securitygeneration / contracts

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Upvest's smart contracts

CircleCI

Forwarding contract

Background (the why)

While thinking about how to allow users to manage their ERC20 tokens in our platform without knowing anything about the Ethereum blockchain (including having to hold any ether), we stumbled upon the idea that what's really needed is for us to be the transaction originator (paying the gas) while having an intermediate contract talking to the ERC20 contracts (so that it will be the msg.sender in the call).

References

The code (the how)

Pseudo implementation

def forward(self, sig, target, value, input):
    assert(ecrecover(keccak256(self.address + target + value + self.nonce + input), sig) == self.owner)
    self.nonce += 1
    return call(target, value, input)

Notice the fact that the contracts address is included in the signature, in order to prevent the transaction from being replayed to a cloned contract. Consider the scenario with a voting contract: the user votes through his forwarding contract, then without this check a malicious user can deploy copies of the forwarding contract (with the same owner) and replay the voting call.

About

License:MIT License


Languages

Language:Python 87.0%Language:Makefile 7.5%Language:Dockerfile 3.0%Language:Shell 2.5%