Could I implement an ASA with it's own custom wallet?

Welcome to Algorand!

You can always create your own wallet to handle your coin yourself and obscure the fact you’re using Algorand from the user perspective.

You have two options for key management:

  1. Custodial: you keep the keys and the user has no ideas that there are keys involved.
  2. Non-custodial: the user keeps the keys and must make the backup. So you cannot really obscure things too much from the user.

In both cases, key management is a complex task and requires specific expertise to be designed securely. For the non-custodial key management I would highly recommend using existing solutions such as AlgoSigner (AlgoSigner | Algorand Wallet Extension for Chrome | PureStake) or MyAlgo Connect (Introducing MyAlgo Connect for DApp Developers | Algorand Developer Portal).

Note that you can also have custodial key management by default and allow for non-custodial key management for advanced used. Actually Aikon ORE ID allows for such an hybrid key management: Getting Started with ORE ID | Algorand Developer Portal

In what follows, I’m assuming you are using the custodial route.

One solution is to use the clawback address to make all the transactions: Assets - Algorand Developer Portal. This is what Props is doing (see Algorand   ). Using the clawback address means that only this address is paying the fees in Algos. Note that you would still need to have the user account opt in to the ASA, but that can be done once and for all.

Another idea to improve security is to use delegated smart contracts. You can keep the secret keys completely offline for more security and delegate to a key stored online on your servers the ability to make transactions. You can use a smart contract as Using a Smart Contract for Advanced Approvals: Hierarchical Thresholds | Algorand Developer Portal with additional checks to ensure that the only operations allowed by the clawback address are clawback ASA transactions.
What this ensures is that even if your online keys become compromised, the adversary can just record incorrect transactions but cannot steal Algos on the key, or rekey the key to prevent you re-taking control of the asset.

3 Likes