Add security audits to wallet data.

This also involved sprucing up the way entities are handled so that security
auditors could be represented as well. So revamped the Entity data structure
to make it usable by things other than the data-collection-related features,
and added icons.

Author: polymutex

.vscode/settings.json

@@ -6,6 +6,7 @@
     "autoswitch",
     "brandable",
     "Buterin",
+    "bypassable",
     "Chainalysis",
     "checkmark",
     "codesandbox",
@@ -41,11 +42,13 @@
     "Protip",
     "rabby",
     "Renderable",
+    "slowmist",
     "subfeature",
     "Timelocks",
     "Uncorrelatable",
     "UNPROXIED",
     "Venmo",
+    "Veridise",
     "Viem",
     "Vitalik",
     "walletbeat",

public/images/entities/binance.svg

@@ -13,6 +13,7 @@ import { ExternalLink } from '../../../atoms/ExternalLink';
 import { ReferenceLinks } from '../../../atoms/ReferenceLinks';
 import { subsectionWeight } from '@/beta/components/constants';
 import { WrapRatingIcon } from '../../../atoms/WrapRatingIcon';
+import { isUrl } from '@/beta/schema/url';
 
 export function AddressCorrelationDetails({
   wallet,
@@ -69,7 +70,7 @@ export function AddressCorrelationDetails({
       return;
     }
     let entityName: React.ReactNode | null = null;
-    if (entity.legalName === null) {
+    if (entity.legalName === 'NOT_A_LEGAL_ENTITY') {
       entityName = <strong>{entity.name}</strong>;
     } else if (entity.legalName.soundsDifferent) {
       entityName = (
@@ -80,14 +81,14 @@ export function AddressCorrelationDetails({
     } else {
       entityName = <strong>{entity.legalName.name}</strong>;
     }
-    if (entity.url !== null) {
+    if (isUrl(entity.url)) {
       entityName = <ExternalLink url={entity.url}>{entityName}</ExternalLink>;
     }
     leaksList.push(
       <li key={sourceName}>
         <Typography>
           {entityName}{' '}
-          {entity.privacyPolicy !== null ? (
+          {isUrl(entity.privacyPolicy) ? (
             <>
               {' ('}
               <ExternalLink url={entity.privacyPolicy} defaultLabel="Privacy policy" />

public/images/entities/cure53.png

@@ -1,8 +1,22 @@
-import type { Entity } from '@/beta/schema/features/privacy/data-collection';
+import type { CorporateEntity, Exchange } from '@/beta/schema/entity';
 
-export const binance: Entity = {
+export const binance: CorporateEntity & Exchange = {
+  id: 'binance',
   name: 'Binance',
   legalName: { name: 'Binance Holdings Ltd', soundsDifferent: false },
+  type: {
+    chainDataProvider: false,
+    corporate: true,
+    dataBroker: false,
+    exchange: true,
+    offchainDataProvider: false,
+    securityAuditor: false,
+    transactionBroadcastProvider: false,
+    walletDeveloper: false,
+  },
+  icon: {
+    extension: 'svg',
+  },
   jurisdiction: 'Malta',
   url: 'https://binance.com/',
   privacyPolicy: 'https://www.binance.com/en/about-legal/privacy-portal',

public/images/entities/daimo.svg

@@ -0,0 +1,26 @@
+import type { CorporateEntity, SecurityAuditor } from '@/beta/schema/entity';
+
+export const cure53: CorporateEntity & SecurityAuditor = {
+  id: 'cure53',
+  name: 'Cure53',
+  legalName: { name: 'Cure53', soundsDifferent: false },
+  type: {
+    chainDataProvider: false,
+    corporate: true,
+    dataBroker: false,
+    exchange: false,
+    offchainDataProvider: false,
+    securityAuditor: true,
+    transactionBroadcastProvider: false,
+    walletDeveloper: false,
+  },
+  icon: {
+    extension: 'png',
+    width: 137,
+    height: 136,
+  },
+  jurisdiction: 'Berlin, Germany',
+  url: 'https://cure53.de/',
+  privacyPolicy: 'https://cure53.de/datenschutz.php',
+  crunchbase: 'https://www.crunchbase.com/organization/cure53',
+};

public/images/entities/debank.svg

@@ -1,8 +1,22 @@
-import type { Entity } from '@/beta/schema/features/privacy/data-collection';
+import type { CorporateEntity, WalletDeveloper } from '@/beta/schema/entity';
 
-export const daimoInc: Entity = {
+export const daimoInc: CorporateEntity & WalletDeveloper = {
+  id: 'daimo',
   name: 'Daimo',
   legalName: { name: 'Daimo, Inc', soundsDifferent: false },
+  type: {
+    chainDataProvider: false,
+    corporate: true,
+    dataBroker: false,
+    exchange: false,
+    offchainDataProvider: false,
+    securityAuditor: false,
+    transactionBroadcastProvider: false,
+    walletDeveloper: true,
+  },
+  icon: {
+    extension: 'svg',
+  },
   jurisdiction: 'United States',
   url: 'https://daimo.com/',
   privacyPolicy: 'https://daimo.com/privacy',

public/images/entities/honeycomb.svg

@@ -1,8 +1,30 @@
-import type { Entity } from '@/beta/schema/features/privacy/data-collection';
+import type {
+  ChainDataProvider,
+  CorporateEntity,
+  TransactionBroadcastProvider,
+  WalletDeveloper,
+} from '@/beta/schema/entity';
 
