Zero-leakage, biometric-secured portfolio tracker: Live data, local encryption, and cross-device FIDO2 authentication for finance and crypto.
Your wealth data never leaves your device. No cloud storage. No data brokers. No surveillance capitalism. Just client-side encryption with real-time portfolio insights.
Stop feeding your financial data to surveillance platforms. Mint, Personal Capital, and others monetize your transaction history. EchoForge takes a different approach: a zero-knowledge architecture in the plain sense that your data is stored only on your device, encrypted there, so even the maintainers cannot see it.
- Traditional portfolio trackers sell your data to advertisers
- Cloud storage is attack surface for attackers
- Manual tracking means outdated, error-prone portfolios
- Password authentication is vulnerable to phishing
- Local-First Architecture: All data encrypted client-side using AES-256-GCM
- FIDO2 Biometric Auth: Fingerprint/Face ID replaces passwords
- Real-Time Intelligence: Live price feeds with no API key to expose
- Multi-Asset Support: Stocks, crypto, commodities, real estate, NFTs
- Set-and-Forget Automation: Runs offline, with automated security scanning of the codebase
Real-time portfolio visualization with privacy-preserving price feeds
Passwordless authentication using WebAuthn standard
Multi-asset price monitoring with cosmic-themed UI
Note: Screenshot placeholders - see Mockup Guide for design specifications
- Three-Layer Defense Model: FIDO2 → Client Encryption → Offline Storage
- AES-256-GCM Encryption: NIST-standard authenticated encryption for all data at rest
- PBKDF2 Key Derivation: 600,000 iterations (the OWASP 2023 figure for PBKDF2-HMAC-SHA256)
- No Cloud Dependencies: Your data never touches our servers
- Open Source Transparency: Audit every line of security code
- Crypto: BTC, ETH, and 5,000+ altcoins
- Traditional Finance: Stocks, bonds, ETFs, mutual funds
- Alternative Assets: Real estate, NFTs, commodities
- Custom Holdings: Private equity, angel investments
- Unified Dashboard: Single pane of glass for entire net worth
- Real-Time Price Feeds: Updates every 2.5 seconds by default, without API keys
- Smart Alerts: Desktop notifications for significant movements
- Portfolio Rebalancing: AI-suggested optimizations (coming soon)
- Tax Loss Harvesting: Automated wash sale detection (coming soon)
- Accessibility-First: Screen reader support, keyboard navigation
| Feature | EchoForge | Mint | Personal Capital | CoinTracker | Delta |
|---|---|---|---|---|---|
| Data Privacy | Zero-knowledge (no server-side copy) | Sold to advertisers | Shared with partners | | |
| Biometric Auth | FIDO2 WebAuthn | Password only | Password only | Password only | Password only |
| Client-Side Encryption | AES-256-GCM | None | None | | |
| Offline Mode | Full functionality | Cloud required | Cloud required | Cloud required | Cloud required |
| Open Source | MIT License | Proprietary | Proprietary | Proprietary | Proprietary |
| Cost | Free | Free (ad-supported) | $89/year | $199/year | $59/year |
| Crypto Support | 5,000+ coins | Limited | None | Extensive | Extensive |
| Multi-Device Sync | End-to-end encrypted (planned, see roadmap) | Cloud sync | Cloud sync | Cloud sync | Cloud sync |
Winner: EchoForge for privacy-conscious users who refuse to compromise security
See detailed comparison: docs/competitor-comparison.md
EchoForge implements defense-in-depth with three independent security layers:

```text
┌──────────────────────────────────────────────────┐
│ LAYER 1: FIDO2 Biometric Authentication          │
│  • WebAuthn standard (W3C)                       │
│  • Device-bound cryptographic keys               │
│  • Phishing-resistant by design                  │
└──────────────────────────────────────────────────┘
                         ▼
┌──────────────────────────────────────────────────┐
│ LAYER 2: Client-Side Encryption                  │
│  • AES-256-GCM (NIST approved)                   │
│  • PBKDF2 key derivation (600k iterations)       │
│  • Web Crypto API (hardware-accelerated)         │
└──────────────────────────────────────────────────┘
                         ▼
┌──────────────────────────────────────────────────┐
│ LAYER 3: Offline Storage                         │
│  • IndexedDB (sandboxed browser storage)         │
│  • No network transmission of sensitive data     │
│  • Optional encrypted backups (user-controlled)  │
└──────────────────────────────────────────────────┘
```
- Server breach: nothing to breach; EchoForge keeps no server-side copy of your data
- Man-in-the-middle: holdings are encrypted on the device and never transmitted; the only outbound traffic is price lookups to public APIs, which expose at most the symbols you query
- Phishing: FIDO2 credentials are bound to the registering origin, so a look-alike site cannot obtain a valid assertion
- Brute force: 600,000 PBKDF2 iterations plus rate limiting (the rate limit slows online guessing; an attacker who copies the encrypted store is bounded only by the iteration count)
- Supply chain attack: open source plus automated security scanning (CodeQL) in CI
- Insider threat: maintainers never receive user data, so there is nothing to access
Deep Dive: Security Architecture Documentation
- Node.js 18+ (for local development)
- Modern browser with WebAuthn support (Chrome 67+, Firefox 60+, Safari 14+)
- FIDO2 authenticator (fingerprint scanner, Face ID, or hardware key)
```bash
# Clone the repository
git clone https://github.com/ivan09069/EchoForge.git
cd EchoForge

# Install dependencies (if using Node-based setup)
npm install

# Run locally
npm run dev
```

- Register Biometric: Click "Login with Biometrics" to create a FIDO2 credential
- Add Assets: Navigate to Dashboard → Add Holding
- Configure Alerts: Set price thresholds for notifications
- Enable Offline Mode: The service worker caches everything locally
Complete Integration Guide - Step-by-step instructions for:
- Detailed installation and setup
- Integration with existing React projects
- Vanilla JavaScript integration
- Component usage and configuration
- Troubleshooting common issues
```js
// config.js (optional)
export default {
  priceUpdateInterval: 2500,    // milliseconds between price polls
  encryptionIterations: 600000, // PBKDF2 rounds
  allowedOrigins: ['https://yourdomain.com'],
  enableAudioAlerts: true
}
```

EchoForge includes an RM²E (Risk-Momentum-Magic-Effort) scoring algorithm for cryptocurrency momentum tracking. It surfaces fast-moving coins while discounting them for volatility and thin liquidity.
Use these calibrated thresholds to interpret RM²E scores:
- < 50: Stagnant (avoid)
- 50-100: Normal momentum (HOLD)
- 100-150: Heating up (BUY)
- 150-300: Explosive (STRONG BUY)
- > 300: Parabolic (take profits)
The enhanced algorithm produces differentiated scores based on market conditions:
- Bitcoin (low volatility, high cap): typically 80-120
- Ethereum (medium volatility): typically 100-150
- Solana (high volatility, lower cap): typically 150-300
RM²E = (momentum × magic) / (risk × effort) × 100

Where:
- Risk: volatility proxy, the root-sum-square of the 24h change and the per-day share of the 7d change
- Momentum: recent change, weighted 70% 24h and 30% 7d
- Magic: step multiplier (1x to 20x) based on the strength of the 24h uptrend
- Effort: liquidity penalty, inversely proportional to log10 of market cap
Component details:
- Risk: `Math.sqrt(Math.pow(change24h, 2) + Math.pow(change7d / 7, 2)) / 10`, floored at 0.1 to prevent division by zero
- Momentum: `change24h * 0.7 + change7d * 0.3`, weighting recent change higher; only positive momentum counts (negative values are clamped to 0)
- Magic multiplier: change24h > 10% → 20; change24h > 5% → 15; change24h > 0% → 10; otherwise 1
- Effort: `Math.max(1, 100 / Math.log10(usd_market_cap + 10))`; larger market cap means easier entry and a lower effort penalty
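The four components assembled into a score, with the band labels and a ranking helper, as an added example rather than EchoForge's own implementation. The input field names (`change24h`, `change7d`, `usdMarketCap`) are assumptions; map them from whatever feed you use. One practical point the formula does not cover: price APIs routinely return null change fields for thinly traded coins, and a NaN score silently sorts to the wrong place, so incomplete rows are dropped rather than scored. With the formula exactly as printed, the constructed sample values come out well above the calibration bands quoted earlier; treat the output as a relative ranking unless your inputs are scaled the way the bands assume.

```javascript
// Added example (not EchoForge's own implementation): the RM²E score assembled
// from the four components above, plus the band labels and a ranking helper.
// Field names (change24h, change7d, usdMarketCap) are assumptions.
function rm2eComponents({ change24h, change7d, usdMarketCap }) {
  // Risk: root-sum-square of the 24h change and the per-day share of the 7d change,
  // scaled by 1/10 and floored at 0.1 so a flat market cannot divide by zero.
  const risk = Math.max(0.1, Math.sqrt(change24h ** 2 + (change7d / 7) ** 2) / 10);
  // Momentum: 70/30 weighting of recent change; downward momentum counts as zero.
  const momentum = Math.max(0, change24h * 0.7 + change7d * 0.3);
  // Magic: step multiplier on the strength of the 24h uptrend.
  const magic = change24h > 10 ? 20 : change24h > 5 ? 15 : change24h > 0 ? 10 : 1;
  // Effort: liquidity penalty; larger market cap means cheaper entry, smaller penalty.
  const effort = Math.max(1, 100 / Math.log10(usdMarketCap + 10));
  return { risk, momentum, magic, effort };
}

// Returns null for incomplete data rather than letting NaN propagate into a ranking.
function rm2eScore(coin) {
  const { change24h, change7d, usdMarketCap } = coin;
  if (![change24h, change7d, usdMarketCap].every(Number.isFinite) || usdMarketCap < 0) return null;
  const { risk, momentum, magic, effort } = rm2eComponents(coin);
  return ((momentum * magic) / (risk * effort)) * 100;
}

function rm2eLabel(score) {
  if (score > 300) return 'Parabolic (take profits)';
  if (score >= 150) return 'Explosive (STRONG BUY)';
  if (score >= 100) return 'Heating up (BUY)';
  if (score >= 50) return 'Normal momentum (HOLD)';
  return 'Stagnant (avoid)';
}

// Score a list and sort descending, dropping coins that could not be scored.
function rankCoins(coins) {
  return coins
    .map((c) => ({ ...c, score: rm2eScore(c) }))
    .filter((c) => c.score !== null)
    .sort((a, b) => b.score - a.score)
    .map((c) => ({ ...c, label: rm2eLabel(c.score) }));
}

// Constructed sample inputs, not live market data.
const SAMPLE_COINS = [
  { id: 'bitcoin',  change24h: 1.2,  change7d: 3.5,   usdMarketCap: 1.2e12 },
  { id: 'ethereum', change24h: 4.0,  change7d: 9.0,   usdMarketCap: 3.9e11 },
  { id: 'solana',   change24h: 12.0, change7d: 25.0,  usdMarketCap: 7.0e10 },
  { id: 'dumping',  change24h: -8.0, change7d: -20.0, usdMarketCap: 5.0e9 },
  { id: 'stale',    change24h: null, change7d: 2.0,   usdMarketCap: 5.0e8 },
];

console.table(rankCoins(SAMPLE_COINS).map(({ id, score, label }) => ({ id, score: score.toFixed(1), label })));
```

For the sample, bitcoin's components are risk 0.13, momentum 1.89, magic 10; the falling coin scores exactly 0 because its momentum is clamped, and the row with a null 24h change is excluded from the ranking entirely.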
The system implements exponential backoff to respect CoinGecko API limits:
- CoinGecko free tier: 50 calls/min
- Current polling: 24 calls/min (2.5s intervals)
- Safe margin: Automatic backoff on 429 errors
- Max retry delay: 60 seconds
Rate limit protection doubles the delay on each 429 error (up to 60s max), then resets to 2.5s on successful fetch.
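The backoff schedule just described, as an added example that is not EchoForge's own polling code: double the interval on each HTTP 429, cap it at 60 seconds, reset to 2.5 seconds on the first success, and honour a `Retry-After` header (seconds) when the server sends one instead of doubling blindly. `fetchImpl` and `sleepImpl` are injected so the schedule can be exercised offline; the CoinGecko URL is illustrative.

```javascript
// Added example (not EchoForge's own polling code): a price poller that backs
// off on HTTP 429 as described above and honours Retry-After when present.
// fetchImpl/sleepImpl are injected so the schedule can be driven offline.
const BASE_DELAY_MS = 2_500;
const MAX_DELAY_MS = 60_000;

function createPricePoller({ url, fetchImpl, sleepImpl, baseDelay = BASE_DELAY_MS, maxDelay = MAX_DELAY_MS }) {
  let delay = baseDelay;
  return {
    currentDelay: () => delay,

    // One attempt: returns parsed JSON on success, null on 429 (after stretching
    // the interval). Other HTTP errors are surfaced rather than retried blindly.
    async pollOnce() {
      const res = await fetchImpl(url);
      if (res.status === 429) {
        const retryAfter = Number(res.headers?.get?.('retry-after')); // NaN/0 when absent
        delay = Math.min(maxDelay, retryAfter > 0 ? retryAfter * 1000 : delay * 2);
        return null;
      }
      if (!res.ok) throw new Error(`price feed returned HTTP ${res.status}`);
      delay = baseDelay; // success resets the interval
      return res.json();
    },

    // Run `rounds` attempts, sleeping the current delay between them; returns
    // the delay chosen after each attempt so the schedule can be inspected.
    async run(rounds) {
      const schedule = [];
      for (let i = 0; i < rounds; i++) {
        await this.pollOnce();
        schedule.push(delay);
        await sleepImpl(delay);
      }
      return schedule;
    },
  };
}

// Constructed responses standing in for the network. A status list is replayed
// in order; the last entry repeats once the list is exhausted.
function fakeFetch(statuses, retryAfterSeconds = null) {
  let i = 0;
  return async () => {
    const status = statuses[Math.min(i++, statuses.length - 1)];
    return {
      status,
      ok: status >= 200 && status < 300,
      headers: { get: (name) => (name === 'retry-after' && status === 429 ? retryAfterSeconds : null) },
      json: async () => ({ bitcoin: { usd: 60000 } }),
    };
  };
}

async function simulate(statuses, retryAfterSeconds = null) {
  const poller = createPricePoller({
    url: 'https://api.coingecko.com/api/v3/simple/price?ids=bitcoin&vs_currencies=usd',
    fetchImpl: fakeFetch(statuses, retryAfterSeconds),
    sleepImpl: async () => {}, // no real waiting in the simulation
  });
  return poller.run(statuses.length);
}

simulate([429, 429, 200, 429, 200]).then((s) => console.log('delays (ms):', s));
```

In the browser pass `fetchImpl: fetch` and `sleepImpl: (ms) => new Promise((r) => setTimeout(r, ms))`. If many users poll the same public endpoint, adding a little random jitter to the doubled delay keeps their retries from lining up.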
```jsx
import CryptoSparks from '../components/CryptoSparks';

export default function Dashboard() {
  return (
    <div>
      <h1>Portfolio Dashboard</h1>
      <CryptoSparks
        symbols={['bitcoin', 'ethereum', 'solana']}
        pollingInterval={2500}
      />
    </div>
  );
}
```

- React 18: Component-based UI with hooks
- Next.js: Static site generation for performance
- TailwindCSS: Utility-first styling (cosmic theme)
- Web Crypto API: Hardware-accelerated encryption (AES-256-GCM)
- WebAuthn: FIDO2 biometric authentication
- IndexedDB: Client-side encrypted data storage
- Service Workers: Offline-first progressive web app
- CoinGecko API: Crypto price feeds (no auth required)
- Yahoo Finance API: Stock/ETF data
- Custom WebSocket: Real-time price streaming (optional)
- GitHub Actions: Automated security scanning (1000+ repos managed by maintainer)
- Jest + React Testing Library: Accessibility-focused testing
- ESLint + Prettier: Code quality enforcement
- CodeQL: Automated vulnerability detection
- Discussions: Ask questions, share ideas
- Issues: Report bugs, request features
- Pull Requests: See CONTRIBUTING.md for guidelines
- Star the Project: Help us reach more privacy advocates
- Twitter/X: @EchoForgeHQ (planned)
- Reddit: r/EchoForge (coming soon)
- Discord: Community server launching Q1 2025
- Newsletter: Privacy-focused fintech updates (subscribe via GitHub)
Ivan - Security engineer managing 1000+ repositories with automated scanning infrastructure
- Email: github0906@gmail.com
- PGP Key: See SECURITY.md
- Expertise: Zero-knowledge systems, biometric auth, automated security
- Security Architecture - Deep dive into encryption
- Competitor Comparison - Feature matrix
- Privacy Policy - What we collect (spoiler: nothing)
- Launch Templates - Social media kit
- Mockup Guide - Screenshot specifications
- Resilience Architecture - System design
- Visibility & Growth Plan - Roadmap
- API Documentation - Component reference
- Core portfolio tracking (crypto + stocks)
- FIDO2 authentication flow
- Real-time price feeds
- Client-side encryption (AES-256-GCM)
- Accessibility compliance (WCAG 2.1 AA)
- Browser extension (Chrome, Firefox)
- Mobile PWA (iOS, Android)
- Multi-device sync (end-to-end encrypted)
- Advanced portfolio analytics
- CSV import/export
- DeFi protocol integration (Uniswap, Aave)
- Tax loss harvesting automation
- Portfolio rebalancing AI
- Third-party audit (Trail of Bits / Cure53)
- Bug bounty program ($10k+ rewards)
- Hardware wallet integration (Ledger, Trezor)
- Decentralized sync (IPFS / Ceramic)
- Zero-knowledge proofs for sharing (zk-SNARKs)
- AI financial advisor (local LLM)
Every line of code is auditable. No hidden backdoors. MIT license allows commercial use.
Ivan manages 1000+ repositories with automated security scanning. See track record at github.com/ivan09069.
EchoForge never transmits your data to us, so there is no copy we could access: no accounts, no server-side storage.
Aligned with GDPR, CCPA, HIPAA, and PCI DSS standards. See Security Architecture.
No VC funding. No acquisition pressure. Pure open-source sustainability model.
Found a vulnerability? We take security seriously.
- Contact: github0906@gmail.com
- PGP Key: Available in SECURITY.md
- Bug Bounty: Up to $5,000 for critical vulnerabilities (launching Q1 2025)
- Response Time: 24 hours for critical, 72 hours for others
Responsible Disclosure Policy: SECURITY.md
MIT License - see LICENSE for details.
TL;DR: Free to use, modify, and distribute. No warranty. Use at your own risk.
- WebAuthn Community: For making FIDO2 accessible to developers
- CoinGecko: For free, reliable crypto price API
- React Team: For the best UI framework in existence
- Privacy Advocates: For keeping surveillance capitalism in check
- You: For caring about your financial privacy
Built with love by privacy advocates, for privacy advocates
Star on GitHub • Read Docs • Follow Updates
"Set it and forget it - your wealth, your rules, your data."