This "crypto"-currency is using cleartext in its proprietary wallet

I recently became aware of the cryptocurrency Cortex from cortexlabs.ai. I'm not linking it because I don't intend to endorse it in any way. They purport to provide some AI inference on-chain. Never mind why you'd want that or how they do it. That's not my point today.

My point is that this project provides their own proprietary wallet, and that is very bad.


Well right below that there is a "MetaMask wallet using custom RPC" section that provides what you would need to connect using another wallet. The problem is that it is both out of date and does not work.


Surely, I thought, they've just moved their RPC server and if I can figure out what it is, I can still connect with my own wallet. I just need to download their wallet and take a look. So I took the plunge, downloaded the Chrome extension, and searched the source for things that looked like URLs. What I learned there is that their wallet is just an old forked version of MetaMask. But no obvious RPC URL. Next I fired it up with the Chrome dev tools and captured network traffic. There it is!

But what's this? "http://web3.cortexlabs.ai:30089"? Oh no. Not that I trust your server not to forward my requests to your friendly neighborhood spy agency, but I can read articles from dying local newspapers with more security than your cryptocurrency endpoint. OK, deep breaths. If I just assume that my every request is posted on the front page of Google, it'll be fine. I can probably at least use this in MetaMask, right?

Ha ha ha. No.

But why? It's because they've re-prefixed the RPC methods with "ctxc"!
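Both problems found above, the cleartext endpoint and the renamed RPC methods, can be spotted mechanically in a HAR export from the dev tools network tab. The following is an added example, not code from the original post or from the wallet; the `ctxc_blockNumber` method name, the `rpc.example.org` host, and the set of standard namespaces are assumptions made for illustration.

```javascript
// Added example: audit a dev tools HAR capture for cleartext JSON-RPC endpoints
// and for RPC methods outside the namespaces a stock Ethereum wallet speaks.
// Assumption: eth/net/web3 cover normal wallet traffic.
const STANDARD_NAMESPACES = new Set(["eth", "net", "web3"]);

function parseRpcCalls(text) {
  // A JSON-RPC body is one object or a batch array; anything else is not RPC.
  let body;
  try { body = JSON.parse(text); } catch { return []; }
  const calls = Array.isArray(body) ? body : [body];
  return calls.filter(c => c && typeof c === "object" && typeof c.method === "string");
}

function auditHar(har) {
  const findings = [];
  for (const entry of har?.log?.entries ?? []) {
    const req = entry.request ?? {};
    const calls = parseRpcCalls(req.postData?.text ?? "");
    if (calls.length === 0) continue; // not a JSON-RPC request
    let url;
    try { url = new URL(req.url); } catch { continue; }
    // Plain HTTP to a local node never leaves the machine; anything else does.
    const loopback = ["localhost", "127.0.0.1", "[::1]"].includes(url.hostname);
    if (url.protocol === "http:" && !loopback) {
      findings.push({ type: "cleartext-rpc", endpoint: url.origin });
    }
    for (const { method } of calls) {
      const ns = method.includes("_") ? method.split("_")[0] : "";
      if (!STANDARD_NAMESPACES.has(ns)) {
        findings.push({ type: "nonstandard-method", endpoint: url.origin, method });
      }
    }
  }
  return findings;
}

// Constructed sample capture (method names are illustrative, not taken from the wallet).
const sampleHar = { log: { entries: [
  { request: { method: "POST", url: "http://web3.cortexlabs.ai:30089/",
      postData: { text: '{"jsonrpc":"2.0","id":1,"method":"ctxc_blockNumber","params":[]}' } } },
  { request: { method: "POST", url: "https://rpc.example.org/",
      postData: { text: '[{"jsonrpc":"2.0","id":2,"method":"eth_chainId","params":[]}]' } } },
  { request: { method: "GET", url: "http://example.org/logo.png" } },
] } };

console.log(auditHar(sampleHar));
```
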


Reviewing the public forums for this project, it actually looks pretty dead despite being one of the better GPU mining options. But in summary, this is a case where there was a perfectly good, interoperable protocol, and this project decided that they needed to break compatibility in trivial ways. They actually had to go to considerable effort just to make things worse. It's less interoperable, trustworthy, secure, and convenient for users, and judging from the lack of community enthusiasm, ultimately self-defeating.