-export const deBank: Entity = {
+export const deBank: ChainDataProvider &
+  CorporateEntity &
+  TransactionBroadcastProvider &
+  WalletDeveloper = {
+  id: 'debank',
   name: 'DeBank',
   legalName: { name: 'DeBank Global PTE Ltd', soundsDifferent: false },
+  type: {
+    chainDataProvider: true,
+    corporate: true,
+    dataBroker: false,
+    exchange: false,
+    offchainDataProvider: false,
+    securityAuditor: false,
+    transactionBroadcastProvider: true,
+    walletDeveloper: true,
+  },
+  icon: {
+    extension: 'svg',
+  },
   jurisdiction: 'Singapore',
   url: 'https://debank.com/',
   privacyPolicy: 'https://rabby.io/docs/privacy/',

public/images/entities/least-authority.png

@@ -1,19 +1,50 @@
-import type { Entity } from '@/beta/schema/features/privacy/data-collection';
+import type {
+  ChainDataProvider,
+  CorporateEntity,
+  Exchange,
+  TransactionBroadcastProvider,
+} from '@/beta/schema/entity';
 
-export const exampleNodeCompany: Entity = {
+export const exampleNodeCompany: CorporateEntity &
+  ChainDataProvider &
+  TransactionBroadcastProvider = {
+  id: 'exampleNodeCompany',
   name: 'Example RPC Company',
   legalName: { name: 'Example RPC Corp', soundsDifferent: false },
+  type: {
+    chainDataProvider: true,
+    corporate: true,
+    dataBroker: false,
+    exchange: false,
+    offchainDataProvider: false,
+    securityAuditor: false,
+    transactionBroadcastProvider: true,
+    walletDeveloper: false,
+  },
+  icon: 'NO_ICON',
   jurisdiction: 'Atlantis',
   url: 'https://example.com/',
   privacyPolicy: 'https://example.com/privacy',
-  crunchbase: null,
+  crunchbase: { type: 'NO_CRUNCHBASE_URL' },
 };
 
-export const exampleCex: Entity = {
+export const exampleCex: CorporateEntity & Exchange = {
+  id: 'exampleCex',
   name: 'Example Centralized Exchange',
   legalName: { name: 'Example Centralized Exchange Corp', soundsDifferent: false },
+  type: {
+    chainDataProvider: false,
+    corporate: true,
+    dataBroker: false,
+    exchange: true,
+    offchainDataProvider: false,
+    securityAuditor: false,
+    transactionBroadcastProvider: false,
+    walletDeveloper: false,
+  },
+  icon: 'NO_ICON',
   jurisdiction: 'Atlantis',
   url: 'https://example.com/',
   privacyPolicy: 'https://example.com/privacy',
-  crunchbase: null,
+  crunchbase: { type: 'NO_CRUNCHBASE_URL' },
 };

public/images/entities/pimlico.png

@@ -1,8 +1,22 @@
-import type { Entity } from '@/beta/schema/features/privacy/data-collection';
+import type { CorporateEntity, DataBroker } from '@/beta/schema/entity';
 
-export const honeycomb: Entity = {
+export const honeycomb: CorporateEntity & DataBroker = {
+  id: 'honeycomb',
   name: 'Honeycomb',
   legalName: { name: 'Hound Technology, Inc', soundsDifferent: true },
+  type: {
+    chainDataProvider: false,
+    corporate: true,
+    dataBroker: true,
+    exchange: false,
+    offchainDataProvider: false,
+    securityAuditor: false,
+    transactionBroadcastProvider: false,
+    walletDeveloper: false,
+  },
+  icon: {
+    extension: 'svg',
+  },
   jurisdiction: 'San Francisco, California, United States',
   url: 'https://www.honeycomb.io/',
   privacyPolicy: 'https://www.honeycomb.io/privacy',

public/images/entities/slowmist.png

@@ -0,0 +1,26 @@
+import type { CorporateEntity, SecurityAuditor } from '@/beta/schema/entity';
+
+export const leastAuthority: CorporateEntity & SecurityAuditor = {
+  id: 'least-authority',
+  name: 'Least Authority',
+  legalName: { name: 'Least Authority', soundsDifferent: false },
+  type: {
+    chainDataProvider: false,
+    corporate: true,
+    dataBroker: false,
+    exchange: false,
+    offchainDataProvider: false,
+    securityAuditor: true,
+    transactionBroadcastProvider: false,
+    walletDeveloper: false,
+  },
+  icon: {
+    extension: 'png',
+    width: 1246,
+    height: 1043,
+  },
+  jurisdiction: 'Berlin, Germany',
+  url: 'https://leastauthority.com/',
+  privacyPolicy: 'https://leastauthority.com/privacy-policy/',
+  crunchbase: 'https://www.crunchbase.com/organization/least-authority-enterprises',
+};

public/images/entities/veridise.svg

@@ -1,10 +1,22 @@
-import type { Entity } from '@/beta/schema/features/privacy/data-collection';
+import type { CorporateEntity } from '@/beta/schema/entity';
 
