks.online for micro-gifting and convenience, not for long-term storage of high-value assets.

7) Networks & Token Display

Supported networks include:

EVM chains (e.g., Ethereum, BNB Chain, Polygon, Arbitrum, Avalanche C-Chain, Optimism, Base)
TRON

Token display is filtered against @uniswap/default-token-list to help reduce scam/fake token visibility.

8) Trust & Verification

Security documentation and verification resources provided in the project:

Secure3 security audit: published findings (links available in the docs)
HackenProof wallet cracking challenge: community stress-testing and follow-up security improvements

⚠️ Disclaimers & User Responsibility

Important:

mybucks.online is intended for micro-transactions and gifting, not long-term storage of high-value assets.
There is no reset/recovery for the passphrase + PIN. If lost, funds will be permanently inaccessible.
To withdraw funds from a gifting wallet, the recipient needs a small amount of the chain’s native token to pay network gas; the gift giver is encouraged to deposit that together with the gift.

References

https://mybucks.online
https://app.mybucks.online
https://docs.mybucks.online/
https://github.com/mybucks-online/app
https://www.npmjs.com/package/@mybucks.online/core

PreviousSecurity notice NextSecurity Audits

Last updated 25 days ago

hashtag1) Design Philosophy

hashtag2) Security Architecture

hashtagScrypt Parameters

hashtagMarch 2026: hardened Default mode

hashtag3) 1-Click Gifting: Wallet via URL

hashtag4) Core Package Integration

hashtag5) Browser-Level Hardening

hashtag6) Vulnerabilities and Mitigation Strategy

hashtagMajor Vulnerabilities

hashtagOur Response

hashtag7) Networks & Token Display

hashtag8) Trust & Verification

hashtag⚠️ Disclaimers & User Responsibility

hashtagReferences