OneKey: a simple crypto wallet with bulletproof security

GoPlus Security
5 min readFeb 7, 2023


Simple means one place for all your crypto needs. Instead of managing various assets on various decentralized platforms, you’ll have a one-stop solution here that could meet all your needs about crypto asset management. OneKey offers a user-friendly way in one powerful app to access the world of DeFi and Web 3.0, from trading, investment,prices tracking, portfolios management,getting access to all Dapps ,fiat on and off ramps and even more. It’s available on your phone, iOS & Android and in your browser.

On security, OneKey provides best-in-class security for crypto assets without compromising accessibility and day-to-day operations.

On the design of hardware,OneKey is made with bulletproof security. OneKey is open sourced and keeps private keys offline. In addition, OneKey uses a Secure Element — the ATECC608A from Microchip, to be exact — to protect your crypto assets. With the help of the exquisitely designed SHA-256 response control, OneKey can effectively prevent replay and eavesdropping attacks.

Once an interaction associated with crypto assets happens, users SHOULD STAY VIGILANT. Just like in the traditional world of finance, there are sometimes bad actors and scammers looking to steal your stuff. In the crypto world, they have other names like phishing scams,hacks and other attacks. Web3 is still in its infancy. Like any new emerging technology, the nascent crypto industry has often been compared to a digital “Wild West ‘’ — a lawless place where there are so many creative hacks, phishing scams and other attacks out there,which likely leads to millions of dollars in losses.

OneKey aims to address security concerns and reduce the risk of financial loss by integrating with the security API service powered by GoPlus.

Token Security API

When searching tokens on the tab of Manage Tokens, OneKey would auto-detect the risk of security for the given token. This service would identify risks and assess its risk levels around the tokens on its basic information, contract security, trading security, and information security. Once the token is detected with a security risk, users will be informed with detailed risks info.

Taking the following case as an example, the given token is associated with two potential risks of security, one is Whitelist, which means some addresses may not trade regularly if there’s a whitelist. And the other one is Modifiable Tax which means if the transaction tax is increased to more than 49%, the tokens will not be able to be traded(honeypot risk).

The powerful token security detection service of OneKey Wallet is supported by the Token security API provided by GoPlus, which would detect the risks of security for the token, checking over 30 safety indicators from contract code, transaction security to info security, including but not limited to: whether the contract is open sourced, whether it is mintable, whether there is any risks of security associated with the owner address, the amount of token holders, LP info, the percentage of buy/sell tax, whether it is honeypot and more.

The powerful token security detection service of OneKey Wallet is supported by the Token security API provided by GoPlus, which is one of the most complete and accurate security services for token data on the market. As of October 21, a total of 1.6m+ tokens have been detected and nearly 3 million times of calls happen per day. The database is currently automatically keeping on adding newly issued tokens in the market and doing security identification and detection for them, covering as fast as possible for as many tokens in the market as possible.

Malicious Address API

In the event of asset transfer, OneKey Wallet would auto-detect the receiving address. The identification of potential risk for security would be based on if the following honeypot activities are ever involved with the given address: phishing scams, blackmail activities, malicious mining activities, money laundering, token mixing and financial crime.

Once the address is identified to be a malicious address, a security warning will be given to the user, informing that the address is a malicious address, and the user SHOULD NOT do the next step.

GoPlus Security Engine has integrated several public blockchains including Ethereum, BNB Chain, Polygon, HECO、Arbitrum、Avalanche and etc. Aggregating data sources from multiple security companies including SlowMist and BlockSec, GoPlus takes a leading spot in the market in terms of public blockchain compatibility(Supported public chains including Ethereum, BNB Chain, Polygon, HECO、Arbitrum、Avalanche, etc.), token standards supported(ERC 20,ERC 721 and ERC 1155 supported), library pattern diversity(data sources from multiple security companies which provided different type of code analysis patterns ), sync-up speed(maintain a library to keep up with the emerging honeypot tokens related addresses in the market) and coverage(the library has accumulated more than 100,000 of black addresses now , and it keeps up adding newly ones).

Approval Security V1 API:

When a user uses dApps in OneKey Wallet, a security check on the approved contract would pop up and once any potential risks are detected, an alert with flag mark would be displayed, informing users that they should NEVER click the confirm button.

This approval contract security detection of OneKey Wallet is supported by GoPlus Security Engine Approval Security V1 API. It has a growing number of whitelists as a full library by collecting the approval contract of legit dApps on the market. Combined with the malicious addresses database and on-chain data analysis, it is aimed at protecting users against would-be crypto thieves.

No risk mark will appear if no potential risk is detected

GoPlus has released version 1 of Approval Security API, which would auto-detect the contract that is requesting approval when a user is doing Approval for a dApp in a dex and browsers. Once any potential risks are detected, an alert with a red flag mark would be displayed, informing that NEVER click the confirm button.

The version 2 of Approval Security API would check the approval activities of a given wallet address in the past and auto-check if there are potential risks of security for the contracts you’ve ever approved, whatever it is ERC20,ERC721 NFT or ERC1155 standard.

Approval Security API V2 checks the risk of security for a contract that requests an approval from the basic info, main security and the contract info around the token. An alert with a red flag mark would appear once any of the potential risks are detected.

Serving as the Web3 security infrastructure, GoPlus supports for all these assets issued on blockchains including Ethereum, BNB Chain, AVALANCHE, Polygon, and Harmony, which means that once any apps on those blockchains integrate the API services provided by GoPlus, they could provide security detection for their users on the tokens security, malicious addresses, NFT security and approval Security.



GoPlus Security

Empowering a #SaferWeb3 with user-driven, open access security solutions. Championing user education for a fortified front against adversaries.