## Problem

MPC wallet addresses have no cryptographic relationship with recovery mnemonics, so address-based verification always failed for account recovery.

## Solution

Changed mnemonic verification from address matching to hash-based verification:

- Mnemonic acts as identity credential, verified by hash stored in blockchain-service
- Uses accountSequence to lookup stored mnemonic hash for verification

## Changes

### blockchain-service

- recovery-mnemonic.adapter.ts:
  - generateMnemonic() now async, uses bcrypt (rounds=12) for secure hashing
  - verifyMnemonic() now async, supports both bcrypt and legacy SHA256 hashes
  - Added backward compatibility for existing SHA256 hashed mnemonics
- mnemonic-verification.service.ts:
  - await verifyMnemonic() for async bcrypt comparison
- address-derivation.service.ts:
  - await generateMnemonic() for async bcrypt hashing
- package.json: added bcrypt dependency

### identity-service

- user-application.service.ts:
  - Changed recoverByMnemonic() to use verifyMnemonicByAccount (hash verification)
  - Added rate limiting: 5 failed attempts per hour per accountSequence
  - Uses Redis to track failed verification attempts
- redis.service.ts:
  - Added incr() and expire() methods for rate limiting
  - Added updateKeygenStatusAtomic() with Lua script for atomic state transitions
- mpc-keygen-completed.handler.ts:
  - Uses atomic Redis update to prevent race conditions
- blockchain-wallet.handler.ts:
  - Uses atomic Redis update for completed status

## Security Improvements

- bcrypt with 12 rounds for mnemonic hashing (anti-brute-force)
- Rate limiting prevents brute force attacks on mnemonic recovery
- Atomic Redis operations prevent race conditions in wallet creation flow

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

| Name |
|---|
| .. |
| api |
| application |
| config |
| domain |
| infrastructure |
| shared |
| app.module.ts |
| main.ts |
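
The failed-attempt limit the commit message describes (5 per hour per accountSequence, tracked with incr() and expire()), as an added example that is not the repository's code. The in-memory store stands in for Redis so it runs offline, and `MemoryStore`, `attemptRecovery`, the key name and the `verify` callback are assumptions made here.

```typescript
// Added example: fixed-window limiter for failed mnemonic verifications.
// CounterStore mirrors an incr()/expire() pair; MemoryStore is a synchronous stand-in for Redis.
type Entry = { value: number; expiresAt: number | null };

interface CounterStore {
  get(key: string): number;
  incr(key: string): number;
  expire(key: string, seconds: number): void;
}

class MemoryStore implements CounterStore {
  private entries: Record<string, Entry> = {};
  private now: () => number;
  constructor(now: () => number) { this.now = now; }
  // Return the entry only if it has not passed its TTL (lazy expiry).
  private live(key: string): Entry | undefined {
    const e = this.entries[key];
    if (e && e.expiresAt !== null && e.expiresAt <= this.now()) {
      delete this.entries[key];
      return undefined;
    }
    return e;
  }
  get(key: string): number { return this.live(key)?.value ?? 0; }
  incr(key: string): number {
    const e = this.live(key) ?? { value: 0, expiresAt: null };
    e.value += 1;
    this.entries[key] = e;
    return e.value;
  }
  expire(key: string, seconds: number): void {
    const e = this.live(key);
    if (e) e.expiresAt = this.now() + seconds * 1000;
  }
}

const MAX_FAILURES = 5;      // from the commit message
const WINDOW_SECONDS = 3600; // "per hour"
type Outcome = "ok" | "invalid" | "rate_limited";

function attemptRecovery(store: CounterStore, accountSequence: string, verify: () => boolean): Outcome {
  const key = `mnemonic:fail:${accountSequence}`; // hypothetical key name
  // Refuse before running the (expensive) hash comparison once the budget is spent.
  if (store.get(key) >= MAX_FAILURES) return "rate_limited";
  if (verify()) return "ok";
  // Only failures count; the TTL is set on the first one so later failures do not extend the window.
  if (store.incr(key) === 1) store.expire(key, WINDOW_SECONDS);
  return "invalid";
}
```

Against a real Redis, INCR and EXPIRE are separate commands, so a crash between them leaves a counter with no TTL and a permanently locked account. Running both in one Lua script or MULTI block closes that gap.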