Two distinct scroll movements are required on mobile to reach the bottom of the page for an unknown reason.

CSP would add another layer of XSS protection

Related: #181

This is what Reclaim escrow transaction preview shows:

(Note that the 10,000.0 TEST amount is wrong since the value of shares increased in between when the share amount was approximated from the desired reclaim value of 10k, to the actual transaction submission.)

This is what transaction history shows:

This is what is shown under "Debonding delegations" tab:

Change Validator and To to Account to avoid misleading issues inside TransactionHistory

Send transaction:

Delegate transaction:

• I would suggest renaming the title to:
  • "Delegated 99,999.0 TEST"
• I would suggest renaming "Validator" to "To" and showing a validator's name instead of account address if the address is for a known validator with an entity in metadata registry. The validator's name could be a link to a page with more info about it (link to block explorer?) or to go under "Active delegation" tabs for that validator?
• Should the validator's avator also be shown somewhere?

Undelegate transaction:

• Same suggestions as for the Delegate transaction.

I have the following suggestions:

1. Type. Should the "nice" transaction type / name (something that is translatable) be shown first and the raw transaction's method name (e.g. Add escrow) be shown in parenthesis?
   Something like:

   • Type: Delegate (Add escrow)

   The full description (e.g. "Delegate your tokens to a validator and earn rewards") could be shown via a mouse-hoover tooltip?

2. Validator. Can this be renamed to "To"? In principle, one could make a delegation to a non-validator node. And this makes it consistent with the Oasis Node CLI which shows:

You are about to sign the following transaction:
  Method: staking.AddEscrow
  Body:
    To:     oasis1qqyrlc85h0mz4g00gj7r8pmxsas9yqc4nupaxy4a
    Amount: 20000.0 TEST
  Nonce:  0
  Fee:
    Amount: 0.0 TEST
    Gas limit: 272
    (gas price: 0.0 ROSE per gas unit)
Other info:
  Genesis document's hash: 425f8b31b5d511483c401fb480457c183c0eca7e78b8a6ed4ce88be6cfa9ab14

And with what the Oasis Ledger app will show in the upcoming version.

3. Balance. Do you think users will find this field useful? In principle, the Preview transaction is a dialog, so the Total balance of an account will be visible in the background. Moreover, I was a bit confused if the balance should be interpreted as the balance before executing this transaction or some "preview" balance that will be the effect of executing this transaction?
   I would consider removing it.

4. Gas. Can you rename this to "Gas limit" and change the units to so it is shown as 272? This will make it consistent with the Oasis Node CLI and what the Oasis Ledger app shows.

Otherwise reloading page changes the selection to mainnet

On systems like Fedora, the default Docker container registry is not docker.io but registry.fedoraproject.org.

Could you make image names in Docker / Docker Compose configurations fully namespaced (e.g. docker.io/library/golang:1.16 instead of golang:1.16) so their is no ambiguity about which image is required?

Move away from Grommet's default theme, and pick new fonts

These dependencies don't seem to be used:

• bip32
• bn.js
• @types/bn.js
• buffer
• cborg
• combinate
• elliptic
• grpc-web
• js-sha256
• js-sha512
• polished
• postinstall-postinstall
• react-number-format

As mentioned in #81 - we should display the validator name & icon if possible inside the transaction history

please mark all issues found during this audit as blocking this one. this issue will not be marked as complete until all blockers are resolved (fixed or deferred, etc).

Is the email address validated anywhere in the stack? Otherwise some mail clients are vulnerable to autoattaching files with mailto:?attach=..

(https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2020/08/15/mailto-paper.pdf)

Originally posted by @lukaw3d in #199 (comment)

Blocking #181

I would prefer if all text files would respect that.

This could be checked with editorconfig-checker.

Besides the primary account (described in ADR 0008), also allow opening additional accounts for non-zero key numbers, i.e. m/44'/474'/1', m/44'/474'/2', ...

• Staking (Adding / reclaiming escrow)
• Staking rewards and history
• Current debonding

It seems that balance sometimes gets out of sync between Testnet and Mainnet.

• open https://wallet.stg.oasisprotocol.org/account/oasis1qqs6ylpfurhf6gc9mw232fkmrt3d0673lyzc5xf2
• import account from private key
  • has 10000 TEST and 0 ROSE
• go to stake

switch to testnet	switch to mainnet
input validation says I don't have 111 TEST	transaction summary says I have 10000 ROSE
found balance = 0n in assertSufficientBalance with debugger

when you click the menu in the top right and switch networks, it takes a few seconds before the loading spinner modal appears

The wallet should include some form of a yield calculator, which would be based on the reward schedule, the current epoch, the validator delegating to, amount of tokens and for number of epochs that the tokens will be staked for

For example, when a user wants to reclaim (a part of) his delegation, he is also shown the corresponding amount of shares:

The amount that is presented in actually displayed in gigashares. The actual amount of shares in this case is 9997790262966873 and shares themselves are indivisible.

I agree that displaying the raw amount of shares would be even less clear to the user, so it is better to display it in gigashares. Just make sure to to suffix the amount with the unit. We would prefer using "gigashares".

