narwal -- not a real wallet.
narwal is a "lite" wallet server for Sia, using the walrus wallet API. You can
use it with any walrus-compatible program, such as walrus-cli. narwal watches
the blockchain for you, tracking transactions and outputs relevant to your
wallet, but it never sees your seed or private keys. It's a great choice for
users who want to store their siacoins more securely, but aren't ready to make
the leap to running a full node just yet. For more info, see this blog post.
Getting started is easy. Here, I just generated a fresh instance for you:
narwal.lukechampine.com/wallet/03b008e9ea834c05
You can use this URL as your personal walrus server. For example, when
using walrus-cli, pass that URL to the -a flag. Then you can start
generating addresses (using a seed, or a perhaps a Ledger) and narwal
will track them for you.
Keep your URL private! Anyone who knows your URL can make changes to your
wallet, so you should treat your URL like a password.
Donations
All narwal servers have a public donation address, visible at /donations.
Some programs will automatically donate some of your siacoins to this
address. For example, when you send a transaction with walrus-cli, it
will donate 1% of the transaction value.
Security
narwal never sees your private keys, but it sees just about everything else:
your addresses (including unlock conditions), your unspent outputs, your
transactions (including any memos you've attached), your file contracts, and any
blocks you've mined. It will also see your IP address. Taken together, these
pieces of metadata may be sufficient to "deanonymize" you. You should not use
narwal if your threat model requires anonymity.
You are also trusting narwal to accurately report your wallet metadata. A
malicious narwal server can lie about your balance, which addresses and outputs
you control, which transactions are relevant to your wallet, and basically any
other piece of metadata. A few of these claims can be verified on-the-spot (e.g.
checking a transaction signature), but most cannot be repudiated without
another source of "blockchain truth," i.e. a trusted full node.