rainbow-me / rainbowkit

The best way to connect a wallet 🌈 🧰

Home Page: https://rainbowkit.com


[security] Stop initializing WalletConnect when it's not used in the dapp

talentlessguy opened this issue · comments

Is there an existing issue for this?

  • I have searched the existing issues

RainbowKit Version

2.1.2

wagmi Version

2.9.8

Current Behavior

Even if you're not using WalletConnect anywhere in your app, it still gets initialized. When it's initialized, it makes a few requests to the relay, which is used in WalletConnect analytics service. Basically it's spyware imposed on anyone who uses RainbowKit in their app, even if they don't opt in to it. I think this is a huge security hole, because WalletConnect gathers users' data without consent without even using their wallet lib.


WalletConnect shouldn't initialize before connecting to WC. This is specific to RainbowKit, as wagmi doesn't do that.

Expected Behavior

WalletConnect not being enabled if not imported. Only enable it if you import it explicitly.

Steps To Reproduce

  1. Open https://stackblitz.com/edit/vitejs-vite-rbsdea?file=src%2Fconfig.ts
  2. Open Network tab in DevTools
  3. Observe connection to the relay without doing anything, not even clicking the connect wallet button

Link to Minimal Reproducible Example (CodeSandbox, StackBlitz, etc.)

https://stackblitz.com/edit/vitejs-vite-rbsdea?file=src%2Fconfig.ts

Anything else?

No response
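Step 3 of the reproduction is a manual check in the DevTools Network tab. As an added example (not code from this issue, from RainbowKit or from wagmi), the hook below gives a dapp maintainer a programmatic version of that check: installed before the app mounts, it records every WebSocket and fetch target opened during page load and flags hosts outside an allowlist, so a connection made before anyone has clicked "Connect Wallet" shows up in a list. All host names, URLs and the stand-in `window` object are constructed placeholders.

```javascript
// Added example, not from the issue or the RainbowKit/wagmi code base.
// Records every WebSocket and fetch target opened during page load so that
// connections to hosts the dapp never opted into are visible in a list.

function hostOf(url) {
  // Resolve relative URLs against a constructed base so hostname is always defined.
  try {
    return new URL(String(url), "http://localhost").hostname;
  } catch {
    return String(url);
  }
}

function createNetworkAuditor(allowedHosts) {
  const events = [];

  function record(kind, url) {
    const host = hostOf(url);
    const entry = { kind, url: String(url), host, allowed: allowedHosts.has(host) };
    events.push(entry);
    return entry;
  }

  return {
    events,
    // Connections to hosts that are not on the allowlist.
    unexpected() {
      return events.filter((e) => !e.allowed);
    },
    // Subclass the real constructor so application code still gets a working socket.
    wrapWebSocket(OriginalWebSocket) {
      return class AuditedWebSocket extends OriginalWebSocket {
        constructor(url, protocols) {
          record("websocket", url);
          super(url, protocols);
        }
      };
    },
    // Call the original fetch with its original receiver (browsers reject an unbound fetch).
    wrapFetch(originalFetch, receiver) {
      return function auditedFetch(input, init) {
        const url = typeof input === "string" ? input : input && input.url ? input.url : String(input);
        record("fetch", url);
        return originalFetch.call(receiver, input, init);
      };
    },
    // Replace the constructors on the given global object (window in a browser).
    install(globalObject) {
      if (typeof globalObject.WebSocket === "function") {
        globalObject.WebSocket = this.wrapWebSocket(globalObject.WebSocket);
      }
      if (typeof globalObject.fetch === "function") {
        globalObject.fetch = this.wrapFetch(globalObject.fetch, globalObject);
      }
      return this;
    },
  };
}

// Constructed stand-in for window so the example runs offline: no real sockets are opened.
function demoPageLoad() {
  const fakeWindow = {
    WebSocket: class { constructor(url) { this.url = String(url); } },
    fetch: async (input) => ({ ok: true, url: String(input) }),
  };
  const auditor = createNetworkAuditor(new Set(["rpc.example.invalid"]));
  auditor.install(fakeWindow);
  // Simulated load-time traffic: an RPC call the dapp expects, and a relay socket it did not opt into.
  fakeWindow.fetch("https://rpc.example.invalid/");
  new fakeWindow.WebSocket("wss://relay.example.invalid/?projectId=constructed");
  return auditor;
}

console.log(demoPageLoad().unexpected());
```

In a real dapp the call would be `createNetworkAuditor(allowlist).install(window)` in the first script that runs, before the wallet library is imported; the `unexpected()` list can then be asserted empty in an end-to-end test so a connector that starts talking to a relay on mount fails CI rather than being noticed by hand.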

commented

@talentlessguy I'm also able to reproduce this with Wagmi (npm create wagmi@latest).


I don't think this is a RainbowKit specific issue. If this is a security concern, then it's better to raise a PR for Wagmi here.


From what I understand this happens only with a Rainbow connector in wagmi. Seems like that's where the issue is happening.

commented

@talentlessguy I'll look at it again and report back 👍

This happens exclusively with rainbow connector because it initializes WC

Is there any solution for this? I don't want walletconnect and definitely don't want it opening up a websocket connection

@floticerus I think if you have an injected connector it won't initialize WC at all

commented

@floticerus There isn't a way to do this unless you don't use wallets that use WC. Like @talentlessguy said you can use injected connector (injectedWallet) for now, but we're going to work on lazy loading the connectors soon.

commented

@talentlessguy WalletConnect and Wagmi team just got back to me. We could try and lazy load the connectors, but there is a problem with that. During page refresh we won't know if the user should be connected to the dApp or not, and Wagmi also manages the states for that. It's best to fix these connector issues upstream instead of relying on RainbowKit, but it doesn't seem that the EthereumProvider (@walletconnect/ethereum-provider) will disable tracking in the near future.

Also WalletConnect team has mentioned that you could turn off Verify API, but that's more risky. Essentially it'll be an empty iframe that doesn't do anything.

commented

@magiziz what do you mean by "fixing upstream"? Do you mean in WalletConnect? Can this be patched in wagmi somehow? But wagmi's WC connector doesn't initialize on page load, only when interacting with it.

commented

@talentlessguy Yeah upstream in WalletConnect. I'm not sure if this can be patched in Wagmi since they wouldn't know if the user is already connected whenever the page is refreshed. They also use a setup function for WalletConnect which gets the provider on mount https://github.com/wevm/wagmi/blob/main/packages/connectors/src/walletConnect.ts#L113-L124

commented

Going to close this issue for now since it's coming from walletConnect connector.