-export const merkleManufactory: Entity = {
+export const merkleManufactory: CorporateEntity = {
+  id: 'merkle-manufactory',
   name: 'Merkle Manufactory',
   legalName: { name: 'Merkle Manufactory Inc', soundsDifferent: false },
+  type: {
+    chainDataProvider: false,
+    corporate: true,
+    dataBroker: false,
+    exchange: false,
+    offchainDataProvider: false,
+    securityAuditor: false,
+    transactionBroadcastProvider: false,
+    walletDeveloper: false,
+  },
+  icon: 'NO_ICON',
   jurisdiction: 'Los Angeles, California, United States',
   url: 'https://merklemanufactory.com/',
-  privacyPolicy: null,
+  privacyPolicy: { type: 'NO_PRIVACY_POLICY' },
   crunchbase: 'https://www.crunchbase.com/organization/merkle-manufactory',
 };

src/beta/components/ui/molecules/attributes/privacy/AddressCorrelationDetails.tsx

@@ -1,9 +1,21 @@
-import type { Entity } from '@/beta/schema/features/privacy/data-collection';
+import type { CorporateEntity, OffchainDataProvider } from '@/beta/schema/entity';
 
-export const openExchangeRates: Entity = {
+export const openExchangeRates: CorporateEntity & OffchainDataProvider = {
+  id: 'open-exchange-rates',
   name: 'Open Exchange Rates',
   legalName: { name: 'Open Exchange Rates Ltd', soundsDifferent: false },
-  jurisdiction: null, // Unclear
+  type: {
+    chainDataProvider: false,
+    corporate: true,
+    dataBroker: false,
+    exchange: false,
+    offchainDataProvider: true,
+    securityAuditor: false,
+    transactionBroadcastProvider: false,
+    walletDeveloper: false,
+  },
+  icon: 'NO_ICON',
+  jurisdiction: { type: 'UNKNOWN' }, // Unclear
   url: 'https://openexchangerates.org/',
   privacyPolicy: 'https://openexchangerates.org/privacy',
   crunchbase: 'https://www.crunchbase.com/organization/open-exchange-rates',

src/beta/data/entities/binance.ts

@@ -1,8 +1,24 @@
-import type { Entity } from '@/beta/schema/features/privacy/data-collection';
+import type { CorporateEntity, TransactionBroadcastProvider } from '@/beta/schema/entity';
 
-export const pimlico: Entity = {
+export const pimlico: CorporateEntity & TransactionBroadcastProvider = {
+  id: 'pimlico',
   name: 'Pimlico',
   legalName: { name: 'Austerlitz Labs Ltd', soundsDifferent: true },
+  type: {
+    chainDataProvider: false,
+    corporate: true,
+    dataBroker: false,
+    exchange: false,
+    offchainDataProvider: false,
+    securityAuditor: false,
+    transactionBroadcastProvider: true,
+    walletDeveloper: false,
+  },
+  icon: {
+    extension: 'png',
+    width: 200,
+    height: 200,
+  },
   jurisdiction: 'London, England, United Kingdom',
   url: 'https://www.pimlico.io/',
   privacyPolicy: 'https://www.pimlico.io/privacy',

src/beta/data/entities/cure53.ts

@@ -0,0 +1,26 @@
+import type { CorporateEntity, SecurityAuditor } from '@/beta/schema/entity';
+
+export const slowMist: CorporateEntity & SecurityAuditor = {
+  id: 'slowmist',
+  name: 'SlowMist',
+  legalName: { name: 'SlowMist Ltd', soundsDifferent: false },
+  type: {
+    chainDataProvider: false,
+    corporate: true,
+    dataBroker: false,
+    exchange: false,
+    offchainDataProvider: false,
+    securityAuditor: true,
+    transactionBroadcastProvider: false,
+    walletDeveloper: false,
+  },
+  icon: {
+    extension: 'png',
+    width: 375,
+    height: 375,
+  },
+  jurisdiction: 'China',
+  url: 'https://www.slowmist.com/',
+  privacyPolicy: { type: 'NO_PRIVACY_POLICY' },
+  crunchbase: 'https://www.crunchbase.com/organization/slowmist',
+};

src/beta/data/entities/daimo.ts

@@ -0,0 +1,24 @@
+import type { CorporateEntity, SecurityAuditor } from '@/beta/schema/entity';
+
+export const veridise: CorporateEntity & SecurityAuditor = {
+  id: 'veridise',
+  name: 'Veridise',
+  legalName: { name: 'Veridise Inc', soundsDifferent: false },
+  type: {
+    chainDataProvider: false,
+    corporate: true,
+    dataBroker: false,
+    exchange: false,
+    offchainDataProvider: false,
+    securityAuditor: true,
+    transactionBroadcastProvider: false,
+    walletDeveloper: false,
+  },
+  icon: {
+    extension: 'svg',
+  },
+  jurisdiction: 'Austin, Texas, United States',
+  url: 'https://veridise.com/',
+  privacyPolicy: 'https://veridise.com/privacy-policy/',
+  crunchbase: 'https://www.crunchbase.com/organization/veridise',
+};

