I'm creating my first Ethereum contract with truffle. I want the web application to be usable without MetaMask so I was wondering if it is a good idea to run my own private node and to
connect from the frontend like this:
this.web3 = new Web3(new Web3.providers.HttpProvider('http://my-public-ip:8545'));
Are there any security risks with this approach?
Here is how I did it, but it allows bots to steal the ether from these accounts:
I set up a publicly accessible node like this:
geth --mine --nodiscover --maxpeers 0 --networkid 1 --rpc --rpccorsdomain "*" --rpcaddr "my-public-ip" --rpcapi="db,eth,net,web3,personal,web3"
I created a new Ethereum account that is going to be my "contract owner" account
I transferred a small amount of ether into the "contract owner" account so I would have enough gas to deploy my new contract
I set up truffle to connect to my Ethereum node
I used truffle console to unlock my account
I got the error "Error: exceeds block gas limit"
At this point I was confused, because I saw on etherscan that I have about 10 USD worth of ether in my account. That should be enough to deploy my contract.
I checked etherscan again, and I saw "outgoing" transactions draining all my money from the Ethereum address. This is how the money was stolen:
A bot found out about my public Ethereum node
It connected to it and requested the account list + account balances
It started sending sendTransaction requests non-stop
When I unlocked my account on the public node to deploy my contract, the bot that was using the same node also got access to my account and transferred the funds out of my account
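As an added example (not part of the original post), here is a small audit of a geth command line like the one above. It tokenizes the command, reads the HTTP-RPC flags (both the legacy --rpc* names used in the post and the current --http* names), and reports the combinations that made the account theft possible: RPC bound to a non-loopback address, the personal namespace enabled over HTTP, and a wildcard CORS domain. The "my-public-ip" placeholder and the hardened command are constructed for the example.

```javascript
// Added example: audit geth HTTP-RPC flags before exposing a node.
// Namespaces that let a caller act on the node or its unlocked accounts.
const RISKY_APIS = new Set(['personal', 'admin', 'miner', 'debug', 'txpool']);
const LOOPBACK = new Set(['127.0.0.1', 'localhost', '::1']);

// Command from the post (constructed placeholder for the IP) and a hardened variant.
const POST_CMD = 'geth --mine --nodiscover --maxpeers 0 --networkid 1 --rpc --rpccorsdomain "*" ' +
  '--rpcaddr "my-public-ip" --rpcapi="db,eth,net,web3,personal,web3"';
const HARDENED_CMD = 'geth --http --http.addr 127.0.0.1 --http.api eth,net,web3';

// Split a shell-like command line into tokens, keeping quoted strings whole, then drop quotes.
function tokenize(cmd) {
  return (cmd.match(/"[^"]*"|\S+/g) || []).map(t => t.replace(/"/g, ''));
}

// Parse "--flag=value" and "--flag value"; flags without a value become true.
function parseFlags(tokens) {
  const flags = {};
  for (let i = 1; i < tokens.length; i++) {
    const t = tokens[i];
    if (!t.startsWith('--')) continue;
    const eq = t.indexOf('=');
    if (eq !== -1) { flags[t.slice(2, eq)] = t.slice(eq + 1); continue; }
    const next = tokens[i + 1];
    if (next !== undefined && !next.startsWith('--')) { flags[t.slice(2)] = next; i++; }
    else flags[t.slice(2)] = true;
  }
  return flags;
}

// Return a list of human-readable findings; an empty list means nothing risky was seen.
function auditGethCommand(cmd) {
  const f = parseFlags(tokenize(cmd));
  const findings = [];
  const httpOn = f.rpc === true || f.http === true;
  if (!httpOn) return findings; // no HTTP-RPC server at all

  // geth defaults: loopback address, and only eth/net/web3 exposed.
  const addr = f['rpcaddr'] || f['http.addr'] || '127.0.0.1';
  const apis = String(f['rpcapi'] || f['http.api'] || 'eth,net,web3').split(',').map(s => s.trim());
  const cors = f['rpccorsdomain'] || f['http.corsdomain'] || '';
  const exposed = !LOOPBACK.has(addr);

  if (exposed) findings.push(`HTTP-RPC bound to non-loopback address ${addr}`);
  for (const api of apis) {
    if (RISKY_APIS.has(api)) findings.push(`${api} namespace enabled over HTTP${exposed ? ' on a public interface' : ''}`);
  }
  if (cors === '*') findings.push('CORS wildcard: any web page opened by a user on the same host can call the RPC');
  if (exposed && apis.includes('personal')) {
    findings.push('personal_unlockAccount on this node makes the unlocked account usable by anyone who can reach the RPC');
  }
  return findings;
}

module.exports = { auditGethCommand, POST_CMD, HARDENED_CMD };
```

The hardened command keeps the node on loopback and drops the personal namespace; the frontend then signs transactions client-side (with a wallet or a locally held key) and only submits raw transactions, so nothing reachable over the network ever holds an unlocked account.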
I am new to smart contract development. I would like to create a mobile app that can connect to solidity, but I am not sure how.
There is a lot of documentation on how to connect to web applications but not on the mobile app. So I am guessing there must be some server-side application in the middle? Because it needs to connect to Metamask and the browser.
How do I properly connect smart contracts, a client-mobile app, and a server-side app that is able to connect to Metamask?
Most of the time you want to interact with the smart contract directly from the mobile device after the user has connected the app with MetaMask (or another wallet application), especially to create a new transaction on the blockchain. Usually there is only a server-side middleware for processing a lot of blockchain data for performance gain.
So from the device app you would: get blockchain data, create new transactions, and call a smart contract that changes the state of the smart contract.
From the backend you would generally only get data that requires intensive processing and/or needs to be cached in a db for performance gain.
So depending on which platform you are developing your mobile app on, you would look for a web3 library to connect to the wallet and interact with the deployed smart contract. Easiest would be if you use a JS-based platform (like React Native), because web3.js is one of the most mature of all the web3 libraries.
I am working on the back-end for a multi-coin wallet and I have provided support for NEAR protocol using near-api-js but I'm stuck on setting a helper url for the mainnet network. I initially used https://helper.nearprotocol.com but it seems it's a helper url for generating accounts on testnet. I switched to https://helper.mainnet.near.org but accounts cannot be generated using this helper. Is there any other way accounts can be generated on the mainnet network using the near-api-js sdk?
You have to fund accounts on mainnet to be able to create them. On testnet the helper is basically running a faucet to fund accounts; it's not available on mainnet.
What you can do to create .near accounts is to call create_account method, see example here https://github.com/near/near-wallet/blob/1fc30e26019613db0091683886615e5d4e903873/src/utils/wallet.js#L359
I've developed a case study based on Hyperledger Fabric using the fabric-chaincode-evm in order to develop Solidity smart contracts.
Using chaincode-evm there's the Fab3 proxy in the middle between the application and the Fabric network that maps the Fabric user to an Ethereum address generated on the fly.
Is there a way to run a transaction of an ERC20 token over a public blockchain (Ethereum) starting from my private Fabric chaincode (smart contract)?
Is there some way to change the eth address generated by the Fab3 proxy to my own eth address, or to link MetaMask, for example?
I have created participants using the node CLI and Business Network Connection. I have also assigned them with an identity.
Now, is it possible to use this identity to launch the composer-rest-server as this participant? E.g. could this be turned into a card that I can import and use? I have the userSecret saved.
See the answer here -> How to create participants and their identities via the REST API generated by composer-rest-server without importing cards via /importwallets? for more detail.
But yes - you can use that BUSINESS NETWORK card (eg. like: restadmin#my-network) as the 'identity' (because the identity's cert/key are part of the BN card that connects the business network, when you use it to launch your REST server instance). So that would be an administrative id that's used to launch a REST server.
Then (thereafter), any standard blockchain identities could come along and USE the REST API client (eg. after authenticating, etc etc) - that's why you've stood up the REST server instance :0-) - each REST client user will connect to the REST server with their own BN card (again containing its own identity cert/key, which is mapped to a participant in the Composer business network), and that user's card would be imported into the user's REST API wallet to then interact with the deployed business network as that identity.
Say I want to create a Bitcoin exchange or an e-wallet service and make it as secure as possible. Assuming the nature of the service results in more Bitcoin deposits coming in than Bitcoin leaving the system, yet there is a need to allow instant withdrawals of Bitcoin out of the service, I thought of the following scheme or scenario.
Create on a separate computer a list of 1000 Bitcoin addresses using Multibit. Transfer those 1000 public keys to DB on web server using a USB, to a table holding a pool of free/non-used addresses. When a member creates an account I assign a free Bitcoin deposit address to make member account funding possible. Since the private key for these 1000 deposit addresses is not on the web server or DB (generated on another computer and only public keys were imported using USB) I am pretty much secure that all funds coming into the system as deposits are safe.
When a member wishes to trade with another member, I simply maintain my own balance accounting system, by creating tables and logging transfers from one member account to another.
When a member wishes to withdraw his Bitcoins, I will use a hot wallet which would only accept requests from the web server IP address, check my internal accounting system to make sure the member has enough balance left, and make payments from the hot wallet to whatever external Bitcoin address the withdrawal has been requested for. By making sure I keep no more than, say, 5% of the overall balance on the hot wallet, any security breach will not result in a 100% loss of site funds.
How secure is this scheme? Would you suggest I do things otherwise?
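As an added example (not part of the original question), the scheme above modelled as an in-memory ledger: a pool of deposit addresses whose private keys never touch the server, an internal balance table for member-to-member transfers, and a withdrawal path that debits the ledger before any payment and refuses to let the hot wallet float exceed the 5% cap. Addresses, balances and member names are constructed placeholders; amounts are integer satoshis to avoid floating-point drift.

```javascript
// Added example: internal accounting with a cold deposit pool and a capped hot wallet.
const HOT_WALLET_CAP_PERCENT = 5; // keep at most 5% of customer funds on the online wallet

class Exchange {
  constructor(depositPool) {
    this.freeAddresses = [...depositPool]; // public addresses only; private keys stay offline
    this.assigned = new Map();             // member -> deposit address (never reused)
    this.balances = new Map();             // member -> satoshi balance in the internal ledger
    this.hotWallet = 0;                    // satoshis on the online signing wallet
    this.coldWallet = 0;                   // satoshis sitting on offline-keyed addresses
    this.pendingWithdrawals = [];          // withdrawals waiting for an offline top-up
  }

  openAccount(member) {
    if (this.assigned.has(member)) throw new Error('member already registered');
    const addr = this.freeAddresses.shift();
    if (!addr) throw new Error('deposit pool exhausted: generate more addresses offline');
    this.assigned.set(member, addr);
    this.balances.set(member, 0);
    return addr;
  }

  // Called once a deposit to a pooled address is confirmed on-chain.
  creditDeposit(addr, sats) {
    const entry = [...this.assigned].find(([, a]) => a === addr);
    if (!entry) throw new Error('unknown deposit address');
    this.balances.set(entry[0], this.balances.get(entry[0]) + sats);
    this.coldWallet += sats; // deposit addresses are cold until swept
  }

  totalCustomerFunds() {
    return [...this.balances.values()].reduce((a, b) => a + b, 0);
  }

  // Move funds cold -> hot, but never above the cap (in practice an offline-signed sweep).
  refillHot(sats) {
    const cap = Math.floor(this.totalCustomerFunds() * HOT_WALLET_CAP_PERCENT / 100);
    const moved = Math.min(sats, Math.max(cap - this.hotWallet, 0), this.coldWallet);
    this.coldWallet -= moved;
    this.hotWallet += moved;
    return moved;
  }

  // Member-to-member trade: pure ledger update, no on-chain transaction.
  transfer(from, to, sats) {
    if (!this.balances.has(to)) throw new Error('unknown recipient');
    if (sats <= 0 || (this.balances.get(from) || 0) < sats) return false;
    this.balances.set(from, this.balances.get(from) - sats);
    this.balances.set(to, this.balances.get(to) + sats);
    return true;
  }

  withdraw(member, sats) {
    const bal = this.balances.get(member) || 0;
    if (sats <= 0 || sats > bal) return { status: 'rejected', reason: 'insufficient balance' };
    this.balances.set(member, bal - sats); // debit first, so a crash mid-payment cannot double-pay
    if (sats > this.hotWallet) {
      this.pendingWithdrawals.push({ member, sats });
      return { status: 'queued', reason: 'exceeds hot wallet float; needs offline top-up' };
    }
    this.hotWallet -= sats; // here the hot wallet would sign and broadcast the payment
    return { status: 'paid' };
  }
}

module.exports = { Exchange, HOT_WALLET_CAP_PERCENT };
```

The point the model makes explicit is that the hot wallet only ever holds the float, so a compromise of the web server bounds the loss to that float, and every withdrawal is checked against the internal ledger, not against what the hot wallet happens to contain.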
Yes, you can use such a scheme, but make sure you're keeping those private keys for the 1000 wallets in a secure place. I would recommend encrypting all of those initial 1000 private keys with some master password which you'll never forget. Also think about storing those keys on offline storage/computer - you can use that offline storage to sign transactions in the emergency cases when you'll need to access those wallets.