Wallet Integration Guide
This guide will walk you through how to integrate the Blowfish API into your wallet. There are three places that you can currently integrate Blowfish:
- Your transaction approval screen
- Your message signing screen
- Your dApp browser or current domain blocklist
Let's dive into what each of those would look like.
Transaction scanning & simulation
Before a user approves a blockchain transaction, it is paramount to show them how executing this transaction will impact their crypto assets. In addition, it's important to alert them if they are interacting with a known malicious or suspicious dApp or smart contract. This is what the Blowfish transactions endpoints allow you to do (Solana, Ethereum).
In addition to warnings and simulation results, the API response also returns a suggested action. The recommended action might be to show the user a block screen instead of the approval screen. This is reserved for cases where the user is interacting with a known malicious entity. When the "BLOCK" action is returned, it would be ideal to show the user a block screen.
It is recommended to still allow the user to bypass the block screen and proceed with signing. There is a chance we might incorrectly identify a transaction or cases where the user knows best.
Javascript / Typescript
We have put together a React/React Native reference implementation of integrating with the Solana transactions endpoint that you are free to use: https://github.com/blowfishxyz/blowfish-solana-react-example. It encapsulates the calls to the Blowfish API into a memoized function that can be called from a React render function. It re-fetches the Blowfish transaction simulation every 5 seconds in order to keep the results results up-to-date. It doesn't require a lot of modification to use this same reference implementation with the transaction endpoint for any other blockchain that we support.
Other programming languages
In order to use the Blowfish API with other programming languages, please integrate with our HTTP endpoints directly. We would like to support more languages in the future, so please let us know what type of language support you would like by letting our team know directly.
Message scanning
Signing certain messages can lead to users losing funds. Sometimes the message itself is a transaction. Other times, it represents an off-chain DEX order that once submitted on-chain has the authority to transfer a users funds. Because of this, it would be best to evaluate a message before showing a message signing interface to your user. The Blowfish API can help you conduct this evaluation (currently supported on Ethereum only).
The integration is very similar to the Transactions endpoint described above.
Domain scanning & Blocklist
When a user visits a dApp via your wallet's dApp browser or while using your browser extension, you now have the ability to check whether the dApp is dangerous. There are two ways to implement this.
-
The Blowfish domains endpoint allows you to check if a domain is on a trusted blocklist (e.g., Metamasks, Phantoms, Solflare, etc.) or if it's been flagged as malicious by Blowfish's detection engine. If a domain is found to be dangerous, the API will return a high risk score and you can warn the user visiting the site. Check out the domains endpoint documentation for more information.
-
The Blowfish blocklist endpoint allows you to download a snapshot of all blocked domains in order to check each domain that a user visits against a local blocklist, preserving each user's browsing history. This integration takes a little more engineering work, but is fast & private once integrated. Check out the blocklist endpoint documentation for more information.
Optional proxy server
Some wallets wish to proxy API requests to third-party APIs over a proxy server. This is also possible when interacting with Blowfish. The benefits of doing so are two-fold:
- You do not expose your Blowfish API key to clients and only append it to the requests proxied
- You can prevent your user's IP addresses from being sent to Blowfish. We do not store or use the IP addresses attached to API requests but could access this information if you don't use a proxy.
We highly recommend making the proxy a clear pass-through proxy that does not modify the request or response in any way.
Updated 22 days ago