Skip to content

[Bug Report] Web Wallet v0.5.0 — Comprehensive QA Audit (12 Bugs + 8 UX Issues) #4

Description

@Alhibb

[Bug Report] Web Wallet v0.5.0 — Comprehensive QA Audit (12 Bugs + 8 UX Issues)

Summary

Full QA audit of the Unicity Web Wallet v0.5.0 conducted on 2026-03-11 against live deployment at https://unicitynetwork.github.io/webwallet/. Testing was performed using watch-only mode with address alpha1q87a7gapm2k8vp5ne0v5qrptlw4h6m9nkpc7sxe (2 ALPHA funded).

12 functional/security bugs and 8 UI/UX issues were identified. Issues are grouped by severity below.


Environment

Field Value
Wallet Version v0.5.0
URL https://unicitynetwork.github.io/webwallet/
Test Date 2026-03-11
Test Method Source review + live browser interaction
Test Address alpha1q87a7gapm2k8vp5ne0v5qrptlw4h6m9nkpc7sxe

High Severity

BUG-008 — No BIP39 Mnemonic / Seed Phrase on Wallet Creation

Type: UX / Missing Feature

The wallet generates keys using the Web Crypto API (CSPRNG) but does not produce a BIP39 mnemonic phrase. The only backup method is exporting a .txt file. This is a critical UX gap — every standard crypto wallet displays a 12 or 24-word seed phrase with a confirmation step on creation. Without this, users have no human-readable recovery path if their device fails.

Expected: BIP39 mnemonic displayed on wallet creation with a confirmation step before the wallet is accessible.

Actual: No mnemonic shown. File export is the only backup.

Recommendation: Implement bip39 mnemonic generation and display on creation. Add a confirmation screen requiring the user to verify 3 random words before proceeding.


BUG-002 — wallet.dat Import Requires Pre-Decryption (Security Risk)

Type: Functional / Security

The wallet only imports unencrypted .dat files. The documentation instructs users to decrypt their wallet on disk via:

alpha-cli walletpassphrase "yourpassword" 600

This exposes the private key on disk during the copy window. Any process or background sync tool with filesystem access during this window can capture the decrypted key material.

Recommendation: Implement in-browser decryption of encrypted .dat files, accepting the wallet passphrase in the UI and decrypting in memory. If that is out of scope, add a prominent security warning with steps to minimize the exposure window.


BUG-003 — Address Restoration Disclaimer Undermines Feature Trust

Type: Trust / Accuracy

The help text for wallet import explicitly states:

"We cannot guarantee correct address restoration. Always compare with alpha-qt or alpha-cli."

Shipping a feature with a built-in disclaimer that it may silently produce wrong addresses is a significant trust issue. A user who imports their wallet, sees what appears to be their address, and sends funds to it could lose funds permanently if the address is incorrect.

Recommendation: Either fix the address derivation until it can be guaranteed deterministic and correct, or gate the feature behind a mandatory CLI comparison step with clear visual warnings before funds can be sent.


Medium Severity

BUG-004 — Debug Reporter Sends Data to Dynamic DNS Endpoint

Type: Privacy / Security

The debug bug reporter submits telemetry to:

https://unicity-debug-report.dyndns.org:3487

This raises three concerns:

  1. Dynamic DNS is not a stable, verifiable endpoint — the domain can resolve to any IP at any time.
  2. The domain is not a verifiable official Unicity Labs subdomain.
  3. Port 3487 on a dyndns host is non-standard for production telemetry.

While the documentation notes private keys are excluded from the payload, the instability of the endpoint itself is a risk.

Recommendation: Migrate to a stable, verifiable official domain such as debug.unicity.network. Ensure the endpoint is HTTPS with a valid certificate from a recognised CA.


BUG-005 — Encrypted File Strength Unclear; Brute-Force Risk Undocumented

Type: Security

The wallet saves encrypted files using AES + PBKDF2 (100,000 iterations). The UI includes a "Verify Password" re-entry step, but this is a UX gate only — it does not add cryptographic protection. The security of the saved file depends entirely on password strength, which is not communicated to the user.

There is no password strength indicator, no minimum length enforcement, and no documentation that the file is fully offline-bruteforceable.

Recommendation: Add a password strength indicator on the save flow. Document in the UI that the file can be brute-forced offline and advise users to use a strong, unique passphrase.


BUG-006 — "Loading transactions..." Stuck Indefinitely When Offline

Type: UI / Reliability

The Transaction History section shows a "Loading transactions..." placeholder that persists indefinitely if the Fulcrum WebSocket connection cannot be established. There is no timeout, no retry count display, and no user-facing error state.

Steps to reproduce:

  1. Open wallet in a network-restricted environment or while the Fulcrum server is down.
  2. Load or create any wallet.
  3. Observe Transaction History section.

Expected: After ~10 seconds, replace loading state with "Unable to load transactions — check your connection." with a manual retry button.

Actual: Placeholder shown indefinitely with no error or timeout.


BUG-007 — "Cold Wallet Tools" Shows "Connecting..." with No Failure State

Type: UI / Reliability

The Cold Wallet Tools tab displays "Connecting..." as its initial state. If the connection fails (server down, offline, firewall), users are left with no indication of failure, no retry option, and no explanation of what "Connecting..." refers to.

