|
| 1 | +# Palchemy |
| 2 | + |
| 3 | +A cryptocurrency payment platform that makes sending and receiving crypto as easy as sending an email. Built with Alchemy Account Kit smart wallets and Turnkey's secure infrastructure. |
| 4 | + |
| 5 | +## ✨ Features |
| 6 | + |
| 7 | +- **Email-like payments**: Send crypto to anyone with just an email address |
| 8 | +- **No wallet required**: Recipients can claim payments without existing crypto wallets |
| 9 | +- **Smart wallet integration**: Email, passkey & social login using Account Kit |
| 10 | +- **Secure escrow system**: Temporary escrow wallets using Turnkey infrastructure |
| 11 | +- **Gasless transactions**: Sponsored transactions for seamless user experience |
| 12 | +- **Blockchain transparency**: All transactions verifiable on Arbitrum Sepolia |
| 13 | +- **Modern UI**: TailwindCSS + shadcn/ui components, React Query, TypeScript |
| 14 | + |
| 15 | +## 🌐 Network |
| 16 | + |
| 17 | +This application runs on **Arbitrum Sepolia** testnet. |
| 18 | + |
| 19 | +## 🚀 Getting Started |
| 20 | + |
| 21 | +### 1. Clone and Install |
| 22 | + |
| 23 | +```bash |
| 24 | +git clone <repository-url> |
| 25 | +cd palchemy-demo |
| 26 | +npm install |
| 27 | +``` |
| 28 | + |
| 29 | +### 2. Environment Configuration |
| 30 | + |
| 31 | +Create a `.env.local` file in the root directory and add the following environment variables: |
| 32 | + |
| 33 | +```bash |
| 34 | +# Alchemy Configuration |
| 35 | +NEXT_PUBLIC_ALCHEMY_API_KEY=your_alchemy_api_key |
| 36 | +NEXT_PUBLIC_ALCHEMY_POLICY_ID=your_alchemy_gas_policy_id |
| 37 | + |
| 38 | +# Turnkey Configuration |
| 39 | +TURNKEY_API_PUBLIC_KEY=your_turnkey_public_key |
| 40 | +TURNKEY_API_PRIVATE_KEY=your_turnkey_private_key |
| 41 | +TURNKEY_ORGANIZATION_ID=your_turnkey_organization_id |
| 42 | +``` |
| 43 | + |
| 44 | +#### Required API Keys |
| 45 | + |
| 46 | +| Variable | Purpose | How to Get | |
| 47 | +| ------------------------------- | ------------------------------------------------ | ----------------------------------------------------------------------------------------- | |
| 48 | +| `NEXT_PUBLIC_ALCHEMY_API_KEY` | Alchemy API key for blockchain interactions | Create an app in [Alchemy Dashboard](https://dashboard.alchemy.com/apps) | |
| 49 | +| `NEXT_PUBLIC_ALCHEMY_POLICY_ID` | Gas sponsorship policy for free transactions | Set up in [Gas Manager](https://dashboard.alchemy.com/services/gas-manager/configuration) | |
| 50 | +| `TURNKEY_API_PUBLIC_KEY` | Turnkey public key for escrow wallet management | Generated in [Turnkey Dashboard](https://app.turnkey.com/) | |
| 51 | +| `TURNKEY_API_PRIVATE_KEY` | Turnkey private key for escrow wallet management | Generated with public key in Turnkey Dashboard | |
| 52 | +| `TURNKEY_ORGANIZATION_ID` | Your Turnkey organization identifier | Found in [Turnkey Dashboard](https://app.turnkey.com/) | |
| 53 | + |
| 54 | +### 3. Alchemy Setup |
| 55 | + |
| 56 | +1. **Create an Alchemy Account**: Sign up at [alchemy.com](https://www.alchemy.com/) |
| 57 | +2. **Create a New App**: |
| 58 | + - Go to [Alchemy Dashboard](https://dashboard.alchemy.com/apps) |
| 59 | + - Click "Create App" |
| 60 | + - Choose "Arbitrum Sepolia" as the network |
| 61 | + - Copy your API key |
| 62 | +3. **Set up Smart Wallets**: |
| 63 | + - Navigate to [Smart Wallets Configuration](https://dashboard.alchemy.com/services/smart-wallets/configuration) |
| 64 | + - Enable email, passkey, and social login methods |
| 65 | +4. **Configure Gas Sponsorship**: |
| 66 | + - Go to [Gas Manager](https://dashboard.alchemy.com/services/gas-manager/configuration) |
| 67 | + - Create a new policy for Arbitrum Sepolia |
| 68 | + - Copy the Policy ID |
| 69 | + |
| 70 | +### 4. Turnkey Setup |
| 71 | + |
| 72 | +1. **Create a Turnkey Account**: Sign up at [turnkey.com](https://www.turnkey.com/) |
| 73 | +2. **Set up Organization**: |
| 74 | + - Complete the organization setup in [Turnkey Dashboard](https://app.turnkey.com/) |
| 75 | + - Note your Organization ID |
| 76 | +3. **Generate API Keys**: |
| 77 | + - In the Turnkey dashboard, create a new API key pair |
| 78 | + - Download both the public and private keys |
| 79 | + - **Important**: Store the private key securely - it cannot be recovered |
| 80 | + |
| 81 | +### 5. Run the Application |
| 82 | + |
| 83 | +```bash |
| 84 | +npm run dev |
| 85 | +``` |
| 86 | + |
| 87 | +Open [http://localhost:3000](http://localhost:3000) to start using Palchemy! |
| 88 | + |
| 89 | +## 🗂 Project Layout |
| 90 | + |
| 91 | +``` |
| 92 | +app/ |
| 93 | +├── api/turnkey/ # Turnkey API routes for escrow management |
| 94 | +├── claim/[token]/ # Claim page for payment recipients |
| 95 | +├── components/ # React components |
| 96 | +├── hooks/ # Custom React hooks |
| 97 | +└── page.tsx # Main payment interface |
| 98 | +
|
| 99 | +components/ui/ # shadcn/ui primitives |
| 100 | +lib/ |
| 101 | +├── alchemy.ts # Alchemy SDK configuration |
| 102 | +├── turnkey.ts # Turnkey escrow management |
| 103 | +├── constants.ts # Contract addresses and ABIs |
| 104 | +└── types/ # TypeScript type definitions |
| 105 | +
|
| 106 | +config.ts # Account Kit + Gas Sponsorship setup |
| 107 | +``` |
| 108 | + |
| 109 | +## 🏗️ How Palchemy Works |
| 110 | + |
| 111 | +### Payment Flow |
| 112 | + |
| 113 | +1. **Sender Login**: User authenticates via email, passkey, or social login using Account Kit |
| 114 | +2. **Payment Creation**: |
| 115 | + - User enters recipient email and amount |
| 116 | + - Palchemy creates a secure escrow wallet using Turnkey |
| 117 | + - Funds are transferred to the escrow wallet |
| 118 | +3. **Claim Link Generation**: A secure claim link is generated with encrypted payment data |
| 119 | +4. **Recipient Experience**: |
| 120 | + - Recipient clicks the claim link |
| 121 | + - They can see payment details and escrow wallet on blockchain |
| 122 | + - After login, funds transfer to their new smart wallet |
| 123 | + - Escrow wallet is securely deleted |
| 124 | + |
| 125 | +### Key Technologies |
| 126 | + |
| 127 | +- **Account Kit**: Provides smart wallets with social login |
| 128 | +- **Turnkey**: Secure key management for temporary escrow wallets |
| 129 | +- **Arbitrum Sepolia**: Layer 2 network for fast, cheap transactions |
| 130 | +- **Gas Sponsorship**: Palchemy covers transaction fees for smooth UX |
| 131 | + |
| 132 | +## 🚀 Usage |
| 133 | + |
| 134 | +1. **Send a Payment**: |
| 135 | + |
| 136 | + - Log in to Palchemy at [http://localhost:3000](http://localhost:3000) |
| 137 | + - Enter recipient email and amount |
| 138 | + - Click "Continue" to create escrow and generate claim link |
| 139 | + - Share the claim link with your recipient |
| 140 | + |
| 141 | +2. **Receive a Payment**: |
| 142 | + - Click the claim link you received |
| 143 | + - View payment details and verify escrow on blockchain |
| 144 | + - Log in to create/access your smart wallet |
| 145 | + - Claim the payment to transfer funds to your wallet |
| 146 | + |
| 147 | +## 🔧 Development |
| 148 | + |
| 149 | +### Available Scripts |
| 150 | + |
| 151 | +```bash |
| 152 | +npm run dev # Start development server |
| 153 | +npm run build # Production build |
| 154 | +npm run start # Run production build |
| 155 | +npm run lint # Lint code |
| 156 | +``` |
| 157 | + |
| 158 | +### Testing |
| 159 | + |
| 160 | +To test the payment flow: |
| 161 | + |
| 162 | +1. Create a payment with a test email |
| 163 | +2. Copy the generated claim link |
| 164 | +3. Open the claim link in an incognito window |
| 165 | +4. Complete the claim process |
| 166 | + |
| 167 | +## 📚 Documentation & Resources |
| 168 | + |
| 169 | +- [Alchemy Account Kit Documentation](https://www.alchemy.com/docs/wallets/react/overview) |
| 170 | +- [Turnkey Documentation](https://docs.turnkey.com/) |
| 171 | +- [Arbitrum Sepolia Explorer](https://sepolia.arbiscan.io/) |
| 172 | + |
| 173 | +## 🔒 Security |
| 174 | + |
| 175 | +### ⚠️ **CRITICAL SECURITY WARNING FOR PRODUCTION USE** |
| 176 | + |
| 177 | +**This demo application is designed for educational purposes and contains intentional security simplifications to demonstrate the payment flow transparently. DO NOT use this pattern in production without implementing proper security measures.** |
| 178 | + |
| 179 | +### 🚨 **Claim Link Security Issues (DEMO ONLY)** |
| 180 | + |
| 181 | +**The current implementation has intentional security vulnerabilities for educational clarity:** |
| 182 | + |
| 183 | +- **Sensitive data exposure**: Claim links contain unencrypted private keys, wallet addresses, and transaction details in the URL |
| 184 | +- **Clear text transmission**: All sensitive information is transmitted in the clear through URLs |
| 185 | +- **No access control**: Anyone with the claim link can view and potentially claim the payment |
| 186 | +- **Browser history exposure**: Sensitive data persists in browser history, server logs, and referrer headers |
| 187 | +- **Network exposure**: URLs with sensitive data can be logged by proxies, CDNs, and network infrastructure |
| 188 | + |
| 189 | +### 🔐 **Production Security Requirements** |
| 190 | + |
| 191 | +For a production cryptocurrency payment system, you **MUST** implement: |
| 192 | + |
| 193 | +#### **Secure Claim Link Architecture:** |
| 194 | + |
| 195 | +- **Server-side session management**: Store sensitive data server-side with secure session tokens |
| 196 | +- **Database encryption**: Encrypt all sensitive data at rest using industry-standard encryption |
| 197 | +- **Access control**: Implement proper authentication and authorization for claim access |
| 198 | +- **HTTPS everywhere**: Ensure all communication is encrypted in transit |
| 199 | +- **Token expiration**: Implement time-limited access tokens with automatic expiration |
| 200 | +- **Rate limiting**: Prevent brute force attacks on claim endpoints |
| 201 | + |
| 202 | +#### **Key Management:** |
| 203 | + |
| 204 | +- **Hardware Security Modules (HSMs)**: Use HSMs for private key generation and storage |
| 205 | +- **Key rotation**: Implement regular key rotation policies |
| 206 | +- **Minimal privilege**: Limit key access to only necessary operations |
| 207 | +- **Audit logging**: Comprehensive logging of all key operations |
| 208 | + |
| 209 | +#### **Additional Security Measures:** |
| 210 | + |
| 211 | +- **Multi-factor authentication**: Require MFA for sensitive operations |
| 212 | +- **IP allowlisting**: Restrict access based on IP addresses where appropriate |
| 213 | +- **Fraud detection**: Implement real-time fraud monitoring and alerts |
| 214 | +- **Compliance**: Ensure compliance with relevant financial regulations (AML/KYC) |
| 215 | +- **Security audits**: Regular security audits and penetration testing |
| 216 | +- **Incident response**: Comprehensive incident response procedures |
| 217 | + |
| 218 | +### 🏗️ **Infrastructure Security** |
| 219 | + |
| 220 | +- All escrow wallets are managed by Turnkey's secure infrastructure |
| 221 | +- Private keys are never exposed to the application frontend |
| 222 | +- All transactions are verifiable on the Arbitrum Sepolia blockchain |
| 223 | +- Escrow wallets are automatically deleted after successful claims |
| 224 | +- **Production requirement**: Implement proper secret management and environment isolation |
| 225 | + |
| 226 | +## 🛂 License |
| 227 | + |
| 228 | +MIT |
0 commit comments