krakenfx / wallet

Kraken Wallet is a powerful self-custody wallet built for the decentralized web
https://kraken.com/wallet
MIT License

Improve security and dependency situation #8

Open paulmillr opened 2 months ago

paulmillr commented 2 months ago

I maintain ethereum-cryptography, which was created to combine all Ethereum deps in one package. The work was funded by EF in 2021. You are already using it through some of your deps.

Kraken depends on a bunch of unnecessary cryptographic libraries. For example, for secp256k1, you use at least 4 libraries: secp256k1, tiny-secp256k1, elliptic and @noble/curves. Instead, one library can be used. Sometimes you are using outdated dependencies that have not been maintained for years.

A dependency can get an update and add malware to your bundle. This can be combatted:

It can be assumed that you did not personally audit every line of dependency. Neither did your auditor, because that would be too long and expensive.

You are already using audited noble-hashes and noble-curves through @solana/web3.js, bip32, bip39, ethers and others. I suggest the following steps:

  1. ripemd160 can be replaced by noble-hashes
  2. secp256k1 can be replaced by noble-curves
  3. slip39 can be replaced by ed25519-keygen, which depends on noble-curves
  4. tiny-secp256k1 can be replaced by noble-curves
  5. web3 v1.10 can be upgraded to v4 which depends on noble-curves
  6. ethereumjs-wallet v1 can be upgraded to v2, which depends on noble-curves and noble-hashes
  7. ed25519-hd-key: see 3, is unnecessary
  8. crypto-browserify should be removed (last update 6 years ago, unmaintained, lots of deps) and replaced by noble-hashes
  9. ecpair can be replaced by noble-curves or scure-btc-signer
  10. electrum-mnemonic can be replaced by scure-bip39 (TODO: research whether feature parity is achieved)
  11. bignumber.js is not needed, can be replaced by native BigInt
  12. @metamask/eth-sig-util can be upgraded from v4 to v7, which depends on noble-curves

erickuhn19 commented 2 months ago

Thanks @paulmillr going to review this list with the team.