On desktop the Paste button in the wallet-restore seed entry did nothing, and the mirror copy on the new-wallet creation screen was equally broken: a copied recovery phrase never made it to the clipboard. Root cause (inherited from GRIM, not a Goblin regression — the two clipboard impls are byte-identical): copy_string_to_buffer / get_string_from_buffer each created a fresh `arboard::Clipboard` and dropped it the instant the function returned. On Linux (X11 AND Wayland) the clipboard selection is owned by the live Clipboard instance, so dropping it immediately released ownership and the copied text vanished before it could be pasted. Reproduced with arboard 3.6.1 on a Wayland session: fresh-instance-per-call read back empty; one persistent instance across set+get read back correctly. Fix: keep ONE long-lived `arboard::Clipboard` on the Desktop platform (behind a Mutex, since the trait methods take &self and arboard's take &mut self), so our process stays the durable selection owner. Also stop unwrap()-panicking on a clipboard backend error — a failed copy/paste now logs instead of crashing. Every clipboard button in the app routes through this one platform pair (onboarding paste/copy, GRIM creation paste/copy, proof, slatepack message entry, tx/receipt copy, receive copy, npub/nsec/backup copy, the shared TextEdit paste), so this single change repairs the whole class at once. Verified end-to-end: an #[ignore]d clipboard_roundtrip test drives the real Desktop impl on the live session clipboard and asserts a 24-word phrase survives copy -> paste (run with --ignored). It passes on Wayland now and would fail under the old pattern.
Goblin
Goblin is a private, pay-by-username wallet for GRIN ツ - confidential digital cash on Mimblewimble, with no amounts or addresses on the chain.
Instead of passing slatepack files back and forth, you pay a username (or an npub) and the payment is delivered for you as an end-to-end encrypted message over nostr, routed through Tor. Relays only ever see ciphertext - never the amount, the sender, or the recipient. Tor hides your IP from the relay; the relay and encryption hide the rest - content, sender, timing.
Goblin is a fork of the Grim egui GRIN wallet: it keeps Grim's full GRIN node/wallet engine and layers a Nostr-native, mobile-first payments experience on top.
What it does
- Send to people - pay a
usernameornpub; the GRIN slatepack travels as a NIP-17 gift-wrapped DM (kind 1059) over Tor and is applied automatically by the recipient's wallet. No files to swap, no need to both be online at once. - Manual slatepacks too - when you need to pay or get paid without a handle, Settings → Wallet → Slatepacks exposes the classic by-hand flow: create a slatepack to send, or paste one to receive, finalize, or pay.
- In-app identity - a nostr payment key that is deliberately not part of your seed, so you can rotate it any time to stay unlinkable without touching your funds. An optional human-readable
namecomes from the goblin.st identity service. - Private by construction - GRIN's address-less, confidential chain; your payments and identity (nostr relays, NIP-05 lookups, price) are routed through Tor, so who-pays-whom never touches the clear net. The GRIN node connection - block sync and broadcasting your transaction - is direct: public chain data, the same for everyone, and not tied to your identity. Keys, names and history stay on your device.
- Configurable amount pairing - show balances against a world currency, Bitcoin, or sats (rates fetched over Tor), or turn the preview off.
- News on Home - the latest post from the official Goblin news key (a kind 30023 long-form article) appears on the Home screen; it stays hidden when there is nothing to show, and only ever shows the newest article.
- Cross-platform - Linux, macOS, Windows, Android, built in pure Rust on egui.
How a payment travels
you ──slatepack──▶ NIP-17 gift wrap (kind 1059, NIP-44 encrypted)
│
Tor
│
┌─────────────┴─────────────┐
your relays recipient's DM relays (kind 10050)
└─────────────┬─────────────┘
▼
recipient ◀──unwrap, verify seal author, apply slatepack
The wrap is NIP-44-encrypted, and delivery uses the recipient's DM relay list (kind 10050). Tor hides your IP from the relay; the relay and the encryption above hide the rest - content, sender, timing.
Both parties only need one relay in common. The default set is the Goblin relay plus large public relays (relay.damus.io, nos.lol), and the set is editable in Settings → Relays.
Build
Desktop (Linux / macOS / Windows)
Goblin links Tor in-process via arti - the wallet is a single self-contained binary, no sidecar, nothing separate to install:
git submodule update --init --recursive
cargo build --release
./target/release/goblin
Goblin's identity and payment traffic (nostr relays, NIP-05 lookups and price fetches) rides Tor: every relay, the money-path relay included, is reached over a Tor exit to its ordinary clearnet host. The GRIN node connection (block sync and transaction broadcast) is not routed through Tor: it connects directly, as it carries only public chain data that isn't linked to your wallet.
Android
Install the Android SDK / NDK, then from the repo root:
./scripts/android.sh build|release v7|v8|x86
v7/v8/x86 is the device CPU architecture for build; for release pass a version in major.minor.patch form.
Identity service (goblin-nip05d)
The optional name service lives in goblin-nip05d/ (axum + SQLite) and is deployed at goblin.st. It implements NIP-05 resolution, NIP-98-authenticated registration and release (names are never transferred - on a key rotation you release the old name and re-register, or import your existing identity). The wallet is fully usable - and fully anonymous - without it. Avatars aren't stored or served - clients render them from the pubkey (an npub gradient with the username's first letter, else the Grin mark).
License
Apache License v2.0.
Credits
🤖 Built with AI pair-programming assistance (Claude)
The underlying cross-platform GRIN wallet engine is the upstream Grim project.