src/beta/data/entities/debank.ts

@@ -11,6 +11,7 @@ import { pimlico } from '../entities/pimlico';
 import { honeycomb } from '../entities/honeycomb';
 import { WalletProfile } from '@/beta/schema/features/profile';
 import { RpcEndpointConfiguration } from '@/beta/schema/features/chain-configurability';
+import { veridise } from '../entities/veridise';
 
 export const daimo: Wallet = {
   metadata: {
@@ -60,6 +61,23 @@ export const daimo: Wallet = {
       browser: 'NOT_A_BROWSER_WALLET',
     },
     security: {
+      // Note: Daimo has had their p256 verifier contract audited:
+      // https://github.com/daimo-eth/p256-verifier/blob/master/audits/2023-10-veridise.pdf
+      // However while the wallet relies on it, it is not the wallet software itself,
+      // so it is not a full-stack audit of the wallet software.
+      publicSecurityAudits: [
+        {
+          auditor: veridise,
+          auditDate: '2023-10-06',
+          ref: 'https://github.com/daimo-eth/daimo/blob/master/audits/2023-10-veridise-daimo.pdf',
+          variantsScope: { mobile: true },
+          codeSnapshot: {
+            date: '2023-09-12',
+            commit: 'f0dc56d68852c1488461e88a506ff7b0f027f245',
+          },
+          unpatchedFlaws: 'ALL_FIXED',
+        },
+      ],
       lightClient: {
         ethereumL1: false,
       },

src/beta/data/entities/example.ts

@@ -6,6 +6,10 @@ import type { Wallet } from '@/beta/schema/wallet';
 import { License } from '@/beta/schema/features/license';
 import { WalletProfile } from '@/beta/schema/features/profile';
 import { RpcEndpointConfiguration } from '@/beta/schema/features/chain-configurability';
+import { leastAuthority } from '../entities/least-authority';
+import { slowMist } from '../entities/slowmist';
+import { SecurityFlawSeverity } from '@/beta/schema/features/security/security-audits';
+import { cure53 } from '../entities/cure53';
 
 export const rabby: Wallet = {
   metadata: {
@@ -60,6 +64,162 @@ export const rabby: Wallet = {
       },
     },
     security: {
+      publicSecurityAudits: [
+        {
+          auditor: slowMist,
+          auditDate: '2021-06-18',
+          ref: 'https://github.com/RabbyHub/Rabby/blob/master/docs/Rabby%20chrome%20extension%20Penetration%20Testing%20Report.pdf',
+          variantsScope: { browser: true },
+          codeSnapshot: {
+            date: '2021-06-23',
+          },
+          unpatchedFlaws: 'ALL_FIXED',
+        },
+        {
+          auditor: slowMist,
+          auditDate: '2022-03-18',
+          ref: 'https://github.com/RabbyHub/Rabby/blob/master/docs/SlowMist%20Audit%20Report%20-%20Rabby%20browser%20extension%20wallet-2022.03.18.pdf',
+          variantsScope: { browser: true },
+          codeSnapshot: {
+            date: '2022-01-26',
+            commit: 'f6d19bd70664a7214677918e298619d583f9c3f1',
+            tag: 'v0.21.1',
+          },
+          unpatchedFlaws: 'ALL_FIXED',
+        },
+        {
+          auditor: slowMist,
+          auditDate: '2023-07-20',
+          ref: 'https://github.com/RabbyHub/Rabby/blob/master/docs/SlowMist%20Audit%20Report%20-%20Rabby%20Wallet-2023.07.20.pdf',
+          variantsScope: { browser: true },
+          codeSnapshot: {
+            date: '2023-06-19',
+            commit: 'f6221693b877b3c4eb1c7ac61146137eb1908997',
+            tag: 'v0.91.0',
+          },
+          unpatchedFlaws: 'ALL_FIXED',
+        },
+        {
+          auditor: slowMist,
+          auditDate: '2023-09-26',
+          ref: 'https://github.com/RabbyHub/RabbyDesktop/blob/publish/prod/docs/SlowMist%20Audit%20Report%20-%20Rabby%20Wallet%20Desktop.pdf',
+          variantsScope: { desktop: true },
+          codeSnapshot: {
+            date: '2023-09-01',
+            commit: '586447a46bcd0abab6356076e369357050c97796',
+            tag: 'v0.33.0-prod',
+          },
+          unpatchedFlaws: 'ALL_FIXED',
+        },
+        {
+          auditor: leastAuthority,
+          auditDate: '2024-10-18',
+          ref: 'https://github.com/RabbyHub/rabby-mobile/blob/develop/docs/Least%20Authority%20-%20Debank%20Rabby%20Walle%20Audit%20Report.pdf',
+          variantsScope: { mobile: true },
+          codeSnapshot: {
+            date: '2024-09-08',
+            commit: 'a8dea5d8c530cb1acf9104a7854089256c36d85a',
+          },
+          unpatchedFlaws: [
+            {
+              name: 'Issue B: Insecure Key Derivation Function',
+              severityAtAuditPublication: SecurityFlawSeverity.NOT_CATEGORIZED,
+              presentStatus: 'NOT_FIXED',
+            },
+            {
+              name: 'Issue C: Weak Encryption Method Used',
+              severityAtAuditPublication: SecurityFlawSeverity.NOT_CATEGORIZED,
+              presentStatus: 'NOT_FIXED',
+            },
+            {
+              name: 'Issue D: Weak PBKDF2 Parameters Used',
+              severityAtAuditPublication: SecurityFlawSeverity.NOT_CATEGORIZED,
+              presentStatus: 'NOT_FIXED',
+            },
+          ],
+        },
+        {
+          auditor: cure53,
+          auditDate: '2024-10-22',
+          ref: 'https://github.com/RabbyHub/rabby-mobile/blob/develop/docs/Cure53%20-%20Debank%20Rabby%20Wallet%20Audit%20Report.pdf',
+          variantsScope: { mobile: true },
+          codeSnapshot: {
+            date: '2024-09-08',
+            commit: 'a8dea5d8c530cb1acf9104a7854089256c36d85a',
+          },
+          unpatchedFlaws: [
+            {
+              name: 'RBY-01-001 WP1-WP2: Mnemonic recoverable via process dump',
+              severityAtAuditPublication: SecurityFlawSeverity.HIGH,
+              presentStatus: 'NOT_FIXED',
+            },
+            {
+              name: 'RBY-01-002 WP1-WP2: Password recoverable via process dump',
+              severityAtAuditPublication: SecurityFlawSeverity.HIGH,
+              presentStatus: 'NOT_FIXED',
+            },
+            {
+              name: 'RBY-01-012 WP1-WP2: RabbitCode secret recoverable from installer files',
+              severityAtAuditPublication: SecurityFlawSeverity.HIGH,
+              presentStatus: 'NOT_FIXED',
+            },
+            {
+              name: 'RBY-01-014 WP1-WP2: Backup password prompt bypassable',
+              severityAtAuditPublication: SecurityFlawSeverity.MEDIUM,
+              presentStatus: 'NOT_FIXED',
+            },
+            {
+              name: 'RBY-01-003 WP1-WP2: Lack of rate limiting for password unlock',
+              severityAtAuditPublication: SecurityFlawSeverity.MEDIUM,
+              presentStatus: 'NOT_FIXED',
+            },
+          ],
+        },
+        {
+          auditor: slowMist,
+          auditDate: '2024-10-23',
+          variantsScope: { mobile: true },
+          ref: 'https://github.com/RabbyHub/rabby-mobile/blob/develop/docs/SlowMist%20Audit%20Report%20-%20Rabby%20mobile%20wallet%20iOS.pdf',
+          codeSnapshot: {
+            date: '2024-06-17',
+            commit: 'a424dbe54bba464da7585769140f6b7136c9108b',
+          },
+          unpatchedFlaws: 'ALL_FIXED',
+        },
+        {
+          auditor: leastAuthority,
+          auditDate: '2024-12-12',
+          ref: 'https://github.com/RabbyHub/Rabby/blob/develop/docs/Least%20Authority%20-%20DeBank%20Rabby%20Wallet%20Extension%20Final%20Audit%20Report-20241212.pdf',
+          variantsScope: { browser: true },
+          codeSnapshot: {
+            date: '2024-10-14',
+            commit: 'eb5da18727b38a3fd693af8b74f6f151f2fd361c',
+          },
+          unpatchedFlaws: [
+            {
+              name: 'Issue B: Setting the Cache Before It Has Been Initialized Will Cause an Exception',
+              severityAtAuditPublication: SecurityFlawSeverity.NOT_CATEGORIZED,
+              presentStatus: 'NOT_FIXED',
+            },
+            {
+              name: 'Issue C: persistStore Module Can Become Out of Sync With Browser Local Storage',
+              severityAtAuditPublication: SecurityFlawSeverity.NOT_CATEGORIZED,
+              presentStatus: 'NOT_FIXED',
+            },
+          ],
+        },
+        {
+          auditor: slowMist,
+          auditDate: '2024-12-17',
+          variantsScope: { browser: true },
+          ref: 'https://github.com/RabbyHub/Rabby/blob/develop/docs/Rabby%20Browser%20Extension%20Wallet%20-%20SlowMist%20Audit%20Report-20241217.pdf',
+          codeSnapshot: {
+            date: '2024-11-28',
+            commit: '4e900e5944a671e99a135eea417bdfdb93072d99',
+          },
+          unpatchedFlaws: 'ALL_FIXED',
+        },
+      ],
       lightClient: {
         ethereumL1: {
           helios: false,

