A secure cryptocurrency wallet browser extension for the Nexus blockchain, similar to MetaMask but specifically designed for Nexus.io.
Why Q-Wallet? See our comparison with MetaMask, Trust Wallet, and other competitors to understand why Q-Wallet offers quantum-resistant security that traditional wallets cannot match.
- Secure Account Management - Create and manage Nexus accounts with encrypted storage
- Send & Receive NXS - Easy-to-use interface for sending and receiving NXS tokens
- Transaction History - View all your past transactions
- Real-time Balance Updates - Automatic balance refresh every 5 minutes
- Configurable Node - Connect to any Nexus node (local or remote)
- Session Management - Secure login/logout with PIN protection
- Web3 Provider - Inject `window.qWallet` object for dApp connectivity
- dApp Connections - Connect your wallet to Nexus-based decentralized applications
- Transaction Signing - Sign and approve transactions from dApps
- Message Passing - Secure communication between dApps and wallet
- Password Protected - Strong password encryption
- PIN Authentication - Additional PIN layer for transaction approval
- Memory-Only Session Storage - Session ID and PIN stored in chrome.storage.session (RAM only), NEVER written to disk
- Encrypted Fallback - If browser doesn't support session storage, uses memory-only encryption key (lost on reload)
- Content Security Policy - Strict CSP prevents code injection and XSS attacks
- XSS Prevention - All user inputs sanitized, no innerHTML with dynamic content
- Rate Limiting - Protection against brute force attacks (2-second delay after failed login)
- HTTPS Enforcement - Remote nodes require HTTPS connections
- Lock/Unlock - Lock your wallet when not in use
- Automatic Session Cleanup - Sessions automatically terminated on logout or browser close
- Defense in Depth - Multiple layers of security protection
- Blockchain Session Termination - Active sessions properly terminated on Nexus node on logout/browser close
- Quantum-Resistant SigChains - Protected by Nexus blockchain's signature chain technology
- One-Time Keypairs - Each transaction uses a unique keypair, never reused
- No Public Key Reuse - Eliminates vulnerability to quantum attacks via Shor's algorithm
- Post-Quantum Ready - Future-proof security architecture resistant to quantum computing threats
- Hardware-Like Security - SigChain architecture provides security similar to hardware wallets
- Download the Extension
  - Clone or download this repository
  - Or download the latest release from the releases page
- Install in Chrome/Brave/Edge
  - Open your browser and navigate to `chrome://extensions/` (or `brave://extensions/`, `edge://extensions/`)
  - Enable "Developer mode" (toggle in top-right corner)
  - Click "Load unpacked"
  - Select the `qwallet` folder
- Install in Firefox
  - Open Firefox and navigate to `about:debugging#/runtime/this-firefox`
  - Click "Load Temporary Add-on"
  - Select the `manifest.json` file from the `qwallet` folder
```bash
# Clone the repository
git clone https://github.com/AkstonCap/q-wallet.git
cd q-wallet
# No build process required - it's vanilla JavaScript!
# Just load the extension in your browser as described above
```
Before using the wallet, you need a Nexus node running. You can:
Option A: Run a Local Node
```bash
# Download and run the Nexus core
./nexus -apiuser=youruser -apipassword=yourpassword
# Or run without authentication (for local testing only)
./nexus -noapiauth
```
Option B: Connect to a Remote Node
- Use a public Nexus node or hosted service like api.distordia.com
- Configure the node URL in wallet settings (api.distordia.com available as default)
- Click the Nexus Wallet extension icon
- Click "Create New Wallet"
- Enter your details:
- Username: Your unique identifier
- Password: Strong password (min 8 characters)
- PIN: 4-8 digit PIN for transaction approval
- Confirm and create
- Click the "Receive" button
- Copy your address or share the QR code
- Give this address to whoever is sending you NXS
- Click the "Send" button
- Enter recipient address or username
- Enter amount to send
- Add optional reference number (64-bit integer for invoice/order tracking)
- Review transaction summary including fees
- Confirm transaction with PIN
Transaction Fees:
- Nexus Network Fee: 0.01 NXS (automatically deducted for multiple transactions within 10 seconds)
- Distordia Service Fee (only for amounts > 1):
- For NXS sends > 1 NXS: 0.1% of send amount (minimum 0.000001 NXS)
- For USDD sends > 1 USDD: 0.1% of send amount in USDD (minimum 0.0001 USDD)
- For other tokens or small amounts: No service fee
- NXS fees are deducted from your default NXS account; USDD fees from the sending account
Example: Sending 10 NXS
- Amount sent: 10 NXS
- Distordia service fee: 0.01 NXS (0.1%)
- Nexus network congestion fee: 0.01 NXS (auto-deducted)
- Total cost: 10.02 NXS
Example: Sending 0.5 NXS (no service fee)
- Amount sent: 0.5 NXS
- Distordia service fee: None (amount ≤ 1 NXS)
- Nexus network congestion fee: 0.01 NXS (auto-deducted only if additional transactions during last 10 seconds)
- Total cost: 0.50-0.51 NXS
- Go to "Receive" screen
- Click "Create New Account"
- Enter optional account name
- Select token (NXS or custom token name/address)
- Enter PIN to confirm
Account Creation Fees:
- Nexus Account Creation Fee: 1.0 NXS
- Nexus Local Name Creation Fee: 1.0 NXS (optional to name the account)
- No Distordia Service Fee
- Total: 1.0/2.0 NXS (deducted from default account)
- Check the "Transactions" tab to see your history
- Click any transaction for details
Configure your Nexus node connection:
- Click the ⚙️ settings icon
- Enter your node URL (default: `http://localhost:8080`)
- Click "Save Node"
Common node configurations:
- Local node: `http://localhost:8080`
- Remote node: `https://your-node-url:8080`
Developers can integrate Nexus Wallet into their dApps using the injected provider.
```javascript
// await needs an async context when this runs in a classic (non-module) script
(async () => {
  // Check if Q-Wallet is available
  if (typeof window.qWallet !== 'undefined') {
    console.log('Q-Wallet is installed!');

    // Connect to wallet
    const accounts = await window.qWallet.connect();
    console.log('Connected account:', accounts[0]);

    // Get balance
    const balance = await window.qWallet.getBalance();
    console.log('Balance:', balance);

    // Send transaction
    const tx = await window.qWallet.sendTransaction({
      to: 'recipient-address',
      amount: 10.5,
      reference: 12345 // Optional: 64-bit unsigned integer
    });
    console.log('Transaction:', tx);
  }
})();
```
- `qWallet.connect()` - Request connection to wallet
- `qWallet.connectWithFee(feeConfig)` - Connect with token fee requirement
- `qWallet.disconnect()` - Disconnect site from wallet
- `qWallet.getAccounts()` - Get connected accounts
- `qWallet.listAccounts()` - List all user accounts with details
- `qWallet.getBalance(account)` - Get account balance
- `qWallet.getAllBalances()` - Get all token balances
- `qWallet.sendTransaction(params)` - Send a transaction
- `qWallet.sendBatchTransactions(txs)` - Send multiple transactions
- `qWallet.executeBatchCalls(calls)` - Execute multiple API operations
- `qWallet.signTransaction(tx)` - Sign a transaction
- `qWallet.getTransactionHistory(limit)` - Get transaction history
- `qWallet.isWalletConnected()` - Check connection status
- `qWallet.isLoggedIn()` - Check if wallet is logged in
For complete dApp integration documentation, see DAPP-INTEGRATION.md.
The wallet uses Chrome's session storage API for sensitive data like session IDs and PINs. This provides:
- ✅ Memory-Only Storage - Data stored in RAM only, NEVER written to disk
- ✅ Automatic Cleanup - All session data cleared when browser closes
- ✅ Isolation - Not accessible to web pages or other extensions
- ✅ Browser Security - Protected by browser's security sandbox
Fallback Mode (if chrome.storage.session unavailable):
- Uses encryption with memory-only key (generated per session)
- Encryption key stored in JavaScript memory, lost on extension reload
- Encrypted data unrecoverable without the key
- Still cleared on browser close
What's stored in session:
- Session ID (UUID from Nexus blockchain)
- PIN (for transaction approval and logout)
- Username and genesis hash (non-sensitive identifiers)
When data is cleared:
- User logs out (explicit action)
- Browser window closes (automatic)
- Extension is reloaded/updated
- Fallback mode: Key lost = data unrecoverable
- Active Session Termination - Wallet attempts to terminate sessions on the Nexus blockchain when you logout or close the browser
- PIN Authentication - Required for terminating sessions on multi-user nodes
- Security-First Cleanup - Local session data (session ID, PIN) is ALWAYS cleared from storage, even if blockchain termination fails
- ⚠️ Offline Node Handling - If the node is offline, local data is still cleared immediately (blockchain session will expire naturally)
- Public Computer Safety - Closing browser always clears all sensitive data from local storage, regardless of network status
- No Credential Storage - Your username, password, and PIN are never stored persistently
- Session-Based Security - Only session tokens are kept (in memory)
- PIN Confirmation - All transactions require PIN re-entry for approval
- HTTPS Enforcement - Remote connections must use secure HTTPS protocol
Why chrome.storage.session?
- ✅ Stored in RAM only, not written to disk
- ✅ Automatically cleared on browser close
- ✅ Native browser security sandbox
- ✅ No need to manage encryption keys
Why the encrypted fallback?
- Some browsers may not support chrome.storage.session fully
- Encryption key lives in memory only (lost on reload)
- Better than plaintext on disk
- Data becomes unrecoverable when key is lost
Why not always encrypt in local storage?
- Encryption key must be stored somewhere
- If key on disk → not secure
- If key in code → visible to anyone
- If key from password → defeats the purpose
- Session storage is simpler and more secure
Hardware wallet integration?
- Not currently supported (browser extension limitation)
- Consider this for future mobile/desktop versions
- Current approach matches industry standard (MetaMask, etc.)
For Regular Use:
- ✅ Always logout when finished (don't just close window)
- ✅ Use strong, unique password and PIN
- ✅ Only connect to trusted dApps
- ✅ Verify transaction details before approving
For Public Computers:
- ⚠️ Use with caution - Browser wallets on shared computers have inherent risks
- ✅ Always explicitly logout before leaving (don't rely on browser close alone)
- ✅ Verify logout was successful before walking away
- ✅ Clear browser data after logout for extra security (Ctrl+Shift+Delete)
- Local data is always cleared - Even if node is offline, session/PIN are removed from computer
- Blockchain session timeout - If logout fails due to offline node, session will expire naturally (typically 24 hours)
For Public/Shared Computers:
- ⚠️ Use the Logout button before walking away
- ⚠️ Don't rely on browser close alone
- ⚠️ Clear browser data after use
- ⚠️ Consider not using wallet on public computers at all
- Transparent Fees - All transaction and service fees are clearly displayed before confirmation
The wallet implements a two-tier fee system to ensure sustainability and network security:
Nexus Network Fee (Automatic):
- 0.01 NXS per additional transaction within 10 seconds
- Automatically deducted by the Nexus blockchain
- Not charged by the wallet, but included in fee estimates
Distordia Service Fee:
- For NXS sends: 0.1% of amount (minimum 0.000001 NXS)
- Example: 1 NXS = 0.001 NXS fee
- Example: 100 NXS = 0.1 NXS fee
- Example: 0.001 NXS = 0.000001 NXS fee (minimum)
- For token sends: 0.01 NXS flat fee
- For account creation: 0.01 NXS flat fee
All fees are clearly displayed in the transaction summary before you confirm. Service fees are sent to the Distordia development address to support ongoing wallet development and maintenance.
- ✅ Use strong, unique passwords (minimum 8 characters)
- ✅ Never share your password or PIN with anyone
- ✅ Only connect to trusted Nexus nodes
- ✅ Review all transactions carefully before confirming
- ✅ Lock your wallet when not in use
- ✅ Only approve dApp connections from websites you trust
- ✅ Keep your credentials backed up safely offline
- ✅ Session tokens (temporarily, auto-cleared on browser close)
- ✅ Wallet preferences and settings
- ✅ Node URL configuration
- ✅ Transaction cache for quick display
- ❌ Your username, password, or PIN
- ❌ Any sensitive credentials
Your wallet is created on the Nexus blockchain, not in the browser extension. Make sure to securely store your username, password, and PIN. You can access your wallet from any device with these credentials.
Yes! The Nexus blockchain supports multiple accounts per profile. Create additional accounts in the wallet settings.
If you forget your username, password or PIN, you can recover access to your wallet using the private seed phrase, which must be created in the Nexus desktop wallet (Nexus Interface) or CLI. Always keep secure backups of your credentials and seed phrase.
Yes! Your credentials are never stored in the extension. Session tokens are temporary and auto-clear when you close your browser. All transactions require PIN confirmation.
Not currently.
Go to Settings → Node Settings, and enter your remote node URL. For security, only HTTPS connections are allowed for remote nodes (localhost/LAN can use HTTP).
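One way to express the rule above (HTTPS for remote nodes, HTTP only for localhost/LAN), added as an example rather than Q-Wallet's own code. `validateNodeUrl` and `isPrivateHost` are hypothetical names, and treating "LAN" as loopback plus the RFC 1918 IPv4 ranges is an assumption.

```javascript
// Added example, not Q-Wallet's code: decide whether a node URL may be saved.
// Assumption: "LAN" means loopback or an RFC 1918 IPv4 literal. DNS names other
// than localhost are treated as remote because resolution cannot be trusted here.
function isPrivateHost(hostname) {
  const host = hostname.replace(/^\[|\]$/g, '').toLowerCase(); // strip IPv6 brackets
  if (host === 'localhost' || host.endsWith('.localhost') || host === '::1') return true;
  const m = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return false; // any other name or IPv6 address counts as remote
  const [a, b] = m.slice(1).map(Number);
  return a === 127 || a === 10 ||
    (a === 192 && b === 168) ||
    (a === 172 && b >= 16 && b <= 31);
}

function validateNodeUrl(input) {
  let url;
  try {
    // The URL parser normalises the host, e.g. decimal or hex IPv4 forms
    url = new URL(String(input).trim());
  } catch {
    return { ok: false, reason: 'not a valid URL' };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials in the URL are not allowed' };
  }
  if (url.protocol === 'https:') return { ok: true, url: url.origin };
  if (url.protocol !== 'http:') {
    return { ok: false, reason: 'only http(s) URLs are accepted' };
  }
  if (isPrivateHost(url.hostname)) return { ok: true, url: url.origin };
  return { ok: false, reason: 'remote nodes must use HTTPS' };
}
```

Saving only the returned `url` (the origin) keeps paths, query strings and fragments out of the stored node setting.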
Chrome, Brave, Edge, and other Chromium-based browsers are fully supported. Firefox is supported but the extension needs to be loaded as a temporary add-on.
- Ensure you're using a Chromium-based browser or Firefox
- Check that all files are present
- Look for errors in `chrome://extensions` with Developer mode enabled
- Verify your Nexus node is running (try: `curl http://localhost:8080/system/get/info`)
- Check the node URL in settings
- Ensure CORS is enabled on your node (for remote connections)
- Check firewall settings
- Verify username, password, and PIN are correct
- Ensure your Nexus node is accessible
- Check that the profile exists (create a new wallet if needed)
- Wait for blockchain confirmation (usually a few seconds)
- Refresh wallet data by locking and unlocking
- Check node connection in settings
- Verify transaction on the blockchain
The extension works perfectly without icons. If you want custom icons, open generate-icons.html in your browser and save the generated images to the icons/ folder.
For a comprehensive overview of the security measures, see SECURITY.md.
Key Security Features:
- ✅ Content Security Policy (CSP) - Blocks all inline scripts and code injection attacks
- ✅ XSS Prevention - All dynamic content safely rendered using textContent
- ✅ Rate Limiting - 2-second delay after failed login attempts to prevent brute force
- ✅ HTTPS Enforcement - Remote API connections require secure protocol
- ✅ Memory-Only Storage - Session data stored in RAM, never written to disk
- ✅ No eval() - Zero use of dangerous eval() or Function() constructors
- ✅ Input Validation - All user inputs validated before processing
- ✅ Secure Session Management - Proper termination on logout/browser close
Security Grade: A- (Production Ready)
The wallet implements defense-in-depth security with multiple protection layers:
- Storage security (chrome.storage.session)
- Code security (CSP + no unsafe patterns)
- Network security (HTTPS enforcement)
- Authentication security (PIN + rate limiting)
- Input/output sanitization
Audited Files:
- `manifest.json` - CSP configuration
- `services/storage.js` - Secure storage implementation
- `services/wallet.js` - Session management
- `popup.js` - UI security (XSS prevention, rate limiting)
- `background.js` - Service worker security
- `services/nexus-api.js` - API communication
MIT License - Use freely, modify, and distribute as needed.
This wallet manages cryptocurrency. Use at your own risk. Always:
- ✅ Keep secure backups of your credentials
- ✅ Use strong, unique passwords
- ✅ Verify all transactions before confirming
- ✅ Only install from trusted sources
- ✅ Never share your password or PIN
Built with ❤️ for the Nexus Blockchain Community