I maintain ethereum-cryptography, which was created to combine all ethereum deps in one package. The work was funded by EF in 2021. You are already using it through some of your deps.
Kraken depends on a bunch of unnecessary cryptographic libraries. For example, for secp256k1, you use at least 4 libraries: secp256k1, tiny-secp256k1, elliptic and @noble/curves. Instead, one library can be used. Sometimes you are using outdated dependencies that have not been maintained for years.
A dependency can get an update and add malware to your bundle. This can be combatted:
- by manually checking every dependency upgrade diff
- by utilizing lavamoat sandbox (like metamask does)
It can be assumed that you did not personally audit every line of dependency. Neither did your auditor, because that would be too long and expensive.
You are already using audited noble-hashes and noble-curves through @solana/web3.js, bip32, bip39, ethers and others. I suggest the following steps:
1. ripemd160 can be replaced by noble-hashes
2. secp256k1 can be replaced by noble-curves
3. slip39 can be replaced by ed25519-keygen, which depends on noble-curves
4. tiny-secp256k1 can be replaced by noble-curves
5. web3 v1.10 can be upgraded to v4, which depends on noble-curves
6. ethereumjs-wallet v1 can be upgraded to v2, which depends on noble-curves and noble-hashes
7. ed25519-hd-key: see 3, is unnecessary
8. crypto-browserify should be removed (last update 6 years ago, unmaintained, lots of deps) and replaced by noble-hashes
9. ecpair can be replaced by noble-curves or scure-btc-signer
10. electrum-mnemonic can be replaced by scure-bip39 (todo: research if feature-parity is achieved)
11. bignumber.js is not needed, can be replaced by native BigInt
12. @metamask/eth-sig-util can be upgraded from v4 to v7, which depends on noble-curves
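A way to check a claim like "at least 4 secp256k1 libraries" against your own lock file, as an added example that is not part of the issue or of Kraken's code: it walks a package-lock.json `packages` map (lockfileVersion 2/3), flags the redundant libraries named above, and resolves which package binds to each installed copy (hoisted or nested). The `SAMPLE_LOCK` contents and the `legacy-signer` package are constructed for illustration.

```javascript
// Added example (not from the issue or from Kraken): scan a package-lock.json
// "packages" map for the redundant crypto libraries the issue lists and report
// every installed copy together with the packages bound to it.
const REPLACEMENTS = {
  'secp256k1': '@noble/curves', 'tiny-secp256k1': '@noble/curves', 'elliptic': '@noble/curves',
  'ripemd160': '@noble/hashes', 'crypto-browserify': '@noble/hashes', 'bignumber.js': 'native BigInt',
};
// Last component of a lock key: "node_modules/a/node_modules/@s/b" -> "@s/b".
const entryName = (lockPath) => lockPath.split('node_modules/').pop();
// Lock entry that `dep`, declared at `fromPath`, binds to (walks up node_modules like Node's resolver).
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + '/' : ''}node_modules/${dep}`;
    if (candidate in packages) return candidate;
    if (!base) return null; // reached the project root without finding it
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}
function findRedundantCrypto(lock) {
  const packages = lock.packages || {};
  const dependents = {}; // resolved lock path -> names of packages bound to that copy
  for (const [fromPath, meta] of Object.entries(packages)) {
    const fromName = fromPath === '' ? '<project>' : entryName(fromPath);
    for (const dep of Object.keys(meta.dependencies || {})) {
      const target = resolveDep(packages, fromPath, dep);
      if (target) (dependents[target] = dependents[target] || []).push(fromName);
    }
  }
  const findings = [];
  for (const [lockPath, meta] of Object.entries(packages)) {
    const name = entryName(lockPath);
    if (lockPath === '' || !(name in REPLACEMENTS)) continue;
    findings.push({ name, version: meta.version, via: dependents[lockPath] || [], replaceWith: REPLACEMENTS[name] });
  }
  // Sorted so duplicate copies of one library sit next to each other.
  return findings.sort((a, b) => a.name.localeCompare(b.name) || a.version.localeCompare(b.version));
}
// Constructed lock: tiny-secp256k1 used directly; hypothetical "legacy-signer" brings secp256k1 and a nested elliptic.
const SAMPLE_LOCK = { packages: {
  '': { dependencies: { 'tiny-secp256k1': '^1', 'legacy-signer': '^1', 'bignumber.js': '^9' } },
  'node_modules/tiny-secp256k1': { version: '1.0.0', dependencies: { elliptic: '^6' } },
  'node_modules/elliptic': { version: '6.5.0' },
  'node_modules/legacy-signer': { version: '1.0.0', dependencies: { secp256k1: '^4', elliptic: '^6' } },
  'node_modules/legacy-signer/node_modules/elliptic': { version: '6.4.0' },
  'node_modules/secp256k1': { version: '4.0.0' },
  'node_modules/bignumber.js': { version: '9.0.0' },
} };
console.table(findRedundantCrypto(SAMPLE_LOCK));
```

Point `findRedundantCrypto` at `JSON.parse(fs.readFileSync('package-lock.json'))` to run it on a real project; the `via` column tells you which upgrade from the list above removes each copy.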