Zecwallet Lite is a set of desktop and mobile apps that implement the Zcash Lightclient protocol. They are light wallets that allow users to easily send and receive shielded transactions without needing to download the entire blockchain. Zecwallet Lite was originally released in early 2020, and is widely used in the Zcash ecosystem.
Zecwallet Lite uses the Zecwallet Lightclient SDK, an independent implementation of the Zecwallet Lightclient protocol that is used by the desktop and mobile Zecwallet Lite apps.
When Zecwallet launched, the Light client protocol was very new, and some features weren't implemented yet, so Zecwallet had to fork a couple of projects to add support for the full feature set. Since then, Zecwallet has upstreamed several changes, but we need to catchup and pay down some of the technical and security debt we have accumulated over the last year. This proposal outlines the 3 biggest shortcomings and proposes to address them over the next 7 weeks.
A big reason for doing this now is to prepare for the upcoming Pollard/Halo upgrade. Removing un-needed dependencies and relying on common implementations will make sure that future Pollard work will be doable without complicated customization, which might introduce further risks.
This project proposes doing 3 major tasks:
When Zecwallet Lite originally launched last year, we decided to support t address transactions as well in the lite client. This didn't have support in
librustzcash, so Zecwallet forked ECC's
librustzcash repository to add t-address support. Since then, we've been working to upstream the changes, and we've already submitted several PRs. Additionally, ECC has also added t-address support into
librustzcash. This task is to finish the final set of changes (which are largely on the Zecwallet SDK side) to completely remove the dependency on the Zecwallet's librustzcash fork, and depend directly on ECC's
When Zecwallet originally launched, it forked the stock LightwalletD and implemented two sets of changes in the fork:
Since then, ECC's LightwalletD has progressed considerably, and now also has support for t-addresses. Unfortunately, this is not API-compatible with Zecwallet's LightwalletD, and this task is to fix this by switching to the stock LightwalletD's API.
Once this is done, we'll have two way compatibility. i.e.,
This should go a long way in reducing the dependency on Zecwallet's LightwalletD server, and allow users to easily use any of the community-run LightwalletD servers.
One of the major outstanding items from last year is to complete a full security audit of the Zecwallet Lite SDK. As a reminder, Zecwallet Lite SDK is an independent implementation of the Lightclient Protocol, which is used in Zecwallet Lite apps and a few other community projects. It uses
librustzcash to access Zcash's cryptographic natives. While
librustzcash is maintained by the ECC and has regular security review, Zecwallet's Lightclient SDK has never been security audited.
Zecwallet solicited 3 proposals from external companies, and the most competitive proposal is from Least Authority. You can read the detailed proposal here
Zecwallet will also set aside three weeks of Developer time to address any issues that are uncovered by the Security Review.
(Because of the character limit, please see the forum post for Risks, Downsides, Evaluation Plan and Schedule)
Total: USD 112,500