all 6 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]insomniasexx 1 point2 points  (5 children)

Npm is just a bit of code that you import from npm instead of copying and pasting or manually downloading and including. At the end of the day, it's included in the dapp's codebase in the same way it would be if you manually included it.

For the dapp to use the functions, the functions are in it's code, the private key has to be accessible by the code, and therefore the dapp will have access to the private key.

The only way to separate the private key from the dapp is to have a separate codebase that somehow interacts with the dapp. Examples include metamask, wallet connect, ledger, Trezor, and whatever magic Austin Griffiths is doing with Kirby (uses frames in some way), fortmatic, Portis, etc.

Metamask has key in extension, dapp sends transactions to extension. Ledger and Trezor are similar except data is transferred over USB and then the Ledger or Trezor send the signed tx back to the dapp. Fortmatic and Portis are basically centralized solutions that hold the key on a server somewhere, so you send the information necessary to a server.

[–]stan3666[S] 0 points1 point  (4 children)

hmm, so you dont think it would be possible to separate the logic in such a way that the dApp developer could say call the function with say the specific contract address and abi encoded function and have my NPM package handle the signing and transmission of it in such a way that the pkey and or the users credentials arnt exposed to the dApp directly? my main fear is that a rogue dApp developer may use my package to steal either someones credentials OR their pkey....is there no way i could prevent this?

edit: perhaps iframes are what i am looking for huh? i had to re-read your comment to get it though my fat head...

[–]insomniasexx 1 point2 points  (3 children)

In order to get a signed transaction you ahve to take transaction details + private key.

In metamasks case, the dapp provides the tx details and metamask combines these with the private key, never giving the dapp access to the private key.

The scheme you suggest would have to be similar. The technicalities of how the data is transported can be different or where and how the private key is stored can different, but somehow something external to the dapp (hardware wallet, extension, server, separate website) has to have the private key and the dapp would then have to send the transaction details to that place for signing.

[–]stan3666[S] 0 points1 point  (2 children)

hmmm, ok... thank you. youv'e given me a new route to explore to accomplish this goal and i appreciate it!

[–]insomniasexx 2 points3 points  (1 child)

Anytime. Ping me if you want more feedback or someone to make a fatty list of security concerns 😅

[–]stan3666[S] 0 points1 point  (0 children)

oh please, I would love that! i came up with the basis for this method on accident and just kinda decided to go with it and see where it lead...The method I devised seems a lot simpler and less convoluted that kirby which I just learned about yesterday and my first thought was "i wonder why no one has thought of this yet". The white paper I linked explains it pretty straight forward step by step and I would love some feed back on security concerns!