src/beta/data/entities/honeycomb.ts

@@ -11,7 +11,6 @@ import {
 import { pickWorstRating, unrated } from '../common';
 import {
   compareLeakedInfo,
-  type Entity,
   inferLeaks,
   Leak,
   type LeakedInfo,
@@ -35,6 +34,7 @@ import type { WalletMetadata } from '@/beta/schema/wallet';
 import { AddressCorrelationDetails } from '@/beta/components/ui/molecules/attributes/privacy/AddressCorrelationDetails';
 import { isNonEmptyArray, type NonEmptyArray, nonEmptyFirst } from '@/beta/types/utils/non-empty';
 import { type FullyQualifiedReference, refs } from '../../reference';
+import type { Entity } from '../../entity';
 
 const brand = 'attributes.privacy.address_correlation';
 export type AddressCorrelationValue = Value & {

src/beta/data/entities/least-authority.ts

@@ -0,0 +1,85 @@
+import type { Url } from './url';
+
+export enum EntityType {
+  chainDataProvider = 'chainDataProvider',
+  corporate = 'corporate',
+  dataBroker = 'dataBroker',
+  exchange = 'exchange',
+  offchainDataProvider = 'offchainDataProvider',
+  transactionBroadcastProvider = 'transactionBroadcastProvider',
+  walletDeveloper = 'walletDeveloper',
+  securityAuditor = 'securityAuditor',
+}
+
+/**
+ * An entity, typically corporate.
+ *
+ * `Ts` is a set of entity types that the entity must have.
+ */
+export interface Entity<Ts extends EntityType[] = []> {
+  /** The ID of the entity. */
+  id: string;
+
+  /** The name of the entity. */
+  name: string;
+
+  /**
+   * Legal name of the entity, if any.
+   *
+   * `soundsDifferent` indicates whether the legal name sounds significantly
+   * different from `name`, such that most people may not be able to tell that
+   * these names refer to the same entity.
+   */
+  legalName: { name: string; soundsDifferent: boolean } | 'NOT_A_LEGAL_ENTITY';
+
+  /* Type(s) of the entity. */
+  type: {
+    [K in EntityType]: K extends Ts[number] ? true : boolean;
+  };
+
+  /**
+   * The entity's icon, if any.
+   * If specified, there must exist an icon file at
+   * `/public/images/entities/${id}.${icon.extension}`.
+   */
+  icon:
+    | 'NO_ICON'
+    | {
+        extension: 'png';
+        width: number;
+        height: number;
+      }
+    | { extension: 'svg' };
+
+  /**
+   * Website of the entity.
+   */
+  url: Url | { type: 'NO_WEBSITE' };
+
+  /**
+   * The jurisdiction in which the entity is located.
+   *
+   * 'GLOBAL' should be used when an entity exists in such a manner that
+   * no single jurisdiction has singular control over it.
+   */
+  jurisdiction: string | { type: 'GLOBAL' | 'UNKNOWN' };
+
+  /**
+   * The privacy policy URL of the entity.
+   */
+  privacyPolicy: Url | { type: 'NO_PRIVACY_POLICY' };
+
+  /** The Crunchbase URL of the entity, if any. */
+  crunchbase: Url | { type: 'NO_CRUNCHBASE_URL' };
+}
+
+type EntityWithType<T extends EntityType> = Entity & Entity<[T]>;
+
+export type ChainDataProvider = EntityWithType<EntityType.chainDataProvider>;
+export type CorporateEntity = EntityWithType<EntityType.corporate>;
+export type DataBroker = EntityWithType<EntityType.dataBroker>;
+export type Exchange = EntityWithType<EntityType.exchange>;
+export type OffchainDataProvider = EntityWithType<EntityType.offchainDataProvider>;
+export type TransactionBroadcastProvider = EntityWithType<EntityType.transactionBroadcastProvider>;
+export type SecurityAuditor = EntityWithType<EntityType.securityAuditor>;
+export type WalletDeveloper = EntityWithType<EntityType.walletDeveloper>;

src/beta/data/entities/merkle-manufactory.ts

@@ -13,6 +13,7 @@ import type { ChainConfigurability } from './features/chain-configurability';
 import type { WalletProfile } from './features/profile';
 import type { WalletIntegration } from './features/integration';
 import type { AddressResolution } from './features/address-resolution';
+import type { SecurityAudit } from './features/security/security-audits';
 
 /**
  * A set of features about a wallet, each of which may or may not depend on
@@ -31,6 +32,13 @@ export interface WalletFeatures {
 
