FlexPool has released the first major public release of their FlexFarmer software, releasing version 1.0 for Linux and Windows. I did not cover the exact moment of release because I honestly felt the Alpha and Beta versions were quite good and production ready.
However, one of the main critiques I had about the process when I participated in the Alpha was the farmer private key extraction process. It was a little unwieldly and I recommended a better process. However, what they have gone with makes me very nervous and I don’t think this is it.
FlexPool has enabled a browser based Key Extraction process in the browser. Where you literally type your 24 words into their website and it spits out the secret key based on your mnemonic. Yeah. This ain’t it, FlexPool. Sorry. It almost wouldn’t be as bad if it wasn’t their default option. But it is.
To be clear, they are quite explicit in how they are doing this, all with JavaScript, and that it runs entirely in the browser and not on FlexPool servers with the key never transmitted to them. This is almost certainly true, it is indeed possible and they have no reason to lie about something that will be checked. But that’s not the only concern here, with these things easily grabbed by browser extensions or other software running on the PC. It even puts that key into plaintext and gives you a config file to use with FlexFarmer, which you download and leave on disk probably. This is a direct trade-off of convenience for security.
I’m not sure what the right solution is here. Luckily its not my problem to solve. But I think training users to type their mnemonics into web pages is going to backfire spectacularly at some point. Especially since FlexPool makes their website front-end open source and it would be very easy to grab a copy of this, modify it to capture that password and phish users for their keys.
I like, mostly, what FlexPool is doing with FlexFarmer. I think that it really does reduce the barrier of entry for Chia farming and will ultimately help grow the community. I am certainly more positive about the whole thing than Chia Network. But its as big a risk, security wise, as the Chia client keeping all their keys in easily accessible places on disk. These lightweight farmers should improve security from running a full client, not just trade risks.
