[Bug Report] Web Wallet v0.5.0 — Comprehensive QA Audit (12 Bugs + 8 UX Issues)
Summary
Full QA audit of the Unicity Web Wallet v0.5.0 conducted on 2026-03-11 against live deployment at https://unicitynetwork.github.io/webwallet/. Testing was performed using watch-only mode with address alpha1q87a7gapm2k8vp5ne0v5qrptlw4h6m9nkpc7sxe (2 ALPHA funded).
12 functional/security bugs and 8 UI/UX issues were identified. Issues are grouped by severity below.
Environment
High Severity
BUG-008 — No BIP39 Mnemonic / Seed Phrase on Wallet Creation
Type: UX / Missing Feature
The wallet generates keys using the Web Crypto API (CSPRNG) but does not produce a BIP39 mnemonic phrase. The only backup method is exporting a .txt file. This is a critical UX gap — every standard crypto wallet displays a 12 or 24-word seed phrase with a confirmation step on creation. Without this, users have no human-readable recovery path if their device fails.
Expected: BIP39 mnemonic displayed on wallet creation with a confirmation step before the wallet is accessible.
Actual: No mnemonic shown. File export is the only backup.
Recommendation: Implement bip39 mnemonic generation and display on creation. Add a confirmation screen requiring the user to verify 3 random words before proceeding.
BUG-002 — wallet.dat Import Requires Pre-Decryption (Security Risk)
Type: Functional / Security
The wallet only imports unencrypted .dat files. The documentation instructs users to decrypt their wallet on disk via:
alpha-cli walletpassphrase "yourpassword" 600
This exposes the private key on disk during the copy window. Any process or background sync tool with filesystem access during this window can capture the decrypted key material.
Recommendation: Implement in-browser decryption of encrypted .dat files, accepting the wallet passphrase in the UI and decrypting in memory. If that is out of scope, add a prominent security warning with steps to minimize the exposure window.
BUG-003 — Address Restoration Disclaimer Undermines Feature Trust
Type: Trust / Accuracy
The help text for wallet import explicitly states:
"We cannot guarantee correct address restoration. Always compare with alpha-qt or alpha-cli."
Shipping a feature with a built-in disclaimer that it may silently produce wrong addresses is a significant trust issue. A user who imports their wallet, sees what appears to be their address, and sends funds to it could lose funds permanently if the address is incorrect.
Recommendation: Either fix the address derivation until it can be guaranteed deterministic and correct, or gate the feature behind a mandatory CLI comparison step with clear visual warnings before funds can be sent.
Medium Severity
BUG-004 — Debug Reporter Sends Data to Dynamic DNS Endpoint
Type: Privacy / Security
The debug bug reporter submits telemetry to:
https://unicity-debug-report.dyndns.org:3487
This raises three concerns:
- Dynamic DNS is not a stable, verifiable endpoint — the domain can resolve to any IP at any time.
- The domain is not a verifiable official Unicity Labs subdomain.
- Port
3487 on a dyndns host is non-standard for production telemetry.
While the documentation notes private keys are excluded from the payload, the instability of the endpoint itself is a risk.
Recommendation: Migrate to a stable, verifiable official domain such as debug.unicity.network. Ensure the endpoint is HTTPS with a valid certificate from a recognised CA.
BUG-005 — Encrypted File Strength Unclear; Brute-Force Risk Undocumented
Type: Security
The wallet saves encrypted files using AES + PBKDF2 (100,000 iterations). The UI includes a "Verify Password" re-entry step, but this is a UX gate only — it does not add cryptographic protection. The security of the saved file depends entirely on password strength, which is not communicated to the user.
There is no password strength indicator, no minimum length enforcement, and no documentation that the file is fully offline-bruteforceable.
Recommendation: Add a password strength indicator on the save flow. Document in the UI that the file can be brute-forced offline and advise users to use a strong, unique passphrase.
BUG-006 — "Loading transactions..." Stuck Indefinitely When Offline
Type: UI / Reliability
The Transaction History section shows a "Loading transactions..." placeholder that persists indefinitely if the Fulcrum WebSocket connection cannot be established. There is no timeout, no retry count display, and no user-facing error state.
Steps to reproduce:
- Open wallet in a network-restricted environment or while the Fulcrum server is down.
- Load or create any wallet.
- Observe Transaction History section.
