Add Wallet2QR Connect (@norionsoft/w2qr-snap) #1505

Open
alexvirtech wants to merge 3 commits into MetaMask:main from alexvirtech:add-w2qr-snap
alexvirtech commented Jun 27, 2026

Summary

What it does

Wallet2QR Connect turns a honey-encrypted QR seed backup into an external signer for MetaMask — like a Ledger or Trezor, but the QR code replaces the USB device.

  • Honey encryption: every password produces a valid BIP-39 mnemonic, making brute-force attacks useless
  • Argon2id KDF (64 MB memory, 3 iterations) via WebAssembly
  • Time-limited signing sessions with automatic expiry
  • Supports legacy and EIP-1559 transactions, personal_sign, signTypedData_v4
  • Mnemonic never imported into MetaMask — stays in memory only during the session

Permissions used

  • snap_manageState — persist imported accounts
  • snap_manageAccounts — register/remove accounts with MetaMask keyring
  • snap_dialog — alert user when signing session is locked
  • endowment:rpc — handle dapp RPC calls
  • endowment:keyring — act as external keyring signer

Checklist

  • Source code is open source
  • Published on npm with public access
  • Snap builds and installs successfully
  • Security audit (pending — will update)

Note

Medium Risk
Listing an account/keyring snap that handles signing sessions increases user exposure to third-party wallet software; the change is metadata-only but the snap category is security-sensitive and the PR notes a pending security audit.

Overview
Registers Wallet2QR Connect (npm:@norionsoft/w2qr-snap) in src/registry.json as an account management snap at version 1.0.0, with listing metadata (author, site, summary/description, support, source, privacy/terms) and three screenshot paths under ./images/@norionsoft/w2qr-snap/.

The entry describes an external keyring-style signer that unlocks a honey-encrypted QR backup for time-limited signing without importing the mnemonic into MetaMask; no other registry files or snap implementation code are changed in this diff.

Reviewed by Cursor Bugbot for commit 6c5f8f1. Bugbot is set up for automated code reviews on this repo. Configure here.

Honey-encrypted QR backup as a virtual hardware wallet for MetaMask.
Uses Argon2id KDF and time-limited signing sessions.

- Category: account management
- Website: https://w2qr.com
- Source: https://github.com/alexvirtech/w2qr-mm

alexvirtech requested review from a team and Montoya as code owners June 27, 2026 14:56

Three screenshots showing the connect page, account registration
in MetaMask, and wallet with balance.
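
The "every password produces a valid BIP-39 mnemonic" property from the PR summary, as an added sketch that is not the snap's code: raw entropy is masked with a password-derived pad and the BIP-39 checksum is recomputed after unmasking, so a wrong password still yields a well-formed mnemonic. Assumptions: the XOR-pad construction, the stdlib scrypt call standing in for Argon2id, and all function names are illustrative.

```python
import hashlib
import os

def _pad(password: str, salt: bytes, n: int) -> bytes:
    # Assumption: stdlib scrypt stands in for the Argon2id KDF named in the PR.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**12, r=8, p=1, dklen=n)

def seal(entropy: bytes, password: str) -> bytes:
    """Mask raw BIP-39 entropy with a password-derived pad; store no MAC or checksum."""
    salt = os.urandom(16)
    pad = _pad(password, salt, len(entropy))
    return salt + bytes(a ^ b for a, b in zip(entropy, pad))

def unseal(blob: bytes, password: str) -> bytes:
    """Any password 'succeeds': the output is candidate entropy of the original length."""
    salt, masked = blob[:16], blob[16:]
    pad = _pad(password, salt, len(masked))
    return bytes(a ^ b for a, b in zip(masked, pad))

def word_indices(entropy: bytes) -> list[int]:
    """BIP-39: append ENT/32 checksum bits of SHA-256(entropy), cut into 11-bit indices."""
    cs_bits = len(entropy) * 8 // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    count = (len(entropy) * 8 + cs_bits) // 11
    return [(value >> (11 * (count - 1 - i))) & 0x7FF for i in range(count)]

def checksum_ok(indices: list[int]) -> bool:
    """The offline validity test that could be applied to a decrypted word sequence."""
    cs_bits = len(indices) * 11 // 33
    value = 0
    for index in indices:
        value = (value << 11) | index
    entropy = (value >> cs_bits).to_bytes((len(indices) * 11 - cs_bits) // 8, "big")
    return word_indices(entropy) == indices

SAMPLE_ENTROPY = bytes(range(16))  # constructed sample, not a real wallet seed

def try_guesses(blob: bytes, guesses: list[str]) -> dict[str, bool]:
    """Map each guessed password to whether its output passes the BIP-39 checksum."""
    return {g: checksum_ok(word_indices(unseal(blob, g))) for g in guesses}

if __name__ == "__main__":
    sealed = seal(SAMPLE_ENTROPY, "correct horse")
    print(try_guesses(sealed, ["correct horse", "123456", "letmein"]))
```

The sketch covers only the absence of an offline validity signal in the stored blob; a review of the snap would still need to confirm that nothing else in the QR payload or persisted state (a stored address, a MAC, a checksum) distinguishes the correct password.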