rainbow-me / rainbowkit

The best way to connect a wallet 🌈 🧰
https://rainbowkit.com
MIT License

[security] Stop initializing WalletConnect when it's not used in the dapp #2029

Open talentlessguy opened 4 weeks ago

talentlessguy commented 4 weeks ago

Is there an existing issue for this?

RainbowKit Version

2.1.2

wagmi Version

2.9.8

Current Behavior

Even if you're not using WalletConnect anywhere in your app, it still gets initialized. When it's initialized, it makes a few requests to the relay, which is used by the WalletConnect analytics service. Basically it's spyware imposed on anyone who uses RainbowKit in their app, even if they don't opt in to it. I think this is a huge security hole, because WalletConnect gathers users' data without consent, even without using their wallet lib.

image

WalletConnect shouldn't initialize before connecting to WC. This is specific to RainbowKit, as wagmi doesn't do that.

Expected Behavior

WalletConnect not being enabled if not imported. Only enable it if you import it explicitly.

Steps To Reproduce

  1. Open https://stackblitz.com/edit/vitejs-vite-rbsdea?file=src%2Fconfig.ts
  2. Open Network tab in DevTools
  3. Observe connection to the relay without doing anything, not even clicking the connect wallet button

Link to Minimal Reproducible Example (CodeSandbox, StackBlitz, etc.)

https://stackblitz.com/edit/vitejs-vite-rbsdea?file=src%2Fconfig.ts

Anything else?

No response
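An added example, not code from RainbowKit, wagmi or the issue author: a small browser-side audit hook that wraps the page's `WebSocket` constructor so the check in step 3 above (a relay connection opened before any click) can be asserted automatically in a dev build instead of being read off the Network tab. Every outbound socket is logged; one to a host outside the first-party allowlist that opens before the first pointer or keyboard input is flagged. The hostnames (`relay.walletconnect.com`, `app.example`), the `PLACEHOLDER` query value and the fake environment are constructed for illustration, not taken from the page.

```javascript
// Audit hook: records every WebSocket the page opens and flags third-party
// connections that start before the user has interacted with the page.
// Added example; not part of RainbowKit or wagmi.

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

function installWebSocketAudit(target, { firstPartyHosts = [], onFlag = () => {} } = {}) {
  const NativeWebSocket = target.WebSocket;
  if (typeof NativeWebSocket !== 'function') throw new TypeError('target has no WebSocket constructor');

  const state = { userInteracted: false, log: [] };
  const markInteraction = () => { state.userInteracted = true; };
  // Pointer or keyboard input counts as user intent. addEventListener is
  // optional so the hook can also be exercised outside a DOM (see demo()).
  if (typeof target.addEventListener === 'function') {
    for (const ev of ['pointerdown', 'keydown']) target.addEventListener(ev, markInteraction, { capture: true });
  }

  function AuditedWebSocket(url, protocols) {
    const host = hostOf(String(url));
    const entry = {
      url: String(url),
      host,
      thirdParty: host !== null && !firstPartyHosts.includes(host),
      beforeInteraction: !state.userInteracted,
      at: Date.now(),
    };
    entry.flagged = entry.thirdParty && entry.beforeInteraction;
    state.log.push(entry);
    if (entry.flagged) onFlag(entry);
    // Delegate to the real constructor; the returned object replaces `this`.
    return protocols === undefined ? new NativeWebSocket(url) : new NativeWebSocket(url, protocols);
  }
  // Keep static constants (CONNECTING, OPEN, ...) and instanceof checks working.
  AuditedWebSocket.prototype = NativeWebSocket.prototype;
  Object.setPrototypeOf(AuditedWebSocket, NativeWebSocket);
  target.WebSocket = AuditedWebSocket;

  return {
    state,
    markInteraction,
    flagged: () => state.log.filter((e) => e.flagged),
    uninstall: () => { target.WebSocket = NativeWebSocket; },
  };
}

// Constructed stand-in for `window`, so the hook runs outside a browser.
function makeFakeEnv() {
  class FakeWebSocket {
    constructor(url, protocols) {
      this.url = String(url);
      this.protocols = protocols;
      this.readyState = FakeWebSocket.CONNECTING;
    }
  }
  FakeWebSocket.CONNECTING = 0;
  FakeWebSocket.OPEN = 1;
  return { WebSocket: FakeWebSocket };
}

// Replays the reported behaviour against the fake environment.
function demo() {
  const env = makeFakeEnv();
  const audit = installWebSocketAudit(env, { firstPartyHosts: ['app.example'] });
  // 1. Relay socket opened on page load, before any click: flagged.
  //    (relay hostname and query value are illustrative assumptions)
  new env.WebSocket('wss://relay.walletconnect.com/?projectId=PLACEHOLDER');
  // 2. First-party socket opened on load: allowed.
  new env.WebSocket('wss://app.example/live');
  // 3. User clicks "Connect Wallet"; a relay socket is now expected: not flagged.
  audit.markInteraction();
  new env.WebSocket('wss://relay.walletconnect.com/?projectId=PLACEHOLDER');
  return audit;
}

if (typeof window === 'undefined') {
  console.log(demo().flagged().map((e) => `${e.host} opened before interaction`));
}
```

In a real page, call `installWebSocketAudit(window, { firstPartyHosts: [location.hostname], onFlag: console.warn })` before the wallet library loads; a dapp whose connector set never initializes WalletConnect should report no flagged entries on a cold load.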

magiziz commented 4 weeks ago

@talentlessguy I'm also able to reproduce this with Wagmi (npm create wagmi@latest).

image

I don't think this is a RainbowKit specific issue. If this is a security concern, then it's better to raise a PR for Wagmi here.

talentlessguy commented 4 weeks ago

> @talentlessguy I'm also able to reproduce this with Wagmi (npm create wagmi@latest).
>
> image
>
> I don't think this is a RainbowKit specific issue. If this is a security concern, then it's better to raise a PR for Wagmi here.

From what I understand, this happens only with a Rainbow connector in wagmi. Seems like that's where the issue is happening.

magiziz commented 4 weeks ago

@talentlessguy I'll look at it again and report back 👍

talentlessguy commented 4 weeks ago

This happens exclusively with the rainbow connector because it initializes WC.

floticerus commented 3 days ago

Is there any solution for this? I don't want WalletConnect and definitely don't want it opening up a websocket connection.

talentlessguy commented 3 days ago

@floticerus I think if you have an injected connector, it won't initialize WC at all.

magiziz commented 3 days ago

@floticerus There isn't a way to do this unless you don't use wallets that use WC. Like @talentlessguy said, you can use the injected connector (injectedWallet) for now, but we're going to work on lazy loading the connectors soon.