Skip to content
@Bunkr-2FA

Bunkr

Bunkr aims to bring self-custodial 2FA to the Solana blockchain

Logo

🔓 Bunkr | Fully On-Chain 2FA [v1 is deprecated -> link to v2 ]

Bunkr enables asset protection on Solana by utilizing the widely known TOTP (Time-based OneTime Password) 2FA standard that can be found here.

It is compatible with all major Authentication Apps and is frequently used in web2 as a means to secure account access

❌ Problem

Wallet security is still lacking inside web2 and on Solana.

Yes, Ledgers and Multi-Sigs exist, but these options are sub-optimal. One is expensive and the other is hard to understand if you're a new user coming from web2.

🏁 Goal / Solution

Provide users on Solana with an option to protect their assets with 2FA that's similar to how they're used to in Web2. Addionally the whole thing should be free, permissionless, trustless, open-source and generally deliver a common good to the Solana ecosystem.

🤝 Why Solana?

Quite simple. UX and feasibility. In order to enable web2 style TOTP 2FA, transactions need to:

  • be virtually free to the user
  • take less than 30s to finality (validity period of an OTP)

Solana nails both of these. Period.

🔒 Security

Bunkr as a whole relies on the following security mechanisms to enable asset protection

  • User Private Key (Baseline)
  • User chosen password (Hashchain)
  • TOTPs (Merkle Tree)

✔️ How does the OTP mechanism work?

Fundamentally the on-chain OTP Verification is facilitated by a combination of merkle inclusion proofs and Solana's ability to expose a clock/timestamp function at runtime.

Essentially OTPs for any given secret are generated for 6 months upfront, hashed individually, then extended with their timestamp and then hashed again to then represent the leaves of a merkle tree. The root of that merkle tree is then stored on-chain.

In order to prove the validity of any given OTP the client then just needs to submit the current hashed OTP together with it's corresponding proof path. The on-chain program then extends that hashed OTP with the current on-chain timestamp and simply checks whether that extended hash + the proof path lead to the stored root.

🌳 Storage of the Merkle Tree

Surely you're now wondering:

"Well, how am I meant to use standard auth apps if I have to store this merkle tree to submit proof paths??"

And you're totally right. The storage of the tree is a non-trivial task. Not only does the tree need to be readily accessible to the user, but it also needs to not be public and openly crackable.

Solution: The leaves of the tree are stored encrypted on ShadowDrive. The encryption key is derived from a message the user signs when logging into their Bunkr. That way:

  • The user doesn't need to store an extra password
  • An attacker needs to have access to the users private key to even start an attempt at cracking the OTP codes.

🔒 A rough, but full explanation of the security spec can be found here

In the meantime, if you'd like to take a look at any of the transactions, the early version of the Bunkr program is deployed on mainnet at:

BunKrGBXdGxyTLjvE44eQXDuKY7TyHZfPu9bj2Ugk5j2

Popular repositories Loading

  1. bunkr-program bunkr-program Public

    On-Chain 2FA for Assets on Solana

    TypeScript 20 5

  2. SIMD-48-Testing SIMD-48-Testing Public

    A repo designed to fuzz and test the secp256r1 implementation on Solana

    HTML 3

  3. .github .github Public

  4. solana solana Public

    Forked from solana-labs/solana

    Web-Scale Blockchain for fast, secure, scalable, decentralized apps and marketplaces.

    Rust

  5. secp256r1-verify-instruction secp256r1-verify-instruction Public

    A TypeScript SDK to generate instruction for the Secp256r1 Precompile Program

    TypeScript

Repositories

Showing 5 of 5 repositories
  • solana Public Forked from solana-labs/solana

    Web-Scale Blockchain for fast, secure, scalable, decentralized apps and marketplaces.

    Bunkr-2FA/solana’s past year of commit activity
    Rust 0 Apache-2.0 4,615 0 0 Updated Jan 11, 2024
  • SIMD-48-Testing Public

    A repo designed to fuzz and test the secp256r1 implementation on Solana

    Bunkr-2FA/SIMD-48-Testing’s past year of commit activity
    HTML 3 0 0 0 Updated Jan 4, 2024
  • .github Public
    Bunkr-2FA/.github’s past year of commit activity
    0 0 0 0 Updated Dec 8, 2023
  • secp256r1-verify-instruction Public

    A TypeScript SDK to generate instruction for the Secp256r1 Precompile Program

    Bunkr-2FA/secp256r1-verify-instruction’s past year of commit activity
    TypeScript 0 0 0 0 Updated Oct 25, 2023
  • bunkr-program Public

    On-Chain 2FA for Assets on Solana

    Bunkr-2FA/bunkr-program’s past year of commit activity
    TypeScript 20 MIT 5 0 0 Updated Aug 5, 2023

Top languages

Loading…

Most used topics

Loading…