Recommendation: Add a connection timeout with a clear error message and a "Retry" button.


BUG-001 — Outdated URL in GitHub README

Type: Documentation

The README links to:

https://unicitynetwork.github.io/guiwallet/

The correct live URL is:

https://unicitynetwork.github.io/webwallet/

The /guiwallet/ URL points to an older deployment that may diverge from the current /webwallet/ release. New users arriving via the README may be running a stale version without knowing it.

Fix: One-line change — update the README link to /webwallet/.


Low Severity

BUG-009 — No Countdown Before Private Key Auto-Hide (30s)

Type: UX

Private keys are auto-hidden after 30 seconds. There is no visible countdown or warning before this happens. Users who are slow to copy their key (e.g., writing it down) will see it vanish without explanation.

Recommendation: Show a countdown timer in the last 10 seconds, e.g. "Key hidden in 8s".


BUG-010 — Watch-Only Mode Inaccessible While Wallet Is Loaded

Type: UX

The Watch-Only address field only appears when no wallet is loaded. To access it, users must click Reset first — which is non-obvious and risky (users may think Reset deletes their wallet).

Recommendation: Add a dedicated Watch-Only button in the navigation bar, or add inline help text explaining that Reset is required and does not delete the saved wallet file.


BUG-011 — 30 TX/Block Broadcast Limit Has No UI Indicator

Type: Functional

The transaction broadcast queue is hard-limited to 30 transactions per block. This limit is documented but there is no UI indicator showing the current queue depth or warning when approaching the limit. Power users or automated flows could silently stall.

Recommendation: Show a queue counter in the Broadcast Queue section, e.g. "3 / 30 queued this block".


BUG-012 — UTXO Export File Leaks Balance Information

Type: Privacy

The UTXO export file used in the Cold Wallet flow contains UTXO data including amounts. If this file is intercepted, shared accidentally, or left in a temp folder, an attacker learns the exact ALPHA balance of the cold wallet.

Recommendation: Add a warning in the UI and documentation that UTXO export files should be treated with the same sensitivity as private key backups.


UI / UX Issues

ID Severity Issue Recommendation
UI-001 Low No loading spinner on initial Fulcrum connection Add spinner with status text
UI-002 Medium No mobile-responsive design Accelerate responsive CSS (listed as roadmap — should be prioritised)
UI-003 Low Cold Wallet Tools has no onboarding tooltip or wizard Add a brief explainer or step-by-step guide on first open
UI-004 Low No dark mode Add prefers-color-scheme: dark CSS support
UI-005 Low No keyboard shortcuts for common actions Add Ctrl+S to save, Ctrl+R to reset, etc.
UI-006 Low No clipboard confirmation toast after copying address Show "Address copied" toast for 2 seconds
UI-007 Medium No session timeout or re-lock after inactivity Add optional auto-lock after N minutes of inactivity
UI-008 Low No changelog link next to version number Link v0.5.0 to a CHANGELOG.md or GitHub releases page

Security Summary

Item Status Notes
Private key storage Safe LocalStorage / IndexedDB only — never sent to server
Key generation Safe Web Crypto API (CSPRNG)
File encryption Strong AES + PBKDF2 (100k iterations)
Debug telemetry endpoint Review needed Dynamic DNS — migrate to official domain
HTTPS Enforced GitHub Pages
Clickjacking / CSP Unknown No CSP headers observed — recommend adding
Browser extension risk Documented No mitigation — consider warning banner

Audit Scores

Category Score
Functionality 7 / 10
UI / UX 5 / 10
Security 7 / 10
Documentation 8 / 10
Mobile UX 2 / 10
Overall 6 / 10

Confirmed Working Features

All features below were verified as present and functional from source review:

  • Create New Wallet (secp256k1 + BIP44)
  • Load Wallet from .txt / .dat file
  • Save Wallet to Encrypted File (AES + PBKDF2 x100k)
  • Watch-Only Mode
  • BIP32/BIP34 HD Wallet with multi-address scan (up to 100 addresses)
  • Send funds (online mode)
  • Offline Signing + Export, then Broadcast later
  • Cold Wallet Tools (UTXO export/import)
  • Transaction Broadcast Queue with retry (up to 3x)
  • QR Code for address
  • Max Amount button
  • Debug Modal + Remote Bug Reporting
  • Transaction History (paginated, 20 per page)
  • Fee estimation
  • Password verification (re-entry confirmation)

Priority Fix List

In recommended order of impact:

  1. BUG-008 — Add BIP39 mnemonic to wallet creation (critical UX gap)
  2. BUG-003 — Fix address restoration accuracy or gate the feature with a hard warning
  3. BUG-002 — Support encrypted .dat import with in-browser decryption
  4. BUG-004 — Migrate debug endpoint to a verified official domain
  5. BUG-006 / BUG-007 — Add connection failure feedback with timeout and retry
  6. UI-002 — Accelerate mobile-responsive CSS
  7. BUG-001 — Fix outdated README URL (one-line change)

Reported by: Ibrahim Rabiu — Agentic AI & Web3 Developer
Contact: alhibb01@gmail.com | x.com/I_Bakondare | github.com/alhibb

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
Todo

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions