Wallet Connection on rhino.fi
Wallet connection is fundamental to rhino.fi. The process we have put in place enables us to open up our platform to a huge audience, without surrendering the fundamental principles of self-custody.
Here, we explain the process in detail.
Self-custody and deposits
Our platform is totally self-custodial, which means we have no way of accessing user funds or initiating any transactions on their behalf. Instead of interacting directly with us, users interact with the smart contract built for our scalability engine, StarkEx, which has been fully audited.
Once users deposit into this smart contract, all state changes (in other words, changes to their balance) need to be signed with their personal StarkEx key, which is stored on their device. This key is used to sign transactions (such as swaps, transfers and withdrawals) directly on rhino.fi; users have sole access to this key.
We have on-boarded a significant number of wallets during the evolution of our project. In the early months, when we were called DeversiFi, we offered only two connection options: MetaMask, a software wallet (or hot wallet) typically accessed via a browser extension, and Ledger, a hardware wallet which resembles a USB wallet or pen drive. For Ledger, we built a native StarkEx integration so the StarkEx key essentially lives on the device.
Over recent months, we have on-boarded a number of different wallets and wallet-connection hubs to our platform. These include:
Rainbow
Coinbase
Trust Wallet
WalletConnect, an open-source protocol which allows over 100 different wallets to connect to decentralised applications, using only a QR code.
One notable point of difference for our technology is the use of a StarkEx key, stored on the users’ device.
As mentioned, the StarkEx key is used to perform balance changes (such as swaps, investments, or liquidity pools). So, if a malicious actor were to try to hack the users’ funds, they would need access to both the users’ wallet private key and their StarkEx key. This is highly unlikely unless the users’ device is compromised.
The user’s view of the connection process
When the user first visits rhino.fi, they will see a ‘Connect Wallet’ button at the top of the screen, which is highlighted in the screenshot below.
Upon pressing this button, a full list of options will appear.
The connection method varies for each type of wallet. For example, to connect a MetaMask wallet to rhino.fi, users need to access the MetaMask wallet via their browser (or download the software if they haven’t already). For wallets supported by WalletConnect, users have to scan a QR code.
User signatures
Authentication
For the authentication stage, users must sign a pre-defined message, which reads: "To protect your rhino.fi privacy we ask you to sign in with your wallet to see your data.
Signing in on Mon, 1 May 2023 09:47:38 GMT. For your safety, only sign this message on rhino.fi!"
We only use this message on our backend API to confirm that the user is actually the owner of this wallet, so that we can keep user information private. It’s safe to sign this message, as it’s simply a confirmation of ownership: it doesn’t cost any gas and does not compromise the user’s wallet in any way.
StarkEx key generation / recovery
To generate the StarkEx key, users are asked to sign another pre-defined message:
"rhino.fi
Action:
Access your rhino.fi account
OnlySignOn:
app.rhino.fi"
This creates a deterministic private key, which we use to encrypt the users’ Stark private key (which is randomly generated), so we can store it on our API for recovery purposes.
Again, this is a safe action: it doesn’t cost any gas and it doesn’t compromise the users’ wallet in any way. However, users should be wary of signing either of these messages on any other website if the text mentions rhino.fi.
Trusted elements
The process is fully self-custodial: everything is encrypted and rhino.fi never has any access to users’ keys.
User wallets only interact with the deposit contract. This is highly secure, as well as necessary.
Risks
As mentioned, other platforms may try to impersonate rhino.fi for phishing purposes, so users should avoid signing any authentication message that mentions rhino.fi on any other platform.
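The rule above can be checked mechanically before a wallet signs anything. The following is an added example, not rhino.fi's code: it reviews a signing request against the two message layouts quoted on this page. The function name `reviewSignRequest`, the five-minute freshness window and the choice of `app.rhino.fi` as the only trusted host are assumptions.

```javascript
// Added example (not rhino.fi code): wallet-side review of a signing request.
const TRUSTED_HOST = "app.rhino.fi";   // assumption: taken from the OnlySignOn field
const MAX_AGE_MS = 5 * 60 * 1000;      // assumption: acceptable sign-in timestamp skew
const MONTHS = ["Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec"];
const SIGN_IN_RE =
  /Signing in on [A-Z][a-z]{2}, (\d{1,2}) ([A-Z][a-z]{2}) (\d{4}) (\d{2}):(\d{2}):(\d{2}) GMT\./;
const ONLY_SIGN_ON_RE = /OnlySignOn:\s*(\S+)/;

// Sample inputs constructed from the two messages quoted on this page.
const SIGN_IN_MSG =
  "To protect your rhino.fi privacy we ask you to sign in with your wallet to see your data.\n" +
  "Signing in on Mon, 1 May 2023 09:47:38 GMT. For your safety, only sign this message on rhino.fi!";
const KEY_MSG = "rhino.fi\nAction:\nAccess your rhino.fi account\nOnlySignOn:\napp.rhino.fi";

const deny = (reason) => ({ allow: false, reason });

// origin: URL of the page asking the wallet to sign; now: epoch milliseconds.
function reviewSignRequest(message, origin, now = Date.now()) {
  if (!/rhino\.fi/i.test(message)) return { allow: true, reason: "not a rhino.fi message" };
  let url;
  try { url = new URL(origin); } catch { return deny("origin is not a valid URL"); }
  // Exact host match: look-alike hosts and subdomain tricks must not pass.
  if (url.protocol !== "https:" || url.hostname !== TRUSTED_HOST)
    return deny(`rhino.fi message requested by ${url.host}`);

  const bound = message.match(ONLY_SIGN_ON_RE);
  if (bound) {
    // Key-generation message: the host named in the text must match too.
    return bound[1] === TRUSTED_HOST
      ? { allow: true, reason: "key message on trusted host" }
      : deny(`OnlySignOn names ${bound[1]}`);
  }
  const m = message.match(SIGN_IN_RE);
  if (!m) return deny("unrecognised rhino.fi message");
  const month = MONTHS.indexOf(m[2]);
  if (month < 0) return deny("unparseable timestamp");
  const signedAt = Date.UTC(+m[3], month, +m[1], +m[4], +m[5], +m[6]);
  // An old or future timestamp suggests the prompt was not generated for this session.
  if (Math.abs(now - signedAt) > MAX_AGE_MS) return deny("stale sign-in timestamp");
  return { allow: true, reason: "fresh sign-in message on trusted host" };
}
```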
If you would like to discuss our wallet connection process, or any other aspect of rhino.fi’s technology in more detail, please contact us via Twitter or Discord.
Updated on: 29/05/2023