DEV Community: Heath Mcintyre The latest articles on DEV Community by Heath Mcintyre (@heath_mcintyre_dea31db820). https://dev.to/heath_mcintyre_dea31db820 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3897866%2F02b134ac-46c0-4151-b244-062e0dd09165.png DEV Community: Heath Mcintyre https://dev.to/heath_mcintyre_dea31db820 en AI security monitoring at scale: one LLM call, every dashboard Heath Mcintyre Sat, 25 Apr 2026 18:03:29 +0000 https://dev.to/heath_mcintyre_dea31db820/ai-security-monitoring-at-scale-one-llm-call-every-dashboard-5fep https://dev.to/heath_mcintyre_dea31db820/ai-security-monitoring-at-scale-one-llm-call-every-dashboard-5fep <p><em>How CoinHawk runs a continuous AI security scan for every connected user using a single shared LLM call every 5 minutes.</em></p> <h2> The dumb version doesn't scale </h2> <p>Imagine you want every user's dashboard to display a live "security score" produced by an LLM. The first instinct is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET /api/security/scan → call OpenAI → return result </code></pre> </div> <p>If 1,000 users hit the dashboard, you make 1,000 LLM calls. At ~$0.02 per call you've burned $20 in 30 seconds, OpenAI rate-limits you, and your p95 latency is now whatever GPT feels like today.</p> <p>The second instinct is to cache the response per-user. That's a little better, but you still scale costs linearly with users, and the cache invalidation logic gets ugly fast.</p> <p>The real answer for monitoring-style features is dead simple: <strong>the scan is global, so make exactly one global scan and serve it to everyone.</strong> Below is the production pattern I shipped in CoinHawk's "Sentinel" feature.</p> <h2> The mental model </h2> <ul> <li> <strong>The data is shared, not user-specific.</strong> A "system security posture" doesn't care who's logged in.</li> <li> <strong>Compute on a timer, not on demand.</strong> Refresh every N minutes regardless of traffic.</li> <li> <strong>Reads are O(1) and instant.</strong> Every API request just returns the cached object.</li> <li> <strong>One in-flight refresh at a time.</strong> No matter how many things ask, only one LLM call runs.</li> </ul> <p>This pattern works for any "expensive global signal you want to display everywhere": status pages, market summaries, anomaly detectors, AI-curated newsfeeds, etc.</p> <h2> The full implementation (~50 lines) </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">openai</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@workspace/integrations-openai-ai-server</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">type</span> <span class="nx">SecurityScanResult</span> <span class="o">=</span> <span class="p">{</span> <span class="na">riskScore</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">status</span><span class="p">:</span> <span class="dl">"</span><span class="s2">secure</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">watch</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">elevated</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">critical</span><span class="dl">"</span><span class="p">;</span> <span class="nl">summary</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">risks</span><span class="p">:</span> <span class="nb">Array</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">severity</span><span class="p">:</span> <span class="dl">"</span><span class="s2">low</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">medium</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">high</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">critical</span><span class="dl">"</span><span class="p">;</span> <span class="nl">category</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">string;</span><span class="dl">"</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">string;</span><span class="dl">"</span> <span class="na">recommendation</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span><span class="o">&gt;</span><span class="p">;</span> <span class="nl">scannedAt</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">};</span> <span class="kd">let</span> <span class="nx">cachedScan</span><span class="p">:</span> <span class="nx">SecurityScanResult</span> <span class="o">=</span> <span class="nf">fallbackScan</span><span class="p">();</span> <span class="kd">let</span> <span class="nx">inFlight</span><span class="p">:</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">SecurityScanResult</span><span class="o">&gt;</span> <span class="o">|</span> <span class="kc">null</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">schedulerStarted</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">getCachedScan</span><span class="p">():</span> <span class="nx">SecurityScanResult</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">cachedScan</span><span class="p">;</span> <span class="c1">// O(1), no I/O, every request hits this</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">refreshScan</span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">SecurityScanResult</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Coalesce concurrent refresh requests into the same in-flight call.</span> <span class="k">if </span><span class="p">(</span><span class="nx">inFlight</span><span class="p">)</span> <span class="k">return</span> <span class="nx">inFlight</span><span class="p">;</span> <span class="nx">inFlight</span> <span class="o">=</span> <span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">runSecurityScan</span><span class="p">();</span> <span class="c1">// the actual OpenAI call</span> <span class="nx">cachedScan</span> <span class="o">=</span> <span class="nx">result</span><span class="p">;</span> <span class="k">return</span> <span class="nx">result</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">({</span> <span class="nx">err</span> <span class="p">},</span> <span class="dl">"</span><span class="s2">Sentinel scan failed</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="nx">cachedScan</span><span class="p">;</span> <span class="c1">// serve stale on failure, never break the dashboard</span> <span class="p">}</span> <span class="k">finally</span> <span class="p">{</span> <span class="nx">inFlight</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="p">})();</span> <span class="k">return</span> <span class="nx">inFlight</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">startSecurityScanScheduler</span><span class="p">(</span><span class="nx">intervalMs</span> <span class="o">=</span> <span class="mi">5</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">schedulerStarted</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="nx">schedulerStarted</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nf">refreshScan</span><span class="p">().</span><span class="k">catch</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{}),</span> <span class="mi">3000</span><span class="p">);</span> <span class="c1">// warm-up</span> <span class="nf">setInterval</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nf">refreshScan</span><span class="p">().</span><span class="k">catch</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{}),</span> <span class="nx">intervalMs</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>And the route:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/security/scan</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nf">getCachedScan</span><span class="p">());</span> <span class="p">});</span> </code></pre> </div> <p>That's it. 1 user or 100,000 users, the cost is the same: one LLM call every 5 minutes.</p> <h2> The four design decisions that matter </h2> <h3> 1. Coalesce in-flight calls </h3> <p>The <code>inFlight</code> promise is the most important line in the file. Without it, two concurrent calls to <code>refreshScan()</code> (e.g. scheduler + manual admin trigger) become two LLM calls. With it, the second call just awaits the first. This single guard collapses thundering-herd risk to zero.</p> <h3> 2. Serve stale on failure </h3> <p>The <code>catch</code> block returns <code>cachedScan</code> instead of throwing. If OpenAI has an outage, your dashboard keeps showing the last known scan instead of a red error banner. Users stay calm. You buy yourself time to fix things.</p> <h3> 3. Warm up before the first user hits </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nf">refreshScan</span><span class="p">(),</span> <span class="mi">3000</span><span class="p">);</span> </code></pre> </div> <p>Three seconds after boot, kick off the first scan in the background. Otherwise the very first dashboard request after deploy waits on an OpenAI cold start (3–10s).</p> <h3> 4. Force structured output </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">completion</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">openai</span><span class="p">.</span><span class="nx">chat</span><span class="p">.</span><span class="nx">completions</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gpt-5.4</span><span class="dl">"</span><span class="p">,</span> <span class="na">response_format</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">json_object</span><span class="dl">"</span> <span class="p">},</span> <span class="c1">// &lt;-- strict JSON, no markdown</span> <span class="na">messages</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">system</span><span class="dl">"</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="nx">SECURITY_SYSTEM_PROMPT</span> <span class="p">},</span> <span class="p">{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user</span><span class="dl">"</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Run a fresh security scan.</span><span class="dl">"</span> <span class="p">},</span> <span class="p">],</span> <span class="p">});</span> </code></pre> </div> <p><code>response_format: { type: "json_object" }</code> plus a system prompt that includes the exact schema means you can <code>JSON.parse()</code> without regret. Then defensively coerce every field — never trust the model's types.</p> <h2> The system prompt that produces useful output </h2> <p>The system prompt is doing real work. It defines the schema, enumerates allowed values, sets distribution expectations ("most scans should mostly be low/medium with at most 1-2 high or critical items"), and forbids prose around the JSON.</p> <p>The interesting trick: include the <strong>portfolio context</strong> (holdings, win rate, exchanges connected) directly in the system prompt rather than the user message. The model produces more grounded, specific risks ("watch your AVAX exposure on bridge X") instead of generic ones ("be careful of phishing").</p> <h2> What about user-specific scans? </h2> <p>For per-user signals (e.g. "scan THIS wallet"), the same pattern applies — just key the cache:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">cache</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Map</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="p">{</span> <span class="na">result</span><span class="p">:</span> <span class="nx">SecurityScanResult</span><span class="p">;</span> <span class="nl">ts</span><span class="p">:</span> <span class="kr">number</span> <span class="p">}</span><span class="o">&gt;</span><span class="p">();</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getScanForWallet</span><span class="p">(</span><span class="nx">addr</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">hit</span> <span class="o">=</span> <span class="nx">cache</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">addr</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">hit</span> <span class="o">&amp;&amp;</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="nx">hit</span><span class="p">.</span><span class="nx">ts</span> <span class="o">&lt;</span> <span class="mi">60</span><span class="nx">_000</span><span class="p">)</span> <span class="k">return</span> <span class="nx">hit</span><span class="p">.</span><span class="nx">result</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">runSecurityScan</span><span class="p">(</span><span class="nx">addr</span><span class="p">);</span> <span class="nx">cache</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">addr</span><span class="p">,</span> <span class="p">{</span> <span class="nx">result</span><span class="p">,</span> <span class="na">ts</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">result</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>But for the global header pill that says "Sentinel: secure" on every dashboard? One scan. Forever.</p> <h2> Try it </h2> <p>Watch the Sentinel pill update on the live CoinHawk dashboard:</p> <p>→ <strong><a href="https://71554e3f-e544-4c13-9297-83c480d696c1-00-3dqa8py4myltw.worf.replit.dev/" rel="noopener noreferrer">https://71554e3f-e544-4c13-9297-83c480d696c1-00-3dqa8py4myltw.worf.replit.dev/</a></strong></p> <p>Connect a wallet, watch the header. The pill is reading directly from the cached global scan that refreshes every 5 minutes — same code as above, in production right now.</p> <p>If you liked this pattern, the launch story is here: <a href="https://dev.to/heath_mcintyre_dea31db820/how-i-built-an-ai-crypto-trading-dashboard-in-a-weekend-with-replit-base-5843">How I built an AI crypto trading dashboard in a weekend with Replit + Base</a>.</p> <p><em>Built with <a href="https://openai.com" rel="noopener noreferrer">OpenAI</a>, <a href="https://expressjs.com" rel="noopener noreferrer">Express</a>, and a stubborn refusal to scale costs linearly with users.</em></p> ai openai architecture webdev Verifying real wallet ownership without gas: a signed-nonce pattern with viem + Express Heath Mcintyre Sat, 25 Apr 2026 17:58:48 +0000 https://dev.to/heath_mcintyre_dea31db820/verifying-real-wallet-ownership-without-gas-a-signed-nonce-pattern-with-viem-express-1ien https://dev.to/heath_mcintyre_dea31db820/verifying-real-wallet-ownership-without-gas-a-signed-nonce-pattern-with-viem-express-1ien <p><em>A production walkthrough of the auth pattern powering CoinHawk's admin layer — and why "the client says they're 0xABC" is a security bug.</em></p> <h2> The naive way (and why it's broken) </h2> <p>When a user connects MetaMask to your dapp, the browser hands you their wallet address through <code>window.ethereum.request({ method: "eth_requestAccounts" })</code>. Tempting flow:</p> <ol> <li>Frontend asks MetaMask for the address</li> <li>Frontend POSTs <code>{ address: "0xABC..." }</code> to your backend</li> <li>Backend stores it on the session</li> <li>Backend uses that address to gate admin features, route fees, log trades, etc.</li> </ol> <p>This is <strong>completely insecure</strong>. Anyone with <code>curl</code> can POST any address they want. There is zero proof the requester controls the private key for <code>0xABC</code>. They could claim to be Vitalik. They could claim to be your admin wallet.</p> <p>You need a <strong>proof of ownership</strong> step. The standard solution is a signed-nonce challenge — and it's surprisingly easy to get wrong if you trust the client for any of the inputs.</p> <p>Here's the pattern I shipped in CoinHawk, with the real production code.</p> <h2> The pattern in three steps </h2> <ol> <li> <strong>Server issues a fresh nonce</strong> with a short TTL, stores it on the user's session</li> <li> <strong>Client signs a message</strong> containing that nonce via <code>personal_sign</code> </li> <li> <strong>Server reconstructs the exact message</strong> from server-stored values, then verifies the signature against the address</li> </ol> <p>The key word is <em>reconstructs</em>. The client never sends the message back. Otherwise we'd be re-introducing a trust gap — a malicious client could send a different message than the one MetaMask actually signed.</p> <h2> Step 1 — Issue a nonce </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// routes/wallet.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Router</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">Request</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">Response</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">randomBytes</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">node:crypto</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getSession</span><span class="p">,</span> <span class="nx">updateSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../lib/auth</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nc">Router</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">NONCE_TTL_MS</span> <span class="o">=</span> <span class="mi">5</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">;</span> <span class="c1">// 5 minutes</span> <span class="kd">function</span> <span class="nf">buildSigningMessage</span><span class="p">(</span><span class="nx">nonce</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">issuedAt</span><span class="p">:</span> <span class="nb">Date</span><span class="p">,</span> <span class="nx">expiresAt</span><span class="p">:</span> <span class="nb">Date</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">Welcome to CoinHawk.</span><span class="dl">"</span><span class="p">,</span> <span class="dl">""</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Sign this message to verify ownership of your wallet.</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">This is free and will not submit a transaction.</span><span class="dl">"</span><span class="p">,</span> <span class="dl">""</span><span class="p">,</span> <span class="s2">`Nonce: </span><span class="p">${</span><span class="nx">nonce</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="s2">`Issued: </span><span class="p">${</span><span class="nx">issuedAt</span><span class="p">.</span><span class="nf">toISOString</span><span class="p">()}</span><span class="s2">`</span><span class="p">,</span> <span class="s2">`Expires: </span><span class="p">${</span><span class="nx">expiresAt</span><span class="p">.</span><span class="nf">toISOString</span><span class="p">()}</span><span class="s2">`</span><span class="p">,</span> <span class="p">].</span><span class="nf">join</span><span class="p">(</span><span class="dl">"</span><span class="se">\n</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="nx">router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/wallet/nonce</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">Response</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nf">isAuthenticated</span><span class="p">()</span> <span class="o">||</span> <span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">sessionId</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Authentication required</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getSession</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">sessionId</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">session</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Authentication required</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">nonce</span> <span class="o">=</span> <span class="nf">randomBytes</span><span class="p">(</span><span class="mi">16</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">"</span><span class="s2">hex</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">issuedAt</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">expiresAt</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">issuedAt</span><span class="p">.</span><span class="nf">getTime</span><span class="p">()</span> <span class="o">+</span> <span class="nx">NONCE_TTL_MS</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">message</span> <span class="o">=</span> <span class="nf">buildSigningMessage</span><span class="p">(</span><span class="nx">nonce</span><span class="p">,</span> <span class="nx">issuedAt</span><span class="p">,</span> <span class="nx">expiresAt</span><span class="p">);</span> <span class="k">await</span> <span class="nf">updateSession</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">sessionId</span><span class="p">,</span> <span class="p">{</span> <span class="p">...</span><span class="nx">session</span><span class="p">,</span> <span class="na">pendingWalletNonce</span><span class="p">:</span> <span class="nx">nonce</span><span class="p">,</span> <span class="na">pendingWalletNonceExpiresAt</span><span class="p">:</span> <span class="nx">expiresAt</span><span class="p">.</span><span class="nf">getTime</span><span class="p">(),</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">setHeader</span><span class="p">(</span><span class="dl">"</span><span class="s2">Cache-Control</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">no-store</span><span class="dl">"</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">nonce</span><span class="p">,</span> <span class="nx">message</span><span class="p">,</span> <span class="nx">issuedAt</span><span class="p">,</span> <span class="nx">expiresAt</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>Three things to notice:</p> <ul> <li> <strong>The user must already be authenticated</strong> (logged in via your normal auth, in our case Replit OIDC). Wallet verification binds a wallet to an <em>existing</em> user — it's not a replacement for login.</li> <li> <strong>The nonce lives on the server session</strong>, not in a cookie or localStorage. Storing it on the client would defeat the entire point.</li> <li> <strong><code>Cache-Control: no-store</code></strong> because nonce responses should never be cached by intermediaries.</li> </ul> <h2> Step 2 — Client signs </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// hooks/useWallet.ts (frontend)</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">connectWallet</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">address</span><span class="p">]</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">window</span><span class="p">.</span><span class="nx">ethereum</span><span class="p">.</span><span class="nf">request</span><span class="p">({</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">eth_requestAccounts</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">chainId</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">window</span><span class="p">.</span><span class="nx">ethereum</span><span class="p">.</span><span class="nf">request</span><span class="p">({</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">eth_chainId</span><span class="dl">"</span> <span class="p">});</span> <span class="c1">// Ask the server for a fresh challenge</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">message</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/wallet/nonce</span><span class="dl">"</span><span class="p">).</span><span class="nf">then</span><span class="p">((</span><span class="nx">r</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="c1">// Sign it via MetaMask. No gas, no transaction.</span> <span class="kd">const</span> <span class="nx">signature</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">window</span><span class="p">.</span><span class="nx">ethereum</span><span class="p">.</span><span class="nf">request</span><span class="p">({</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">personal_sign</span><span class="dl">"</span><span class="p">,</span> <span class="na">params</span><span class="p">:</span> <span class="p">[</span><span class="nx">message</span><span class="p">,</span> <span class="nx">address</span><span class="p">],</span> <span class="p">});</span> <span class="c1">// Send the signature + claimed address back</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/wallet/register</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">content-type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">address</span><span class="p">,</span> <span class="nx">signature</span><span class="p">,</span> <span class="nx">chainId</span> <span class="p">}),</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>Note we <strong>never send the message text back</strong>. That's deliberate.</p> <h2> Step 3 — Server reconstructs and verifies </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">verifyMessage</span><span class="p">,</span> <span class="nx">isAddress</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">viem</span><span class="dl">"</span><span class="p">;</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/wallet/register</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nf">isAuthenticated</span><span class="p">()</span> <span class="o">||</span> <span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">sessionId</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Authentication required</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">address</span><span class="p">,</span> <span class="nx">signature</span><span class="p">,</span> <span class="nx">chainId</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getSession</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">sessionId</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">nonce</span> <span class="o">=</span> <span class="nx">session</span><span class="p">?.</span><span class="nx">pendingWalletNonce</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">expiresAt</span> <span class="o">=</span> <span class="nx">session</span><span class="p">?.</span><span class="nx">pendingWalletNonceExpiresAt</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">nonce</span> <span class="o">||</span> <span class="o">!</span><span class="nx">expiresAt</span> <span class="o">||</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">&gt;</span> <span class="nx">expiresAt</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">No active signing challenge. Request a new nonce and try again.</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">isAddress</span><span class="p">(</span><span class="nx">address</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid wallet address</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// CRITICAL: reconstruct the exact message from SERVER-stored values.</span> <span class="c1">// Never accept the message text from the client.</span> <span class="kd">const</span> <span class="nx">issuedAt</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">expiresAt</span> <span class="o">-</span> <span class="nx">NONCE_TTL_MS</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">message</span> <span class="o">=</span> <span class="nf">buildSigningMessage</span><span class="p">(</span><span class="nx">nonce</span><span class="p">,</span> <span class="nx">issuedAt</span><span class="p">,</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">expiresAt</span><span class="p">));</span> <span class="kd">let</span> <span class="nx">valid</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">valid</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">verifyMessage</span><span class="p">({</span> <span class="nx">address</span><span class="p">,</span> <span class="nx">message</span><span class="p">,</span> <span class="nx">signature</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="nx">valid</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">valid</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Wallet signature verification failed</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Bind the wallet to the session and burn the nonce so it can't be replayed.</span> <span class="k">await</span> <span class="nf">updateSession</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">sessionId</span><span class="p">,</span> <span class="p">{</span> <span class="p">...</span><span class="nx">session</span><span class="p">,</span> <span class="na">walletAddress</span><span class="p">:</span> <span class="nx">address</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">(),</span> <span class="na">walletChainId</span><span class="p">:</span> <span class="nx">chainId</span><span class="p">,</span> <span class="na">pendingWalletNonce</span><span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="na">pendingWalletNonceExpiresAt</span><span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">walletAddress</span><span class="p">:</span> <span class="nx">address</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">()</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p><code>viem</code>'s <code>verifyMessage</code> handles both EOA and ERC-1271 smart contract wallet signatures, which means smart accounts (Safe, Argent, etc.) work transparently. That's worth a lot.</p> <h2> The five things people get wrong </h2> <p>After reviewing a dozen open-source dapps, here are the bugs I see most often:</p> <ol> <li> <strong>Trusting the client-supplied message.</strong> The signature is for a specific message. If the client picks the message, they pick the meaning. Always reconstruct server-side.</li> <li> <strong>Storing the nonce in a cookie or localStorage.</strong> The whole point is the server holds the secret. A client-controlled nonce is no nonce at all.</li> <li> <strong>No TTL.</strong> A nonce that lives forever can be replayed forever. 5 minutes is a good default.</li> <li> <strong>No "burn after use".</strong> Once verified, delete the nonce. Otherwise a replay attack works the second time too.</li> <li> <strong>Lowercasing inconsistently.</strong> EVM addresses are case-insensitive but checksums are case-significant. Pick one form (lowercase) and use it everywhere — comparisons, storage, env config.</li> </ol> <h2> Why I bothered </h2> <p>CoinHawk routes a 1% fee per trade on-chain to a verified admin wallet. The admin dashboard exposes server-side controls (nuke trades, surface alerts, run AI sentinel scans). If the wallet check were spoofable, anyone could promote themselves to admin by claiming to be the admin wallet's address. Game over.</p> <p>With the signed-nonce pattern, the server has cryptographic proof — at the moment of binding — that the requester controls the private key for the address they're claiming. That proof gates everything downstream.</p> <h2> Try it </h2> <p>CoinHawk is live at <strong><a href="https://71554e3f-e544-4c13-9297-83c480d696c1-00-3dqa8py4myltw.worf.replit.dev/" rel="noopener noreferrer">https://71554e3f-e544-4c13-9297-83c480d696c1-00-3dqa8py4myltw.worf.replit.dev/</a></strong> — connect your wallet, watch the MetaMask sign prompt, and you've just experienced the flow above.</p> <p>Source patterns and the full implementation walkthrough live in the previous post: <a href="https://dev.to/heath_mcintyre_dea31db820/how-i-built-an-ai-crypto-trading-dashboard-in-a-weekend-with-replit-base-5843">How I built an AI crypto trading dashboard in a weekend with Replit + Base</a>.</p> <p><em>Built with <a href="https://viem.sh" rel="noopener noreferrer">viem</a>, <a href="https://expressjs.com" rel="noopener noreferrer">Express</a>, and a healthy paranoia about clients.</em></p> webdev security javascript web3 How I built an AI crypto trading dashboard in a weekend with Replit + Base Heath Mcintyre Sat, 25 Apr 2026 17:56:29 +0000 https://dev.to/heath_mcintyre_dea31db820/how-i-built-an-ai-crypto-trading-dashboard-in-a-weekend-with-replit-base-5843 https://dev.to/heath_mcintyre_dea31db820/how-i-built-an-ai-crypto-trading-dashboard-in-a-weekend-with-replit-base-5843 <p><em>A practical breakdown of CoinHawk: what it does, how it's wired, and what surprised me along the way.</em></p> <p>I've been trading crypto on the side for about three years and the same thing kills me every time: I miss the move. The signal hits at 3am, my Discord pings, I'm asleep, and by the time I wake up the trade is gone.</p> <p>So last weekend I built <strong>CoinHawk</strong> — an AI-powered trading dashboard that watches the markets so I don't have to. It scans 2,400+ tokens across 14 exchanges, surfaces real-time signals, and executes trades in one click via MetaMask on Base. Free tier available, $29/mo for the full version.</p> <p><strong>Live demo → <a href="https://71554e3f-e544-4c13-9297-83c480d696c1-00-3dqa8py4myltw.worf.replit.dev/" rel="noopener noreferrer">https://71554e3f-e544-4c13-9297-83c480d696c1-00-3dqa8py4myltw.worf.replit.dev/</a></strong></p> <p>Here's how it came together.</p> <h2> The stack (and why) </h2> <ul> <li> <strong>Replit</strong> for the dev environment, Postgres, and one-click deploy. The whole thing — frontend, backend, database, secrets, deploy — lives in one project. No DevOps required.</li> <li> <strong>React + Vite</strong> for the dashboard frontend. Dark theme, accent green, Space Grotesk + DM Sans. Feels like a Bloomberg terminal got a redesign.</li> <li> <strong>Express + Drizzle + Postgres</strong> for the API and trade log.</li> <li> <strong>OpenAI gpt-5.4</strong> (via Replit's AI proxy, so I never had to manage an API key) for signal generation and the security monitor.</li> <li> <strong>viem</strong> for wallet signature verification.</li> <li> <strong>Base</strong> as the on-chain settlement layer. 1% per trade routes to a verified admin wallet — no custodial layer, no third-party processor.</li> </ul> <p>Total time from blank Replit to live production: <strong>about 11 hours over a weekend.</strong></p> <h2> The three things I'm proud of </h2> <h3> 1. Real wallet ownership verification </h3> <p>The naive way to do "wallet-based admin" is: client says "I'm wallet 0xABC" → server trusts it. That's broken. Anyone can claim to be anyone.</p> <p>CoinHawk does it properly:</p> <ol> <li>Server issues a one-time nonce (5-minute TTL, stored in session)</li> <li>Client signs the reconstructed message via MetaMask <code>personal_sign</code> </li> <li>Server verifies the signature with viem's <code>verifyMessage</code> against the <em>server-stored</em> nonce, not the client-supplied one</li> <li>Only then is the wallet bound to the session</li> </ol> <p>No gas, no transaction, no spoofing. ~80 lines of code.</p> <h3> 2. Server-driven AI security monitor </h3> <p>Every dashboard has a "Sentinel" status pill in the header. It's not a static badge — it's the output of a real LLM scan of the deployment that runs every 5 minutes server-side. Cache is shared across all users, so a single API call serves everyone. Frontend polls every 30s.</p> <p>The trick: ignore user-supplied parameters when computing the cached scan. One bad-actor user shouldn't be able to steer what every other user sees.</p> <h3> 3. Tier-aware dashboard from a single URL </h3> <p>Pricing tiers (Scout/Hunter/Apex) on the landing page link to <code>/dashboard?plan=apex</code>. The dashboard reads it via <code>useSearchParams</code>, persists to localStorage, then strips the query. Refresh-safe, share-safe, simple.</p> <h2> What surprised me </h2> <p><strong>Replit's "publish" button is faster than I expected.</strong> I push a code change, click Publish, and 60 seconds later it's live on <code>.replit.app</code>. No Dockerfile, no CI/CD pipeline, no AWS console. For a solo project this is the right tradeoff.</p> <p><strong>OpenAI's gpt-5.4 is wildly good at structured trade analysis</strong> when you give it real market context. The hard part wasn't the model — it was building the data pipeline that feeds it.</p> <p><strong>Wallet UX is still terrible.</strong> Even with all my polish, MetaMask popping up two prompts (connect + sign) is friction. Smart accounts will eventually fix this. Until then, it's the cost of Web3.</p> <h2> What's next </h2> <ul> <li>Smart account support (gasless trades for the Hunter tier)</li> <li>WalletConnect for non-MetaMask users</li> <li>A mobile app via Expo</li> <li>Backtest mode so users can replay AI signals against historical data</li> </ul> <p>If you want to try it: <strong><a href="https://71554e3f-e544-4c13-9297-83c480d696c1-00-3dqa8py4myltw.worf.replit.dev/" rel="noopener noreferrer">https://71554e3f-e544-4c13-9297-83c480d696c1-00-3dqa8py4myltw.worf.replit.dev/</a></strong> — Scout tier is free, no credit card.</p> <p><em>Built on <a href="https://replit.com" rel="noopener noreferrer">Replit</a> and <a href="https://base.org" rel="noopener noreferrer">Base</a>. Roast my code or my color choices in the comments.</em></p> ai crypto webdev showdev