
Decentralized token swap/payment widget on any website - tmlee
https://developer.kyber.network/docs/WidgetGenerator/
======
xrd
This is cool but only works with MetaMask installed. Means 99% of your users
can't use it, and doesn't work on mobile.

~~~
xur17
Yeah, I had the same response. As a retailer, allowing users to pay in
whatever they want but receiving Dai is pretty desirable, but forcing users to
pay with MetaMask isn't going to work. I'm hoping this is something they plan
to fix.

~~~
tmlee
It is also possible to use the widget with hardware wallets like Trezor and
Ledger. The experience is quite seamless, with signing done on the hardware.

There is going to be a barrier to entry, but this gives end users the option
to safeguard their own private keys to swap tokens, which in some cases is
more desirable than depositing into an exchange.

~~~
xrd
I noticed the option to paste in a private key and have it sign for you. If
that goes to a server, that seems really dangerous. And, copy and paste on
Android is really dangerous as well. Is that not an issue somehow with Trezor?
Is there a way to use a hardware wallet and avoid sharing your private key
while still getting the benefits of solutions like Kyber?

~~~
tmlee
Copy-pasting a private key is probably the lowest common denominator and not
the most ideal option in most cases.

As for the Trezor case, the private key does not leave the device. I would
imagine that the integration would be like most cases, where the data gets
sent to the hardware wallet to be sent. It is signed in the wallet, and it
spits out the payload to be broadcast.

As such, by using hardware wallets, you shouldn't be exposing private keys
outside of the device at all.

~~~
xrd
I don't get it, but don't have a hardware wallet.

One of the parent comments said signing happens client side. Another comment
said private key never leaves the device.

Which is it? Are both possible?

I really think the option to paste in the private key should be removed. It's
dangerous to ask for that when there are so many Android apps that by default
get access to paste buffer and can grab that key easily. If I were writing
malware that would be my number one focus.

~~~
tmlee
My understanding is as follows.

If you have a hardware wallet, you will pass the intent message (sending
money, swap, etc.) to Trezor. Trezor holds your private key, signs the message
with your private key, and hands the payload back to the client to be
broadcast to the network. This way your private key stays in the hardware
wallet, protected from a compromised computer.

If you use MetaMask instead, the private key here resides in the browser, or
your computer rather. I am unsure exactly where the signing happens, but it
will have to happen within the domain of your computer (at MetaMask or JS)
because that is where the key is. It gets back the payload to be broadcast.

Copy-pasting a private key (totally not recommended) is for cases where, say,
you don't have MetaMask or a hardware wallet. The signing is probably done
using the JS library included by the widget to obtain the payload for
broadcast.

Nothing should be passed on to a server. Only the signed message needs
broadcasting into the Ethereum network for the transaction to be included in
a block.

~~~
xrd
The intent message is the pre-signed JSON of the transaction details, I'm
assuming?

How do you get that into the Trezor? Using USB OTG? I only see two buttons
there.

~~~
tmlee
USB, and Trezor has software called Trezor Connect
(https://github.com/trezor/connect) for 3rd-party application integration.

The hardware buttons act like the ultimate OK/Cancel button. You can review
the transaction address, id, etc on the hardware screen to confirm that you
are not getting phished and such. (vs. on the software)
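
The flow described in the comments above (client builds the intent, the device confirms and signs it, only the signed payload is broadcast), as an added example that is not from any commenter and is not Kyber, MetaMask or Trezor code. All function names are hypothetical, the addresses are constructed, and Node's ECDSA over SHA-256 stands in for Ethereum's transaction signing.

```javascript
const crypto = require('crypto');

// Stand-in for a hardware wallet: the private key exists only inside this closure.
// confirmOnDevice models the user reading the device screen and pressing OK/Cancel.
function createHardwareSigner(confirmOnDevice) {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  return {
    publicKey: publicKey.export({ type: 'spki', format: 'pem' }),
    sign(intentBytes) {
      // The device parses what it was actually asked to sign, not what the page displays.
      const intent = JSON.parse(intentBytes.toString('utf8'));
      if (!confirmOnDevice(intent)) throw new Error('rejected on device');
      return crypto.sign('sha256', intentBytes, privateKey); // only the signature leaves
    },
  };
}

// Client side (the web page): builds the unsigned intent and forwards it for signing.
function clientSwap(device, intent) {
  const intentBytes = Buffer.from(JSON.stringify(intent));
  return { intentBytes, signature: device.sign(intentBytes) }; // payload to broadcast
}

// Network side: accepts a payload only if the signature covers exactly these bytes.
function networkAccepts(payload, publicKeyPem) {
  return crypto.verify('sha256', payload.intentBytes, publicKeyPem, payload.signature);
}

// Constructed sample addresses, not real accounts.
const EXPECTED_TO = '0x' + '11'.repeat(20);
const OTHER_TO = '0x' + '22'.repeat(20);

function demo() {
  // The user approves only the recipient they expect to see on the device screen.
  const device = createHardwareSigner((intent) => intent.to === EXPECTED_TO);
  const good = clientSwap(device, { to: EXPECTED_TO, token: 'DAI', amount: '10' });
  const accepted = networkAccepts(good, device.publicKey);
  // Payload altered on the computer after signing: the signature no longer verifies.
  const altered = Buffer.from(JSON.stringify({ to: OTHER_TO, token: 'DAI', amount: '10' }));
  const tamperedAccepted = networkAccepts({ ...good, intentBytes: altered }, device.publicKey);
  // Intent altered before signing: the on-device review is what catches it.
  let rejected = false;
  try { clientSwap(device, { to: OTHER_TO, token: 'DAI', amount: '10' }); }
  catch (e) { rejected = true; }
  return { accepted, tamperedAccepted, rejected, exposesKey: 'privateKey' in device };
}
```

In the paste-a-private-key mode discussed in the thread, the key would instead be a value held by the page's own JavaScript, so neither the closure boundary nor the on-device confirmation applies.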