   /** Security features. */
   security: {
+    /**
+     * Public security audits the wallet has gone through.
+     * If never audited, this should be an empty array, as 'null' represents
+     * the fact that we haven't checked whether there have been any audit.
+     */
+    publicSecurityAudits: null | SecurityAudit[];
+
     /** Light clients. */
     lightClient: {
       /** Light client used for Ethereum L1. False means no light client support. */
@@ -81,6 +89,7 @@ export interface ResolvedFeatures {
   profile: WalletProfile;
 
   security: {
+    publicSecurityAudits: null | SecurityAudit[];
     lightClient: {
       ethereumL1: ResolvedFeature<WithRef<EthereumL1LightClientSupport> | false>;
     };
@@ -105,6 +114,13 @@ export function resolveFeatures(features: WalletFeatures, variant: Variant): Res
     variant,
     profile: features.profile,
     security: {
+      publicSecurityAudits:
+        features.security.publicSecurityAudits === null
+          ? null
+          : features.security.publicSecurityAudits.filter(
+              audit =>
+                audit.variantsScope === 'ALL_VARIANTS' || audit.variantsScope[variant] === true
+            ),
       lightClient: {
         ethereumL1: feat(features.security.lightClient.ethereumL1),
       },

src/beta/data/entities/open-exchange-rates.ts

@@ -1,7 +1,7 @@
 import type { WithRef } from '@/beta/schema/reference';
-import type { Url } from '@/beta/schema/url';
 import type { Dict } from '@/beta/types/utils/dict';
 import type { WalletMetadata } from '../../wallet';
+import type { Entity } from '../../entity';
 
 /**
  * An enum representing when data collection or leak occurs.
@@ -152,29 +152,6 @@ export function leaksByDefault(leak: Leak): boolean {
   return leak >= Leak.BY_DEFAULT;
 }
 
-/**
- * An entity to which some data may be sent.
- */
-export interface Entity {
-  /** The name of the entity to which data may be sent. */
-  name: string;
-  /**
-   * Legal name of the entity, if any.
-   * `soundsDifferent` indicates whether the legal name sounds significantly
-   * different from `name`, such that most people may not be able to tell that
-   * these names refer to the same entity.
-   */
-  legalName: { name: string; soundsDifferent: boolean } | null;
-  /** Website of the entity to which data may be sent. */
-  url: Url | null;
-  /** The jurisdiction in which the entity is located. */
-  jurisdiction: string | null;
-  /** The privacy policy URL of the entity. */
-  privacyPolicy: Url | null;
-  /** The Crunchbase URL of the entity, if any. */
-  crunchbase: Url | null;
-}
-
 /** Personal information types. */
 export enum LeakedPersonalInfo {
   /** The user's IP address. */

src/beta/data/entities/pimlico.ts

@@ -0,0 +1,87 @@
+import type { NonEmptyArray } from '@/beta/types/utils/non-empty';
+import type { AtLeastOneTrueVariant } from '../../variants';
+import type { MustRef } from '../../reference';
+import type { CalendarDate } from '@/beta/types/date';
+import type { SecurityAuditor } from '../../entity';
+
+/** The severity of a security flaw, as assigned by the security auditor. */
+export enum SecurityFlawSeverity {
+  CRITICAL = 'CRITICAL',
+  HIGH = 'HIGH',
+  MEDIUM = 'MEDIUM',
+
+  // Lower-than-medium security flaws are not tracked.
+
+  /** The security auditing entity did not assign a severity rating. */
+  NOT_CATEGORIZED = 'NOT_CATEGORIZED',
+}
+
+/** A security flaw which was not addressed at audit publication time. */
+export type UnpatchedSecurityFlaw = {
+  /** The name/description of the security flaw. */
+  name: string;
+
+  /** The severity level of the security flaw. */
+  severityAtAuditPublication: SecurityFlawSeverity;
+} & (
+  | {
+      /** The status of this flaw in the present day. */
+      presentStatus: 'NOT_FIXED';
+    }
+  | MustRef<{
+      /**
+       * The status of this flaw in the present day.
+       * If a flaw was fixed after audit publication, it must come with a
+       * reference, such as a link to a code commit or to a statement or
+       * newer audit from the same auditor.
+       */
+      presentStatus: 'FIXED';
+
+      /** The date at which the flaw was fixed. */
+      fixedDate: CalendarDate;
+    }>
+);
+
+/**
+ * A single security audit.
+ * A URL to the audit report must be added as `ref`.
+ */
+export type SecurityAudit = MustRef<{
+  /** The entity that performed the security audit. */
+  auditor: SecurityAuditor;
+
+  /** The date the audit report was done or published. */
+  auditDate: CalendarDate;
+
+  /**
+   * The snapshot of the code being audited, if provided in the report.
+   */
+  codeSnapshot?: {
+    /** When the snapshot of code was taken. */
+    date: CalendarDate;
+
+    /** The commit hash of the code snapshot, if known. */
+    commit?: string;
+
+    /** The release tag of the code snapshot, if known. */
+    tag?: string;
+  };
+
+  /**
+   * Which variants of the wallet were audited.
+   */
+  variantsScope: AtLeastOneTrueVariant | 'ALL_VARIANTS';
+
+  /**
+   * The set of security flaws that were found but not addressed by the time
+   * the audit was published.
+   *
+   * Only medium-severity or higher flaws are tracked.
+   *
+   * 'NONE_FOUND' means there were either no flaws found at all.
+   * 'ALL_FIXED' means that all flaws that were found by the auditor were
+   * either fixed by time the audit was published, or were of a lower
+   * severity than MEDIUM.
+   */
+  unpatchedFlaws: 'NONE_FOUND' | 'ALL_FIXED' | NonEmptyArray<UnpatchedSecurityFlaw>;
+}>;

src/beta/data/entities/slowmist.ts

@@ -26,6 +26,7 @@ import {
   type LabeledUrl,
   type Url,
 } from './url';
+import type { CalendarDate } from '../types/date';
 