Expected: After ~10 seconds, replace loading state with "Unable to load transactions — check your connection." with a manual retry button.
Actual: Placeholder shown indefinitely with no error or timeout.
BUG-007 — "Cold Wallet Tools" Shows "Connecting..." with No Failure State
Type: UI / Reliability
The Cold Wallet Tools tab displays "Connecting..." as its initial state. If the connection fails (server down, offline, firewall), users are left with no indication of failure, no retry option, and no explanation of what "Connecting..." refers to.
Recommendation: Add a connection timeout with a clear error message and a "Retry" button.
BUG-001 — Outdated URL in GitHub README
Type: Documentation
The README links to:
https://unicitynetwork.github.io/guiwallet/
The correct live URL is:
https://unicitynetwork.github.io/webwallet/
The /guiwallet/ URL points to an older deployment that may diverge from the current /webwallet/ release. New users arriving via the README may be running a stale version without knowing it.
Fix: One-line change — update the README link to /webwallet/.
Low Severity
BUG-009 — No Countdown Before Private Key Auto-Hide (30s)
Type: UX
Private keys are auto-hidden after 30 seconds. There is no visible countdown or warning before this happens. Users who are slow to copy their key (e.g., writing it down) will see it vanish without explanation.
Recommendation: Show a countdown timer in the last 10 seconds, e.g. "Key hidden in 8s".
BUG-010 — Watch-Only Mode Inaccessible While Wallet Is Loaded
Type: UX
The Watch-Only address field only appears when no wallet is loaded. To access it, users must click Reset first — which is non-obvious and risky (users may think Reset deletes their wallet).
Recommendation: Add a dedicated Watch-Only button in the navigation bar, or add inline help text explaining that Reset is required and does not delete the saved wallet file.
BUG-011 — 30 TX/Block Broadcast Limit Has No UI Indicator
Type: Functional
The transaction broadcast queue is hard-limited to 30 transactions per block. This limit is documented but there is no UI indicator showing the current queue depth or warning when approaching the limit. Power users or automated flows could silently stall.
Recommendation: Show a queue counter in the Broadcast Queue section, e.g. "3 / 30 queued this block".
BUG-012 — UTXO Export File Leaks Balance Information
Type: Privacy
The UTXO export file used in the Cold Wallet flow contains UTXO data including amounts. If this file is intercepted, shared accidentally, or left in a temp folder, an attacker learns the exact ALPHA balance of the cold wallet.
Recommendation: Add a warning in the UI and documentation that UTXO export files should be treated with the same sensitivity as private key backups.
UI / UX Issues
| ID |
Severity |
Issue |
Recommendation |
| UI-001 |
Low |
No loading spinner on initial Fulcrum connection |
Add spinner with status text |
| UI-002 |
Medium |
No mobile-responsive design |
Accelerate responsive CSS (listed as roadmap — should be prioritised) |
| UI-003 |
Low |
Cold Wallet Tools has no onboarding tooltip or wizard |
Add a brief explainer or step-by-step guide on first open |
| UI-004 |
Low |
No dark mode |
Add prefers-color-scheme: dark CSS support |
| UI-005 |
Low |
No keyboard shortcuts for common actions |
Add Ctrl+S to save, Ctrl+R to reset, etc. |
| UI-006 |
Low |
No clipboard confirmation toast after copying address |
Show "Address copied" toast for 2 seconds |
| UI-007 |
Medium |
No session timeout or re-lock after inactivity |
Add optional auto-lock after N minutes of inactivity |
| UI-008 |
Low |
No changelog link next to version number |
Link v0.5.0 to a CHANGELOG.md or GitHub releases page |
Security Summary
| Item |
Status |
Notes |
| Private key storage |
Safe |
LocalStorage / IndexedDB only — never sent to server |
| Key generation |
Safe |
Web Crypto API (CSPRNG) |
| File encryption |
Strong |
AES + PBKDF2 (100k iterations) |
| Debug telemetry endpoint |
Review needed |
Dynamic DNS — migrate to official domain |
| HTTPS |
Enforced |
GitHub Pages |
| Clickjacking / CSP |
Unknown |
No CSP headers observed — recommend adding |
