UNPKG

@bsv/sdk

Version:

BSV Blockchain Software Development Kit

github.com/bsv-blockchain/ts-sdk

bsv-blockchain/ts-sdk

140 lines (98 loc) 3.4 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
# Trust Model Understanding the security assumptions and trust relationships in BSV TypeScript SDK applications. ## Core Trust Principles The SDK is designed around minimizing trust requirements: ### Trustless Verification - **Cryptographic Proofs**: Verify transactions mathematically - **SPV Security**: Validate without trusting third parties - **Self-Sovereign**: Users control their own keys and data ### Minimized Dependencies - **Zero External Dependencies**: Reduces attack surface - **Self-Contained**: All cryptographic operations built-in - **Auditable**: Open source and transparent implementation ## Trust Relationships ### User Trust Users must trust: - **The SDK Code**: Open source and auditable - **Their Wallet**: Manages private keys securely - **Their Device**: Secure execution environment ### Network Trust Applications rely on: - **Bitcoin Network**: Honest majority of miners - **Chain Trackers**: Provide accurate blockchain data - **SPV Assumptions**: Valid merkle proofs and headers ### Service Trust Optional trust relationships: - **Wallet Providers**: If using hosted wallets - **ARC Services**: For transaction broadcasting - **Overlay Services**: For additional functionality ## Security Assumptions ### Cryptographic Security - **secp256k1**: Elliptic curve is secure - **SHA-256**: Hash function is collision-resistant - **ECDSA**: Digital signature scheme is unforgeable - **Random Number Generation**: Entropy source is secure ### Network Security - **Proof of Work**: Mining provides security - **Longest Chain**: Honest chain has most work - **Block Finality**: Deep confirmations prevent reorganization - **Network Connectivity**: Access to honest nodes ## Risk Mitigation ### Key Management ```typescript // Minimize private key exposure const wallet = new WalletClient() // Keys stay in wallet // Avoid direct key handling // const privateKey = PrivateKey.fromString() // Higher risk ``` ### Transaction Verification ```typescript // Always verify important transactions const isValid = await transaction.verify(chainTracker, { merkleProof: proof, blockHeader: header }) ``` ### Multiple Sources ```typescript // Use multiple chain trackers const config = { chainTracker: { primary: 'WhatsOnChain', fallbacks: ['GorillaPool', 'TAAL'] } } ``` ## Threat Model ### Attacks to Consider - **Private Key Compromise**: Secure key storage - **Man-in-the-Middle**: Use HTTPS and verify certificates - **Service Downtime**: Implement fallback mechanisms - **Double Spending**: Wait for confirmations - **Replay Attacks**: Use unique transaction IDs ## Application Design ### Security-First Design ```typescript // Validate all inputs function processTransaction(txHex: string) { if (!isValidHex(txHex)) { throw new Error('Invalid transaction hex') } const tx = Transaction.fromHex(txHex) // Process verified transaction } ``` ### Error Handling ```typescript // Handle trust failures gracefully try { const result = await chainTracker.getTransaction(txid) } catch (error) { // Fallback to alternative source const backup = await fallbackTracker.getTransaction(txid) } ``` ## Next Steps - Review [Key Management](./key-management.md) security practices - Understand [SPV Verification](./spv-verification.md) assumptions - Learn about [Wallet Integration](./wallet-integration.md) trust models