 /**
  * A loose reference which can be converted to a FullyQualifiedReference.
@@ -41,7 +42,7 @@ export interface LooseReference {
   explanation?: string;
 
   /** The date the reference was last retrieved. */
-  lastRetrieved?: string;
+  lastRetrieved?: CalendarDate;
 }
 
 /**
@@ -55,7 +56,7 @@ export interface FullyQualifiedReference {
   explanation?: string;
 
   /** The date the reference was last retrieved. */
-  lastRetrieved?: string;
+  lastRetrieved?: CalendarDate;
 }
 
 type Reference = Url | LooseReference | FullyQualifiedReference;
@@ -69,8 +70,11 @@ export function isFullyQualifiedReference(
 
 type References = Reference | NonEmptyArray<Reference>;
 
-/** An object that can be annotated with References. */
-export type WithRef<T> = T & { ref?: References };
+/** An object that *must* be annotated with References. */
+export type MustRef<T> = T & { ref: References };
+
+/** An object that *may or may not* be annotated with References. */
+export type WithRef<T> = MustRef<T> | (T & { ref?: undefined });
 
 /** Fully qualify a `Reference`. */
 function toFullyQualified(reference: Reference): FullyQualifiedReference[] {

src/beta/data/entities/veridise.ts

@@ -17,6 +17,11 @@ export type ComprehensiveVariants<T> = Record<Variant, T>;
 /** Maps at least one variant to a T. */
 export type AtLeastOneVariant<T> = NonEmptyRecord<Variant, T>;
 
+/** Maps at least one variant to a T. */
+export type AtLeastOneTrueVariant = {
+  [V in Variant]: Record<V, true> & Partial<Record<Exclude<Variant, V>, boolean>>;
+}[Variant];
+
 /**
  * A feature that may or may not depend on the wallet variant.
  * 'null' represents the fact that the feature was not evaluated on a wallet.

src/beta/data/wallets/daimo.ts

@@ -11,6 +11,7 @@ import type { Paragraph, Renderable, WithTypography } from '@/beta/types/text';
 import type { Url } from './url';
 import { Rating, type Attribute, type EvaluatedAttribute, type Value } from './attributes';
 import type { Dict } from '../types/utils/dict';
+import type { CalendarDate } from '../types/date';
 
 /** A contributor to walletbeat. */
 export interface Contributor {
@@ -23,15 +24,15 @@ export interface WalletMetadata {
   /**
    * ID of the wallet.
    * It is expected that a wallet image exists at
-   * `/public/images/wallet/${id}.${iconExtension}`.
+   * `/public/images/wallets/${id}.${iconExtension}`.
    */
   id: string;
 
   /** Human-readable name of the wallet. */
   displayName: string;
 
   /** Extension of the wallet icon image at
-   * `/public/images/wallet/${id}.${iconExtension}`.
+   * `/public/images/wallets/${id}.${iconExtension}`.
    * Wallet icons should be cropped to touch all edges, then minimal margins
    * added to make the image aspect ratio be 1:1 (square).
    */
@@ -60,8 +61,8 @@ export interface WalletMetadata {
   /** Link to the wallet's source code repository, if public. */
   repoUrl: Url | null;
 
-  /** The last time the wallet information was updated. */
-  lastUpdated: string;
+  /** The last date the wallet information was updated. */
+  lastUpdated: CalendarDate;
 
   /** List of people who contributed to the information for this wallet. */
   contributors: NonEmptyArray<Contributor>;

src/beta/data/wallets/rabby.ts

@@ -0,0 +1,31 @@
+type Digit = '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9';
+type ThirtyDays = `0${Exclude<Digit, '0'>}` | `1${Digit}` | `2${Digit}` | '30';
+type ThirtyOneDays = ThirtyDays | '31';
+type FebruaryDays = Exclude<ThirtyDays, '30'>;
+type ThirtyDayMonths = '04' | '06' | '08' | '10' | '12';
+type ThirtyOneDayMonths = '01' | '03' | '05' | '07' | '09' | '11';
+type MonthAndDay =
+  | `${ThirtyDayMonths}-${ThirtyDays}`
+  | `${ThirtyOneDayMonths}-${ThirtyOneDays}`
+  | `02-${FebruaryDays}`;
+type Century = '20' | '21'; // We're good from 2000 to 2199.
+
+/** A valid date in YYYY-MM-DD format. */
+export type CalendarDate = `${Century}${Digit}${Digit}-${MonthAndDay}`;
+
+/** The components of a calendar date in YYYY-MM-DD format. */
+export interface CalendarDateParts {
+  year: number;
+  month: number;
+  day: number;
+}
+
+/** Break a CalendarDate into its components. */
+export function calendarParts(calendarDate: CalendarDate): CalendarDateParts {
+  const [year, month, day] = calendarDate.split('-');
+  return {
+    year: +year,
+    month: +month,
+    day: +day,
+  };
+}