How Transaction Signing Works in the Basic Web Version of the Wallet

What Happens When You Enter the Wallet

  • When you access the wallet, besides regular data like images, a list of cryptocurrencies with current exchange rates arrives from the mitilena.com server over a socket. Rates update every 90 seconds for most currencies, and every 2 minutes for less popular ones.
  • At the same moment, your addresses saved in the browser or app are sent to the server. Important: only addresses are sent. The server checks their balances and returns the list with current values.
  • This concludes the main communication part. After that, approximately every 1.5 minutes, we check for balance updates using the same scheme.
  • When you click “send cryptocurrency”, we fetch specific data, such as the nonce (the next transaction number for your address in the specific blockchain network) and the current fee cost (which updates every couple of minutes). Balance verification happens on the client side.

Signing Phase

  • You enter the private key, and it is verified only on your device: we check that it matches your address (that it generates the correct address). A local library is used for this, and it is rarely updated in order to avoid supply chain attacks. If the key is valid, we form the transaction. The transaction structure is always created first, and only then signed.
  • We could use higher-level libraries where you just pass the private key and everything is done automatically (including sending). We don’t do that. We always create an offline transaction, sign it, get the signed transaction hex, delete the private key from memory, and only then send the transaction through the mitilena.com server. This rules out functions like createSignBroadcast() and prevents leaks.
  • The private key stays in device RAM literally for milliseconds or a couple of seconds if entered through the interface. Catching it during this time is extremely difficult unless your device is completely compromised. Though even then it’s hard to imagine a virus that could work so quickly.
  • This description concerns the standard signing scenario through the web version or desktop app, when you manually entered the private key or scanned it from paper via QR code (yes, our system supports this).

How Private Key Storage in Memory Works

  • If you clicked “save private key in memory”, security increases because the key no longer appears in the interface (even for a couple of seconds). Instead it is decrypted and disappears from memory in 0.1 seconds, without being displayed. Basic viruses can no longer extract it; that would take a virus that can scan RAM.
  • Encryption uses your PIN code, which must include special characters, including emojis. We use PBKDF2, where generating one key takes 100-500 thousand iterations, which effectively protects against brute-force attacks. Cracking the encrypted key would require colossal computational resources. You’d need to connect it to a nuclear power plant for it to be somehow worthwhile, which is of course unrealistic.
  • Salt is also applied, so rainbow tables won’t help. Even if an attacker somehow gets the encrypted private key from memory, they can’t decrypt it — unless your password is 12345678.
  • But overall, to reach the encrypted private key from the device, you need a completely compromised system. This isn’t simple.
  • The advantage of storing the key in memory — you enter the password, and the private key is instantly decrypted, verified, used, and deleted from memory. At the moment of sending (broadcasting) the private key is no longer in the app’s memory. It’s there literally for 100 milliseconds.
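
The storage scheme described in this list, as an added example that is not Mitilena's own code: a PIN is stretched with salted PBKDF2, the private key is encrypted under the derived key, and on use the key is decrypted, handed to a callback, and zeroed. Node's built-in crypto module, AES-256-GCM, SHA-256, the 200,000 iteration count and all function names are assumptions; the page specifies only PBKDF2, a salt and the 100-500 thousand range.

```javascript
// Added example, not Mitilena's code. Cipher (AES-256-GCM), PBKDF2 hash (SHA-256)
// and all function names are assumptions; the page names only PBKDF2 and a salt.
const nodeCrypto = require('node:crypto');

const ITERATIONS = 200000; // assumed value inside the page's 100-500 thousand range

// Stretch the PIN into a 256-bit key. NFC normalization makes an emoji PIN
// encode to the same bytes however the input method composed it.
function deriveKey(pin, salt, iterations) {
  const pinBytes = Buffer.from(pin.normalize('NFC'), 'utf8');
  try {
    return nodeCrypto.pbkdf2Sync(pinBytes, salt, iterations, 32, 'sha256');
  } finally {
    pinBytes.fill(0);
  }
}

// Encrypt raw private-key bytes; the fresh random salt is stored beside the ciphertext.
function encryptPrivateKey(privKey, pin) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const kek = deriveKey(pin, salt, ITERATIONS);
  try {
    const cipher = nodeCrypto.createCipheriv('aes-256-gcm', kek, iv);
    const ct = Buffer.concat([cipher.update(privKey), cipher.final()]);
    return { salt, iv, ct, tag: cipher.getAuthTag(), iterations: ITERATIONS };
  } finally {
    kek.fill(0);
  }
}

// Decrypt, hand the key to `use` (e.g. an offline signer), then zero it.
// Buffers can be overwritten; a key held in a JS string cannot be wiped.
function withPrivateKey(blob, pin, use) {
  const kek = deriveKey(pin, blob.salt, blob.iterations);
  let privKey = null;
  try {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', kek, blob.iv);
    d.setAuthTag(blob.tag);
    privKey = d.update(blob.ct);
    d.final(); // throws on a wrong PIN or a modified blob
    return use(privKey);
  } finally {
    kek.fill(0);
    if (privKey) privKey.fill(0);
  }
}
```

Zeroing a Buffer is best effort in JavaScript: the runtime may hold copies the code cannot reach, and the PIN itself arrives as an immutable string.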

Final Sending Stage

  • Signed transaction hex → Mitilena server broadcasts to the required network → receives confirmation → sends hex back to client → it’s displayed in your interface.
  • If everything went successfully, the mitilena.com server saves a record that the transaction was sent (anonymously: even if you’re registered, it is stored without IP and other identifiers, and this can be disabled through sockets if desired). This data is used to display history and protect against fake entries, for example, from third-party blockchain explorers.

That’s how sending technically works.

Sending from an NFC card works similarly: the private key enters device memory for only 0.1 second and immediately disappears.

