[@kadena/client] check the transaction body after sign with sign protocol #801

Open
2 of 3 tasks
javadkh2 opened this issue Aug 21, 2023 · 1 comment

Comments

@javadkh2
Collaborator

javadkh2 commented Aug 21, 2023

Please confirm the following:

Is your feature request related to a problem?

The sign protocol allows a wallet to create a transaction object from the requested data. As far as I know, this protocol exists because we want wallets to have control over certain properties, such as gas price and gas limit. However, in terms of security, it's crucial to restrict the wallet from making changes to other aspects.

Check the sign API: https://kadena-io.github.io/signing-api/#/definitions/SigningRequest

I believe we should inspect the created transaction to ensure that nothing important has been altered. For example, a wallet should not be able to modify the code section or capabilities.

Describe the solution you'd like

We can have a helper like `confirmTransaction` that accepts both the request and the created transaction, and write it after the sign function, like:

```js
const signedTx = sign(inputTx)
confirmTransaction(inputTx, signedTx) // throws exception if signedTx changed something important in the inputTx
```

Describe alternatives you've considered

Removing the sign protocol completely in favor of the quicksign API.
I believe that, in the long term, it would be a better decision. If we require certain information from the wallet, such as gas price or limit, the wallet could expose relevant APIs. However, this approach requires further discussions with other parties.

Do you have any additional context?

No response

Participation

  • I am willing to submit a pull request for this feature request.
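
One way the proposed `confirmTransaction` check could look, as an added example that is not part of the issue or of @kadena/client. The field names (`code`, `data`, `caps`, `cmd`, `payload.exec`, `signers[].clist`) are assumptions modelled on the Signing API linked above, and `sampleRequest` and `walletBuild` are constructed stand-ins for a request and a wallet.

```javascript
// Added example, not @kadena/client code. Field names are assumptions.

// Canonical JSON: object keys sorted, so key order cannot hide or fake a difference.
const canon = (v) =>
  JSON.stringify(v, (_k, x) =>
    x && typeof x === 'object' && !Array.isArray(x)
      ? Object.fromEntries(Object.keys(x).sort().map((k) => [k, x[k]]))
      : x);

// Throws if the wallet-built transaction differs from the request in code,
// data or capabilities. Gas price and gas limit are deliberately not compared.
function confirmTransaction(request, signed) {
  const tx = JSON.parse(signed.cmd); // inspect the exact string that was signed
  const exec = (tx.payload || {}).exec;
  const problems = [];
  if (!exec) {
    problems.push('payload is not an exec payload');
  } else {
    if (exec.code !== request.code) problems.push('code changed');
    if (canon(exec.data ?? {}) !== canon(request.data ?? {})) problems.push('data changed');
  }
  const wanted = new Set((request.caps ?? []).map((c) => canon(c.cap)));
  const got = new Set((tx.signers ?? []).flatMap((s) => (s.clist ?? []).map((c) => canon(c))));
  for (const c of got) if (!wanted.has(c)) problems.push(`capability added: ${c}`);
  for (const c of wanted) if (!got.has(c)) problems.push(`capability removed: ${c}`);
  if (problems.length) throw new Error(`wallet altered the transaction: ${problems.join('; ')}`);
  return tx;
}

// Constructed sample request and a stand-in "wallet" (hypothetical) for trying it out.
const sampleRequest = {
  code: '(coin.transfer "alice" "bob" 1.0)',
  data: {},
  caps: [{ role: 'Transfer', description: 'Send 1 KDA', cap: { name: 'coin.TRANSFER', args: ['alice', 'bob', 1.0] } }],
};
function walletBuild(req, { code = req.code, extraCaps = [], gasPrice = 1e-8 } = {}) {
  const clist = [...req.caps.map((c) => c.cap), ...extraCaps];
  const cmd = {
    payload: { exec: { code, data: req.data } },
    signers: [{ pubKey: 'constructed-public-key', clist }],
    meta: { gasLimit: 2500, gasPrice },
  };
  return { cmd: JSON.stringify(cmd), sigs: [{ sig: 'constructed-signature' }] };
}
```

The check reads the serialized `cmd` string rather than any convenience fields beside it, because that string is what the signature covers.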
@javadkh2 javadkh2 added the enhancement (New feature or request) label Aug 21, 2023
@javadkh2 javadkh2 changed the title from "check the transaction body after sign with sign" to "check the transaction body after sign with sign protocol" Aug 21, 2023
@alber70g alber70g changed the title from "check the transaction body after sign with sign protocol" to "[@kadena/client] check the transaction body after sign with sign protocol" Aug 21, 2023
@github-actions
Contributor

This issue is stale because it is open for 60 days with no activity
