Hacker News
Baron is a Bitcoin payment processor that anyone can deploy (github.com)
69 points by amacneil on Nov 12, 2014 | 14 comments

https://bitcointalk.org/index.php?topic=309785.0 BitcoinTalk.org includes Baron in its security bounty program because it intends to use it within its own infrastructure. If you find a way to break it you can earn some serious money.

I'm the CEO of Slickage. This was released a few months ago and I'm personally sorry for the downtime of the demo. I hope people like it!

I'd love to see a review of this code

it's OSS...

Does this use extended public keys?

As best I can tell, it does not do any key management. No reference to terms like "Key" or "HierarchicalKey" at all. My guess is that you have to give it the addresses you own, and it detects if payment has been made to them. Since it does not use "HierarchicalKey", bitcore's term for BIP32 extended keys, it probably requires that you constantly refill the address pool so it doesn't run out. Or it reuses them.

edit: I also just realized it depends on "bitcoin". It may rely on a running bitcoin core full node to handle the private keys.

Based on the fact that it has a "Bitcoind RPC port" option, I think it is safe to say that it just relies on a running Bitcoin Core node.

That means it does not support deterministic keys. Users will need to be careful to back up their wallet.dat file on a periodic basis.

That's correct. Currently it requires private keys on the Baron server, which means the wallet must be encrypted and backed up often. Encrypted means the keypool must be refilled periodically.

If there is sufficient demand it would be theoretically possible to include watch-only support so the Baron server need not have private keys online. Ideally this would work with a Hierarchical Deterministic wallet where the server does not need to be periodically refilled with unused addresses.

Hypothetically this could be done today with a JavaScript library that generates the public addresses as needed. I am not sure if such a library exists at the moment?
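The watch-only setup described in the comment above rests on BIP32 non-hardened public derivation: a server holding only the parent public key and chain code can compute each child public key, and the offline key holder arrives at the matching private key. The sketch below is an added example, not part of the thread and not Baron's code; the function names and the parent key are constructed for illustration, and it stops at the compressed public key (address encoding is left out).

```javascript
const crypto = require('crypto'); // added example: hypothetical names, Node.js built-ins only
const P = 2n ** 256n - 2n ** 32n - 977n; // secp256k1 field prime
const N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141n; // group order
const G = [0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798n,
           0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8n];
const mod = (a, m) => ((a % m) + m) % m;
function inv(a) { // modular inverse via Fermat's little theorem (P is prime)
  let r = 1n, b = mod(a, P);
  for (let e = P - 2n; e > 0n; e >>= 1n, b = b * b % P) if (e & 1n) r = r * b % P;
  return r;
}
function add(A, B) { // affine point addition; null is the point at infinity
  if (!A || !B) return A || B;
  const [x1, y1] = A, [x2, y2] = B;
  if (x1 === x2 && mod(y1 + y2, P) === 0n) return null;
  const l = x1 === x2 ? 3n * x1 * x1 * inv(2n * y1) : (y2 - y1) * inv(x2 - x1);
  const x3 = mod(l * l - x1 - x2, P);
  return [x3, mod(l * (x1 - x3) - y1, P)];
}
function mul(k, A) { // double-and-add; not constant time, demonstration only
  let R = null;
  for (; k > 0n; k >>= 1n, A = add(A, A)) if (k & 1n) R = add(R, A);
  return R;
}
const toBig = (buf) => BigInt('0x' + buf.toString('hex'));
const serP = ([x, y]) => // compressed SEC1 encoding, the form carried in an xpub
  Buffer.from((y & 1n ? '03' : '02') + x.toString(16).padStart(64, '0'), 'hex');
function tweak(K, chain, i) { // I = HMAC-SHA512(chain, serP(K) || ser32(i))
  if (i >= 0x80000000) throw new Error('hardened index needs the private key');
  const idx = Buffer.alloc(4); idx.writeUInt32BE(i);
  const I = crypto.createHmac('sha512', chain).update(Buffer.concat([serP(K), idx])).digest();
  const IL = toBig(I.subarray(0, 32));
  if (IL >= N) throw new Error('invalid child, skip this index');
  return { IL, chain: I.subarray(32) };
}
function ckdPub(K, chain, i) { // payment server: parent public key and chain code only
  const t = tweak(K, chain, i);
  const child = add(mul(t.IL, G), K);
  if (!child) throw new Error('invalid child, skip this index');
  return { K: child, chain: t.chain };
}
function ckdPriv(k, chain, i) { // offline key holder: same tweak on the private scalar
  const t = tweak(mul(k, G), chain, i);
  return { k: mod(t.IL + k, N), chain: t.chain };
}
function demo(i) { // constructed parent key (not a real wallet); both results must match
  const seed = crypto.createHash('sha512').update('constructed demo seed').digest();
  const k = toBig(seed.subarray(0, 32)) % N, chain = seed.subarray(32);
  return [serP(ckdPub(mul(k, G), chain, i).K), serP(mul(ckdPriv(k, chain, i).k, G))].map((b) => b.toString('hex'));
}
```

Because the chain code plus any one non-hardened child private key is enough to recover the parent private key, the extended public key on the server still has to be treated as sensitive.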

I'm more concerned about the private keys being stolen by hackers.

JavaScript as a language for handling serious amounts of money? I don't know...

NodeJS is very stable. Since JavaScript is asynchronous by design, NodeJS's performance is excellent.

Stable, performant. Secure?

better than COBOL

live demo 502