| Browser extension risk |
Documented |
No mitigation — consider warning banner |
Audit Scores
| Category |
Score |
| Functionality |
7 / 10 |
| UI / UX |
5 / 10 |
| Security |
7 / 10 |
| Documentation |
8 / 10 |
| Mobile UX |
2 / 10 |
| Overall |
6 / 10 |
Confirmed Working Features
All features below were verified as present and functional from source review:
- Create New Wallet (secp256k1 + BIP44)
- Load Wallet from
.txt / .dat file
- Save Wallet to Encrypted File (AES + PBKDF2 x100k)
- Watch-Only Mode
- BIP32/BIP34 HD Wallet with multi-address scan (up to 100 addresses)
- Send funds (online mode)
- Offline Signing + Export, then Broadcast later
- Cold Wallet Tools (UTXO export/import)
- Transaction Broadcast Queue with retry (up to 3x)
- QR Code for address
- Max Amount button
- Debug Modal + Remote Bug Reporting
- Transaction History (paginated, 20 per page)
- Fee estimation
- Password verification (re-entry confirmation)
Priority Fix List
In recommended order of impact:
- BUG-008 — Add BIP39 mnemonic to wallet creation (critical UX gap)
- BUG-003 — Fix address restoration accuracy or gate the feature with a hard warning
- BUG-002 — Support encrypted
.dat import with in-browser decryption
- BUG-004 — Migrate debug endpoint to a verified official domain
- BUG-006 / BUG-007 — Add connection failure feedback with timeout and retry
- UI-002 — Accelerate mobile-responsive CSS
- BUG-001 — Fix outdated README URL (one-line change)
Reported by: Ibrahim Rabiu — Agentic AI & Web3 Developer
Contact: alhibb01@gmail.com | x.com/I_Bakondare | github.com/alhibb
[Bug Report] Web Wallet v0.5.0 — Comprehensive QA Audit (12 Bugs + 8 UX Issues)
Summary
Full QA audit of the Unicity Web Wallet v0.5.0 conducted on 2026-03-11 against live deployment at https://unicitynetwork.github.io/webwallet/. Testing was performed using watch-only mode with address
alpha1q87a7gapm2k8vp5ne0v5qrptlw4h6m9nkpc7sxe(2 ALPHA funded).12 functional/security bugs and 8 UI/UX issues were identified. Issues are grouped by severity below.
Environment
alpha1q87a7gapm2k8vp5ne0v5qrptlw4h6m9nkpc7sxeHigh Severity
BUG-008 — No BIP39 Mnemonic / Seed Phrase on Wallet Creation
Type: UX / Missing Feature
The wallet generates keys using the Web Crypto API (CSPRNG) but does not produce a BIP39 mnemonic phrase. The only backup method is exporting a
.txtfile. This is a critical UX gap — every standard crypto wallet displays a 12 or 24-word seed phrase with a confirmation step on creation. Without this, users have no human-readable recovery path if their device fails.Expected: BIP39 mnemonic displayed on wallet creation with a confirmation step before the wallet is accessible.
Actual: No mnemonic shown. File export is the only backup.
Recommendation: Implement
bip39mnemonic generation and display on creation. Add a confirmation screen requiring the user to verify 3 random words before proceeding.BUG-002 —
wallet.datImport Requires Pre-Decryption (Security Risk)Type: Functional / Security
The wallet only imports unencrypted
.datfiles. The documentation instructs users to decrypt their wallet on disk via:alpha-cli walletpassphrase "yourpassword" 600This exposes the private key on disk during the copy window. Any process or background sync tool with filesystem access during this window can capture the decrypted key material.
Recommendation: Implement in-browser decryption of encrypted
.datfiles, accepting the wallet passphrase in the UI and decrypting in memory. If that is out of scope, add a prominent security warning with steps to minimize the exposure window.BUG-003 — Address Restoration Disclaimer Undermines Feature Trust
Type: Trust / Accuracy
The help text for wallet import explicitly states:
Shipping a feature with a built-in disclaimer that it may silently produce wrong addresses is a significant trust issue. A user who imports their wallet, sees what appears to be their address, and sends funds to it could lose funds permanently if the address is incorrect.
Recommendation: Either fix the address derivation until it can be guaranteed deterministic and correct, or gate the feature behind a mandatory CLI comparison step with clear visual warnings before funds can be sent.
