Currently Ethereum has two address formats:
user accounts (EOA) and contract accounts.
If you want to validate that a contract is not calling your contract, refer to this:
https://ethereum.stackexchange.com/questions/50238/tx-origin-to-block-contracts-from-call-my-game
Note: extcodesize is vulnerable and was exploited in the case of FOMO3D.
Also note: there is no way to know if a unique person is calling a contract or an automated bot.
I can create a Python script to make multiple accounts and call your contract, and your contract will still think of all my accounts as unique people.
If you want unique human calls then you should use a web of trust
Aug 31, 2019, 5:29 PM
or allow only verified humans from HumanityDao to call your contract methods
Aug 31, 2019, 5:29 PM
Nice, I will try this in the near future. I will use a method to whitelist voters at the moment, but your info looks pretty interesting.
But I think I did not explain my problem very well because of my bad English.
Imagine I have the method vote(uint candidate, address from) where the from parameter is the public address of the person who votes. I need a mechanism to ensure that the from is a legit public address. By legit I mean the person who votes has the corresponding private key. The problem here is that a "proxy" does the request to the smart contract. Actually I send the private key to the proxy and build a signed transaction.
Aug 31, 2019, 6:32 PM
The proxy is your back-end server, right?
Aug 31, 2019, 6:34 PM
Yes, I have built a RESTful API
and use Python as the backend.
Actually it is working, but as I told you, I need to provide the private key on every call where I need to do a transaction.
Aug 31, 2019, 6:35 PM
I'm not understanding what you are saying.
Do you mean that you ask for private key for every transaction from user again and again?
Aug 31, 2019, 6:37 PM
Yes, it is a REST API
{
  "account": "string",
  "candidates": [
    {
      "description": "string",
      "name": "string"
    }
  ],
  "description": "string",
  "name": "string",
  "pkey": "string"
}
This would be the body of the request
Wait, wrong endpoint
To vote is this
{
  "account": "string",
  "pkey": "string"
}
Aug 31, 2019, 6:39 PM
Well, have you thought about using signed messages instead of asking for the user's private key and passing it in requests?
Aug 31, 2019, 6:40 PM
Are they plaintext messages?
Aug 31, 2019, 6:40 PM
Asking for the user's private key is not good design
Aug 31, 2019, 6:40 PM
Can I send using JSON?
Signed messages will be the best
And at that way I will ensure the user is legit
Aug 31, 2019, 6:41 PM
Yep, plus no need for the user's private key to be shared
Aug 31, 2019, 6:41 PM
But if you want to sign something there is no option but the private key, right?
Sep 1, 2019, 9:41 PM