On security and sovereignty

"Expect to self-rescue"

As with Urbit, and the rest of 'crypto', %fund is a tool for sovereignty. Not only does this mean you can have the relationships you want, it also means you have the responsibility for managing your own security.

Privacy on the internet

When you first open %fund you will encounter an option to share usage data with us. Sharing this data helps us understand whether you are using the off-chain elements of the application. Choosing not to share this usage data will not impact the functionality of your application, but we find it worthwhile to note that your on-chain activity is still publicly visible (due to the nature of the Ethereum blockchain), even if you opt out of our data sharing request.

Wallet Support

Due to the current affordances of Urbit on security, resilience, and recoverability, we have chosen to offload wallet security to third-party wallets for the time being, so the security of your funds depends on your overarching security practices. Currently %fund supports MetaMask wallet connections for all message signing and transaction execution. A tangential benefit of this is being able to support legacy (non-Urbit) Ethereum wallet users with a unified user experience.

As Urbit matures, we expect to use some of its unique benefits to improve the %fund user experience with things like storing private keys in your urbit and making transaction signing an integrated function of actions and state changes occurring on the Urbit network.

Security Warning

The current release uses the Gnosis Safe Contracts, which are heavily audited and the industry standard for multisigs. That said, our interfaces are beta software and we make no warranty as to their security properties.

More importantly, though, an Urbit security audit has not been conducted. This includes both the implementation of Urbit OS (aka %arvo) and the runtime (aka %vere). It is possible that a malicious actor could hack your urbit and change the contract address contained in the %fund desk code, tricking you or your users into interacting with a malicious contract. While these are not perfect solutions, we recommend two things to reduce this risk:

  1. Regularly check the desk hash against a known credible source. We publish the most current hash, as well as a history of published hashes, here on the documentation site. If your hash is different from the one provided here, please proceed with extreme caution.

    • The current desk hash from +vats %fund for v1.0 is: 15q4m

  2. When signing transactions in MetaMask, double check the contract address with which you are interacting! This is something you should do anyway, but we strongly encourage you not to skip this step: remember, crypto is a bearer asset!
