Slowlyy: A slower (safer) crypto wallet

Abstract

Slowlyy is a crypto wallet designed to mitigate the risks of wallet-draining attacks by introducing a mandatory 3–30 day transaction delay. By combining a dual-source date verification system with client-side enforcement and cryptographic validation, Slowlyy provides users a critical time window to detect unauthorized access before any crypto leaves their wallet.

Problem Statement

For newcomers to crypto, using a personal wallet on mobile phones, laptops, and desktop computers—known as self-custody—can be risky. Today’s hackers can gain remote and unauthorized access to devices through malware or other methods, making it possible to steal funds without being noticed. For those holding small amounts of crypto, a hardware wallet feels like too much—and an exchange doesn’t feel right either.

Solution: Slowlyy

A safer self-custody wallet for mobile phones, laptops, and desktop computers. Slowlyy adds a 3–30 day delay to every transaction, giving time to spot problems and stop theft—without giving up control. Just added time for safety and peace of mind.

Security Architecture

Dual Time Verification

To prevent clock tampering or spoofed timestamps, Slowlyy uses a dual-source date confirmation system:

• WorldTimeAPI: Public, independent API providing UTC time. Used to prevent local clock spoofing.
• Custom /date API with HMAC Signature:
  Self-hosted endpoint (e.g., https://api.slowlyy.xyz/date) returns JSON:

  {
    "date": "2025-08-01",
    "signature": "..." // HMAC-SHA256 of date
  }

  Signature validated by app using shared secret. Ensures authenticity and integrity of the date.

Both APIs must agree on the date for any transaction check to pass.

Local Time Ignored

Slowlyy does not trust the device’s internal clock. All date validations happen against the above external sources. This removes the risk of attackers spoofing local time to prematurely release funds.

Tamper-Resistant Logic

• Transactions are stored locally and/or off-chain until 3-30 days pass.
• Unlock logic is hard-coded to reject any date mismatch or invalid signature.
• If both APIs are unreachable, app defaults to blocking the transaction.

Developer Integration Flow

1. On transaction initiation, the app stores the timestamp and unlock_date = timestamp + 30 days.
2. On app open or send attempt:
   • Request UTC date from WorldTimeAPI
   • Request /date from Slowlyy API
   • Compare both dates
   • Verify HMAC signature
3. If both sources match, signature is valid, and current date >= unlock_date, then transaction can be broadcast to the blockchain.

Security Assumptions

• The shared HMAC key is known only to the app and server.
• HTTPS is used to prevent MITM attacks.
• Neither date source can independently spoof the time without detection.
• User has visibility and can cancel transactions within the 3-30-day window.

Benefits

• Available on mobile phones, laptops, and desktop computers for secure access anytime, anywhere
• Drastically reduces risk of fast-draining malware
• No third-party custody: users still own their private keys
• Tamper-resistant validation via dual sources and cryptographic signatures
• User-friendly recovery buffer: aligns with real-world financial risk controls

Conclusion

Slowlyy is built on a simple principle: slowing down crypto can actually make it safer. With a minimal but powerful dual-verification time lock, users gain crucial time to act in emergencies. This wallet architecture redefines digital self-custody security by prioritizing control and recovery over speed.

Appendix

WorldTimeAPI

Sample HMAC API response:

{
  "date": "2025-08-01",
  "signature": "f0e2b7234f1f..."
}

Signature generated using: