DEV Community

Heath Mcintyre

How I built an AI crypto trading dashboard in a weekend with Replit + Base

A practical breakdown of CoinHawk: what it does, how it's wired, and what surprised me along the way.


I've been trading crypto on the side for about three years and the same thing kills me every time: I miss the move. The signal hits at 3am, my Discord pings, I'm asleep, and by the time I wake up the trade is gone.

So last weekend I built CoinHawk — an AI-powered trading dashboard that watches the markets so I don't have to. It scans 2,400+ tokens across 14 exchanges, surfaces real-time signals, and executes trades in one click via MetaMask on Base. Free tier available, $29/mo for the full version.

Live demo → https://71554e3f-e544-4c13-9297-83c480d696c1-00-3dqa8py4myltw.worf.replit.dev/

Here's how it came together.

The stack (and why)

  • Replit for the dev environment, Postgres, and one-click deploy. The whole thing — frontend, backend, database, secrets, deploy — lives in one project. No DevOps required.
  • React + Vite for the dashboard frontend. Dark theme, accent green, Space Grotesk + DM Sans. Feels like a Bloomberg terminal got a redesign.
  • Express + Drizzle + Postgres for the API and trade log.
  • OpenAI gpt-5.4 (via Replit's AI proxy, so I never had to manage an API key) for signal generation and the security monitor.
  • viem for wallet signature verification.
  • Base as the on-chain settlement layer. 1% per trade routes to a verified admin wallet — no custodial layer, no third-party processor.

Total time from blank Replit to live production: about 11 hours over a weekend.

The three things I'm proud of

1. Real wallet ownership verification

The naive way to do "wallet-based admin" is: client says "I'm wallet 0xABC" → server trusts it. That's broken. Anyone can claim to be anyone.

CoinHawk does it properly:

  1. Server issues a one-time nonce (5-minute TTL, stored in session)
  2. Client signs the reconstructed message via MetaMask personal_sign
  3. Server verifies the signature with viem's verifyMessage against the server-stored nonce, not the client-supplied one
  4. Only then is the wallet bound to the session

No gas, no transaction, no spoofing. ~80 lines of code.
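
The server side of the four steps above, as an added example that is not CoinHawk's own code. The message format, the session object shape and the function names are assumptions, and the signature verifier is passed in so the app can supply viem's verifyMessage while the demo uses a constructed stand-in.

```javascript
// Added example, not CoinHawk's code. `verify` is injected; in the app it would
// be viem's verifyMessage({ address, message, signature }) -> Promise<boolean>.
const NONCE_TTL_MS = 5 * 60 * 1000; // 5-minute TTL from the post

// Assumed message format; the post does not show the real one.
function buildMessage(address, nonce) {
  return `CoinHawk admin login\nAddress: ${address.toLowerCase()}\nNonce: ${nonce}`;
}

// Step 1: mint a nonce and keep it in the server-side session.
async function issueNonce(session, now = Date.now()) {
  const { randomBytes } = await import("node:crypto"); // loads under CJS or ESM
  session.nonce = { value: randomBytes(16).toString("hex"), expires: now + NONCE_TTL_MS };
  return session.nonce.value;
}

// Steps 3-4: check the signature against the stored nonce, then bind the wallet.
async function verifyLogin(session, { address, signature }, verify, now = Date.now()) {
  const stored = session.nonce;
  delete session.nonce; // single use: consumed on every attempt, pass or fail
  if (!stored) return { ok: false, reason: "no-nonce" };
  if (now > stored.expires) return { ok: false, reason: "expired" };
  if (!/^0x[0-9a-fA-F]{40}$/.test(String(address))) return { ok: false, reason: "bad-address" };
  const message = buildMessage(address, stored.value); // rebuilt server-side
  let valid = false;
  try {
    valid = (await verify({ address, message, signature })) === true;
  } catch {
    valid = false; // malformed signatures count as failures
  }
  if (!valid) return { ok: false, reason: "bad-signature" };
  session.wallet = address.toLowerCase();
  return { ok: true, wallet: session.wallet };
}

// Constructed demo: a stand-in signer and verifier replace MetaMask and viem.
async function demo() {
  const addr = "0x" + "ab".repeat(20);
  const sign = (msg) => "sig:" + msg;
  const verify = async (p) => p.address === addr && p.signature === sign(p.message);
  const session = {};
  const signature = sign(buildMessage(addr, await issueNonce(session)));
  const first = await verifyLogin(session, { address: addr, signature }, verify);
  const replay = await verifyLogin(session, { address: addr, signature }, verify);
  return { first: first.ok, replay: replay.reason };
}
demo().then((r) => console.log(r));
```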

2. Server-driven AI security monitor

Every dashboard has a "Sentinel" status pill in the header. It's not a static badge — it's the output of a real LLM scan of the deployment that runs every 5 minutes server-side. Cache is shared across all users, so a single API call serves everyone. Frontend polls every 30s.

The trick: ignore user-supplied parameters when computing the cached scan. One bad-actor user shouldn't be able to steer what every other user sees.

3. Tier-aware dashboard from a single URL

Pricing tiers (Scout/Hunter/Apex) on the landing page link to /dashboard?plan=apex. The dashboard reads it via useSearchParams, persists to localStorage, then strips the query. Refresh-safe, share-safe, simple.

What surprised me

Replit's "publish" button is faster than I expected. I push a code change, click Publish, and 60 seconds later it's live on .replit.app. No Dockerfile, no CI/CD pipeline, no AWS console. For a solo project this is the right tradeoff.

OpenAI's gpt-5.4 is wildly good at structured trade analysis when you give it real market context. The hard part wasn't the model — it was building the data pipeline that feeds it.

Wallet UX is still terrible. Even with all my polish, MetaMask popping up two prompts (connect + sign) is friction. Smart accounts will eventually fix this. Until then, it's the cost of Web3.

What's next

  • Smart account support (gasless trades for the Hunter tier)
  • WalletConnect for non-MetaMask users
  • A mobile app via Expo
  • Backtest mode so users can replay AI signals against historical data

If you want to try it: https://71554e3f-e544-4c13-9297-83c480d696c1-00-3dqa8py4myltw.worf.replit.dev/ — Scout tier is free, no credit card.


Built on Replit and Base. Roast my code or my color choices in the comments.
