Symbiont{s} | Steem DAO | Wallet Development Update #2
Thriving Through a Symbiotic Equilibrium
Steem DAO | Wallet Development Update #2
Greetings!
This is our second update related to the wallet upgrade proposal. The first update can be found here.
The Steem blockchain, while sharing foundational principles with other distributed ledger technologies such as immutability and decentralization, introduces a distinct layer of functionality through its social media-oriented architecture. Social interactions were not an afterthought but a core design principle, resulting in a blockchain purpose-built for scalable content creation, community curation, and user engagement.
This emphasis on accessibility and usability differentiates Steem from most other blockchain platforms. Whereas traditional blockchains typically attract users with a strong technical background and prior knowledge of the crypto ecosystem, Steem, particularly through platforms like steemit.com, has been designed to accommodate a broader audience. This includes users who may have little to no prior exposure to blockchain technology. Consequently, the learning curve is minimized, which lowers the barrier to entry. However, this same accessibility also shifts the responsibility toward the community and protocol maintainers, who must take an active role in educating users about blockchain practices, expectations, and responsibilities.
The inclusive and large scale nature of the Steem ecosystem inevitably introduces challenges alongside its benefits. The ease of onboarding and the social component make it a fertile ground for potential abuse. Malicious actors are drawn to environments with high user activity and open participation, and Steem is no exception. Scammers, in particular, have demonstrated a consistent ability to adapt and exploit unprotected vectors within the ecosystem.
Despite these risks, the Steem community has evolved significantly since the blockchain's inception. Through increased awareness, improved tooling, and coordinated moderation, the platform has become more resilient to large-scale scam operations. Nonetheless, threat actors continue to demonstrate innovation and persistence, often outpacing reactive countermeasures. This ongoing reality highlights the necessity of continuous investment in proactive security frameworks, education initiatives, and community vigilance to maintain the integrity of the ecosystem.
Furthermore, this second wallet update will address several security concerns that are inherent to the current environment. In parallel, it will focus on resolving known issues and implementing essential features to enhance overall functionality, improve system reliability, and strengthen user safety.
List of changes
🟩 Green: Pre-existing implementations
🔵 Blue: Newly added implementations
🟥 Red: Planned or pending implementations
🟪 Purple: Community-suggested-added implementations
Early warning system for account recovery change operations
Last year, we were contacted by a community manager who had received feedback from numerous users who had lost access to their accounts. These users were unable to initiate the account recovery process because the recovery account had been silently changed more than thirty days prior, rendering the default recovery window ineffective. The critical issue lies in the fact that users had no awareness of this change, as there is currently no notification mechanism in place. Unless users actively monitor their account history through a blockchain explorer on a daily basis, such unauthorized changes can go completely unnoticed until it is too late.
This strategy demonstrates that the attackers have a strong understanding of the technical architecture of the Steem blockchain and are adapting their methods accordingly. Since compromised users can recover their accounts minutes and interrupt any pending power downs, the attackers have adopted a more effective approach. By first changing the recovery account without the user’s knowledge, they create a delay-based attack vector. Once the mandatory thirty-day period passes, the original user can no longer initiate a recovery, allowing the attacker to take full control of the account without interruption.
To mitigate this issue, users should now receive a warning whenever a change to their recovery account is detected. This notification will clearly display the number of days remaining before the new recovery account becomes effective. It will also identify the new designated recovery account, allowing users to take timely action if the change was unauthorized.
Given the critical nature of a recovery account change, we decided not to allow users to permanently dismiss the associated warning. This is to prevent scenarios where users might unintentionally overlook or ignore the alert due to unforeseen circumstances. When users click the Dismiss button, the warning will be temporarily hidden for five days before it automatically reappears. Additionally, if an attacker attempts to initiate another recovery account change during that period, the warning will be shown again immediately, regardless of the previous dismissal status. Ultimately, if users believe their account has been compromised, they should immediately update their keys or initiate the account recovery process if the keys were changed. This early warning system serves as an additional layer of security, designed to help users detect potential threats and take timely action to protect their accounts.
However, this measure alone is not sufficient. Users must also update their recovery account to ensure long term protection. Clicking on the Take Action button will redirect them to a simple form where they can perform this update. It is important to treat any unauthorized recovery account change as a strong indicator that the owner key has been compromised. In such cases, all keys should be rotated immediately to prevent further unauthorized access.
Platforms operating on the Steem blockchain are advised to implement a similar warning system. Establishing this as a common standard would significantly increase the deterrence factor for scammers. It would make large-scale attacks far more difficult to execute and would force malicious actors to resort to less harmful methods that pose a lower risk to users.
Although users can currently change their recovery account only when a change warning is triggered, a more comprehensive method will be introduced as part of the broader roadmap. This future update will allow users to update their recovery account at any time, providing greater flexibility and control over account security.
Safer transfers
Based on valuable feedback from the community, we have introduced several changes to the transfer form to minimize the risk of users unintentionally losing their assets. The updated implementation includes three layers of validation designed to detect and prevent common mistakes before a transaction is submitted.
The similarity percentage evaluates how closely the recipient account name matches the deposit address of a known exchange account. Although users are generally discouraged from entering recipient names manually, this mechanism provides an additional safeguard by alerting users when the destination account may be incorrect. It serves as a prompt to verify the information and confirm that the intended recipient is accurate before proceeding with the transaction.
Some scammers deliberately create account names that closely resemble those of well known exchange accounts in an attempt to deceive users. If the recipient account appears on the blacklist, a warning will be displayed to inform the user and strongly advise against proceeding with the transfer. This mechanism is designed to prevent asset loss caused by impersonation and phishing attempts.
Even when all other checks pass, users remain at risk of asset loss if they fail to include the required memo when transferring funds to an exchange. While some major exchanges have mechanisms in place to handle such cases, this cannot be assumed for all platforms. Implementing preventive measures and guiding users at the point of transfer helps avoid unnecessary delays and significantly reduces the risk of irreversible asset loss. Prioritizing prevention is always more effective than attempting to recover lost funds after the fact.
SBD conversion
Users can now use the wallet to convert SBD to STEEM directly from the wallet.
Although SBD conversion is primarily intended for advanced users, we have ensured that sufficient information and clear conversion indicators are provided. This allows users to make informed decisions based on transparent and relevant data, even if they are not deeply familiar with the underlying mechanics.
To improve decision-making accuracy, the SBD conversion interface provides an estimated STEEM output along with supporting metrics displayed in USD. Generating a reliable USD reference required resolving the challenge of establishing consistent pricing for both SBD and STEEM using only on-chain data, without reliance on third-party services. The interface was designed to be user-friendly while conveying the necessary sense of caution to promote responsible usage and reinforce user awareness.
Price estimation fix
Historically, the wallet's price estimation mechanism has suffered from inaccuracies due to limitations in the underlying calculation method. Discrepancies between the estimated account value and real market conditions were frequently observed, particularly during periods of price volatility. Although integrating third-party pricing services could improve precision, doing so would introduce external dependencies and increase operational overhead. To avoid these trade-offs, the estimation logic was restructured to operate entirely on available on-chain data, maintaining system independence and minimizing the burden on node operators.
Building on this foundation, the updated valuation method provides a more accurate and reliable estimation of a user's USD-denominated holdings. Rather than assuming that 1 SBD always equals 1 USD, the system now calculates a market-informed SBD price by analyzing recent trade activity through market_history_api.get_recent_trades. Specifically, it derives the midpoint between the highest and lowest recorded exchange rates between SBD and STEEM. This ratio is then adjusted using the STEEM/USD price, which is obtained from the most recent median witness feed via condenser_api.get_feed_history.
As a result, the system can produce a more realistic valuation of both STEEM and SBD balances. This stands in contrast to the legacy method, which fetched the feed price via condenser_api.get_state, applied it directly to STEEM balances, and treated SBD as fixed at $1. Such simplifications often led to misleading valuations, especially when the SBD peg was unstable or market conditions shifted rapidly. By incorporating live market behavior and improving the internal price derivation process, the revised approach significantly enhances accuracy and better reflects the actual value of user assets across the network.
Thank you for your continued support,
The Symbionts Team,
Upvoted! Thank you for supporting witness @jswit.
You are doing a great job in making the Steemit wallet more advance.
That is good that now the estimated account value will be more accurate.
The direct conversion of Steem and SBD through wallet is also useful with the price shown in USD.
Great work for the detection of exchange account to avoid problems in transfers.
Account recovery notification/message is another good addition.
Thanks for the update! Really glad to see the new recovery warning system and safer transfer checks. These changes will definitely help protect users more. Keep up the great work!
It's good to see beneficiaries can be set for comments aa well.
The only problem left is upvoting comments.
🍀♥️
Nice update. On the current site when a conversion is in-progress the projected completion time doesn't seem right, could be a local-time vs. UTC-time issue. Is that something you'd want to look into?