Perhaps you’ve noticed that recently some $PP have been transferred to your address.
This is an interesting and fun experiment, except that, when coupled with Syrius’ autoreceive feature, it could be used for tracking addresses owned by the same user.
What’s the problem?
When a transaction is sent to an address, that transaction remains unreceived until the recipient decides to receive it.
However, the recipient might not get a chance to make that decision. When Syrius is opened, as soon as it connects to a synced node, it starts scanning all addresses in the wallet and starts receiving all the unreceived transactions, without giving the user any options.
Similar to how dust attacks work on Bitcoin, this situation could provide a way to track which addresses belong to the same user.
How do we fix this?
The solution is quite straightforward; however, this doesn’t mean it’s as easy to implement as it is to articulate.
Syrius should provide the user with the option to disable autoreceiving and a way for the user to manually decide which transactions to receive.
Another major issue is that it makes holders vulnerable to auto receiving tainted coins. Problematic for institutional custody (for which Metaco and other custodians implement quarantine addresses for inbound txs, but it’s obviously not offering sufficient protection).
This dust attack was used on THORchain to send tainted / fake rune to holders, and when the user tried to access them it stole the real rune in their wallet.
We’ve had this discussion before. Balances are scoped to the embedded. So the protocol would need to be broken in order for someone to take the tokens.
I’ve added a switch for the auto-receiver in Settings → Wallet Options where users can turn it on or off.
If the user turns off the auto-receiver, unreceived transactions will appear in Transfer → Pending Transactions widget (below the Latest Transactions) where users will be able to manually pick which transactions they want to receive.
If not already done, probably a better UX to be able to selectively approve transfers to addresses rather than having to approve each tx manually vs allowing all of them.
This feature gives maximal liberty and sovereignty to your finances.
Also, remember that time they tried blocking transactions/wallets that were tainted because they went through a frowned upon privacy protocol, so then the hacker started sending small amounts to random wallets to taint them as well? It’s just good on every level to have the ability to block unsolicited transactions.
Scrolling thru the entire transactions to get to pending transactions is tedious, esp. if I chose to collect staking rewards daily. Is it possible to bring up the pending transaction widget above latest transactions or in a separate easily accessible location?
I can confirm the release on Nov 18, 2023 has the auto-receiver and hard coded nodes. I think that was built from master, but I’m not 100% sure. Looks like some stuff was stripped from master too.
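The receive policies discussed in this thread (auto-receive everything versus selectively approving senders or addresses), sketched as an added example that is not part of the original posts and is not Syrius code. The `Pending` and `Policy` types, the sender and address names, and the sample data are all hypothetical and constructed; `linkable` reports which senders would see two or more of the wallet's addresses publish a receive in the same session.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Pending:
    tx_hash: str    # constructed placeholder, not a real hash
    sender: str
    recipient: str  # one of the wallet's own addresses

@dataclass(frozen=True)
class Policy:
    auto_receive_all: bool = False            # the behaviour the thread objects to
    trusted_senders: frozenset = frozenset()  # senders the user has approved
    auto_addresses: frozenset = frozenset()   # addresses the user opted in

def triage(pending, policy):
    """Return (receive_now, held); held items wait for a manual decision."""
    receive_now, held = [], []
    for tx in pending:
        ok = (policy.auto_receive_all
              or tx.sender in policy.trusted_senders
              or tx.recipient in policy.auto_addresses)
        (receive_now if ok else held).append(tx)
    return receive_now, held

def linkable(received):
    """Senders that see two or more wallet addresses receive in one session."""
    seen = defaultdict(set)
    for tx in received:
        seen[tx.sender].add(tx.recipient)
    return {s: addrs for s, addrs in seen.items() if len(addrs) > 1}

# Constructed sample: one unknown sender dusts three wallet addresses,
# and a known pool pays a reward to addr_a.
PENDING = [
    Pending("h1", "dust_sender", "addr_a"),
    Pending("h2", "dust_sender", "addr_b"),
    Pending("h3", "dust_sender", "addr_c"),
    Pending("h4", "reward_pool", "addr_a"),
]

if __name__ == "__main__":
    policies = {
        "auto-receive on": Policy(auto_receive_all=True),
        "trusted sender only": Policy(trusted_senders=frozenset({"reward_pool"})),
    }
    for name, pol in policies.items():
        now, held = triage(PENDING, pol)
        exposed = {s: sorted(a) for s, a in linkable(now).items()}
        print(f"{name}: received={[t.tx_hash for t in now]} "
              f"held={[t.tx_hash for t in held]} linkable={exposed}")
```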