FWIW, this is a design we have in mind for the next version of the oasis-node stake account info CLI command:

Balance:
  Total: 38,011,517.084506708 ROSE
  Available: 5,105,018.191459385 ROSE
  Active Delegations from this Account:
    Total: 32,906,498.893047323 ROSE
    Delegations:
      - Address: oasis1qrw82ag2sypeytse9x9k4uxym53l5lc5jyfs2sxv (self)
        Amount:  176,207.030432434 ROSE (169,146.962340923 gigashares, 0.56%)
      - Address: oasis1qrdx0n7lgheek24t24vejdks9uqmfldtmgdv7jzz
        Amount:  32,730,291.862614889 ROSE (31,418,889.047306104 gigashares, 76.34%)
  Debonding Delegations from this Account:
    Total: 0.0 ROSE

Nonce: 5
 
Active Delegations to this Account:
  Total: 31,407,044.571716172 ROSE (30,148,661.90284496 gigashares)
  Delegations:
    - Address: oasis1qrw82ag2sypeytse9x9k4uxym53l5lc5jyfs2sxv (self)
      Amount:  176,207.030432434 ROSE (169,146.962340923 gigashares, 0.56%)
    - Address: oasis1qq2xx4pgk0wa73363l287wy48lmaf3v8tymthyhv
      Amount:  20,814,851.680934195 ROSE (19,980,865.262676913 gigashares, 66.27%)
    - Address: oasis1qrn9c0k92vk5leh62m942nqeq2kl9tmkaqk6lzz4
      Amount:  10,415,485.860349543 ROSE (9,998,169.711273221 gigashares, 33.16%)
    - Address: oasis1qqzt9qamqdl2kau4avryz6pp2nq8rgxmzysz2492
      Amount:  500.0 ROSE (479.966553905 gigashares, <0.01%)

Display an error when this occurs

i run the code in develop , and change nothing . but show this error

Http response at 400 or 500 level
The above error occurred in task selectNetwork
created by takeEvery(network/selectNetwork, selectNetwork)
created by networkSaga
Tasks cancelled due to error:
takeEvery(network/selectNetwork, selectNetwork)

just a nit noticed while doing #181 auditing -- not obvious whether it has security impact in practice.

we use bech32 w/ oasis prefix, but isValidAddress

it would be better defense-in-depth if even UI code like PrettyAddress validated its preconditions about its arguments and threw an exception (which i think bech32.decode does), even though for error reporting / blame assignment the same check should be done as close to the source of the data as possible, so that the check in PrettyAddress is unreachable in normal execution.

• No device found
• Device locked (Triggers an unknown error)
• Transasction rejected

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• Update dependency @types/lodash to v4.14.200
• Update dependency bignumber.js to v9.1.2
• Update react dependencies (@types/react, @types/react-dom, react-router-dom)
• Update test dependencies (@types/jest, @types/jest-when)
• Update docker dependencies (docker.io/clickhouse/clickhouse-server, docker.io/envoyproxy/envoy, docker.io/library/alpine, docker.io/library/golang)
• Update parcel monorepo to v2.10.0 (@parcel/config-webextension, @parcel/packager-raw-url, @parcel/transformer-webmanifest, parcel)
• Update dependency react-redux to v8
• Update dependency styled-components to v6
• Update react dependencies (major) (@testing-library/react, @types/react, react-data-table-component)
• Click on this checkbox to rebase all open PRs at once

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

Support having multiple addresses open at the same time and switching between those, with different wallet types concurrently

I don't think this is high priority
Blocked by grommet/grommet#5537
Related to #181

For security of older browsers it is best practice to use target="_blank" with rel="noopener"
https://web.dev/external-anchors-use-rel-noopener/

This appears in ValidatorMediaInfo:

Some pages and components need to be adapted for mobile

For advanced users, it would be really helpful to be able to make a delegation to an arbitrary account (by entering the account's address).

some sites show a tooltip when you click a 'copy' button.

or more generally, buttons often have some kind of "down" appearance when you're clicking it

https://testnet.oasis-wallet.com/account/oasis1qz62v3qtgfz4uj27e2q9f8lwgjy7vxjtkyx9q436/stake

If validator has a website link validator.media.website_link = 'javascript:alert(1)' it executes when user middle-clicks the website link

Minimal code to reproduce:

<ValidatorMediaInfo mediaInfo={ { website_link: 'javascript:alert(1)' } } />

Blocking #181

Support opening wallets with ledger (with various accounts in the derivation paths), and signing transactions with ledger

Currently, when the link to the wallet is loaded in another app, it shows:

• "Oasis Wallet"
• "The official non-custodial web wallet for the Oasis Network."

Can we make this configurable, e.g. to set it differently for the staging site?

Steps to reproduce:

• Open two different accounts (I used 2 different mnemonics).
• Switch between them with the account switcher button in the top-right corner.
• Account details are not updated and after switching, the wrong account's details are displayed.

Example screenshot (the chosen account is oasis1qrs594jx6ytzgqp92uxqlr8n5qdcrpemv5xg4wn4 but they one displayed is oasis1qqdcs4gj5g0kykdcy9s32snh8a58swgkhyj6kzdy):

When a user creates a wallet using a generated mnemonic, have a flow to ensure that they saved the mnemonic (maybe confirm the order or have a few blanks that need to be filled)

We currently support opening wallets with the ED255159 PEM files, maybe make it more obvious that the whole envelope can be copy pasted, or add a file input to locally load the file from disk

From #236 (comment)

• remove google exceptions by downloading fonts #526
• remove 'unsafe-inline' style by precomputing theme hash
• add report-uri to gather errors if anything was missed

https://snyk.io/advisor/npm-package/portable-fetch

• open https://wallet.stg.oasisprotocol.org/account/oasis1qqekv2ymgzmd8j2s2u7g0hhc7e77e654kvwqtjwm/stake
• switch to Testnet
• search for oasis1qz2tg4hsatlxfaf8yut9gxgv8990ujaz4sldgmzx
• error Cannot read properties of undefined (reading 'sent')