Medium Severity
BUG-004 — Debug Reporter Sends Data to Dynamic DNS Endpoint
Type: Privacy / Security
The debug bug reporter submits telemetry to:
This raises three concerns:
3487on a dyndns host is non-standard for production telemetry.While the documentation notes private keys are excluded from the payload, the instability of the endpoint itself is a risk.
Recommendation: Migrate to a stable, verifiable official domain such as
debug.unicity.network. Ensure the endpoint is HTTPS with a valid certificate from a recognised CA.BUG-005 — Encrypted File Strength Unclear; Brute-Force Risk Undocumented
Type: Security
The wallet saves encrypted files using AES + PBKDF2 (100,000 iterations). The UI includes a "Verify Password" re-entry step, but this is a UX gate only — it does not add cryptographic protection. The security of the saved file depends entirely on password strength, which is not communicated to the user.
There is no password strength indicator, no minimum length enforcement, and no documentation that the file is fully offline-bruteforceable.
Recommendation: Add a password strength indicator on the save flow. Document in the UI that the file can be brute-forced offline and advise users to use a strong, unique passphrase.
BUG-006 — "Loading transactions..." Stuck Indefinitely When Offline
Type: UI / Reliability
The Transaction History section shows a
"Loading transactions..."placeholder that persists indefinitely if the Fulcrum WebSocket connection cannot be established. There is no timeout, no retry count display, and no user-facing error state.Steps to reproduce:
Expected: After ~10 seconds, replace loading state with
"Unable to load transactions — check your connection."with a manual retry button.Actual: Placeholder shown indefinitely with no error or timeout.
BUG-007 — "Cold Wallet Tools" Shows "Connecting..." with No Failure State
Type: UI / Reliability
The Cold Wallet Tools tab displays
"Connecting..."as its initial state. If the connection fails (server down, offline, firewall), users are left with no indication of failure, no retry option, and no explanation of what"Connecting..."refers to.Recommendation: Add a connection timeout with a clear error message and a "Retry" button.
BUG-001 — Outdated URL in GitHub README
Type: Documentation
The README links to:
The correct live URL is:
The
/guiwallet/URL points to an older deployment that may diverge from the current/webwallet/release. New users arriving via the README may be running a stale version without knowing it.Fix: One-line change — update the README link to
/webwallet/.Low Severity
BUG-009 — No Countdown Before Private Key Auto-Hide (30s)
Type: UX
Private keys are auto-hidden after 30 seconds. There is no visible countdown or warning before this happens. Users who are slow to copy their key (e.g., writing it down) will see it vanish without explanation.
Recommendation: Show a countdown timer in the last 10 seconds, e.g.
"Key hidden in 8s".BUG-010 — Watch-Only Mode Inaccessible While Wallet Is Loaded
Type: UX
The Watch-Only address field only appears when no wallet is loaded. To access it, users must click
Resetfirst — which is non-obvious and risky (users may think Reset deletes their wallet).Recommendation: Add a dedicated
Watch-Onlybutton in the navigation bar, or add inline help text explaining thatResetis required and does not delete the saved wallet file.BUG-011 — 30 TX/Block Broadcast Limit Has No UI Indicator
Type: Functional
The transaction broadcast queue is hard-limited to 30 transactions per block. This limit is documented but there is no UI indicator showing the current queue depth or warning when approaching the limit. Power users or automated flows could silently stall.
Recommendation: Show a queue counter in the Broadcast Queue section, e.g.
"3 / 30 queued this block".BUG-012 — UTXO Export File Leaks Balance Information
Type: Privacy
The UTXO export file used in the Cold Wallet flow contains UTXO data including amounts. If this file is intercepted, shared accidentally, or left in a temp folder, an attacker learns the exact ALPHA balance of the cold wallet.
Recommendation: Add a warning in the UI and documentation that UTXO export files should be treated with the same sensitivity as private key backups.
UI / UX Issues
prefers-color-scheme: darkCSS supportCtrl+Sto save,Ctrl+Rto reset, etc.v0.5.0to aCHANGELOG.mdor GitHub releases pageSecurity Summary
Audit Scores
Confirmed Working Features
All features below were verified as present and functional from source review:
.txt/.datfilePriority Fix List
In recommended order of impact:
.datimport with in-browser decryptionReported by: Ibrahim Rabiu — Agentic AI & Web3 Developer
Contact: alhibb01@gmail.com | x.com/I_Bakondare | github.com/alhibb