0

I'm a product manager not a Blockchain coder, looking for a 2nd opinion and some general good practice advice. I have one question in bold, the rest is background.

Background:

  • We have an app in development that will write user's information into a Smart Contract on the ETH blockchain.
  • The SC's we deploy contain information only, no Ether.
  • Each user has their own SC which stores only that users specific information.
  • Our App allows the user to edit and update this information and then upload the changes, encrypted, into their own SC.
  • The user's SC address is 'tied' (sorry for lack of correct terminology) to their own Ether wallet.
  • I see on Etherscan (Ropsten) there is a Contract Creator address which is a constant for all the SC's our App creates.
  • I'm assuming that the contract creator address is unique to us, it is code we've created and as such it deploys only our Smart Contracts on behalf of our Application.
  • I was hoping that each SC address would be known only to its owner and us only. Now I see that anyone can access this information.

My Concerns:

  • Should there be an exploitable flaw in our code then a bad actor has a list of contract addresses to attack.

  • The worst-case risk to us is that a bad-actor could access each users data in an unencrypted state if a flaw exists in our publicly accessible code.

  • The Bad-Actor then uses that flaw and the list of smart contract addresses they can get from Etherscan to download multiple users data.

My Question

Are these realistic concerns?

  • If so what general directions can we look at to mitigate these risks
  • If so is there a way I can obscure the Creator address in Etherscan without other negative consequences

The developers are outsourced 3rd parties and excellent people to work with. But Im looking for an alternate opinion than just theirs at this time as a double check.

Apologies if the information Ive provided is confusing or incomplete.

Thanks in advance for your time.

Adam Daniel
  • 13
  • 4

1 Answers1

0

I was hoping that each SC address would be known only to its owner and us only. Now I see that anyone can access this information.

As you have addressed here, data regarding the blockchain (i.e. transaction hashes, contract addresses, and user addresses) is transparently available. This is by-design with Ethereum and allows for the traceability aspect of the ledger.

Furthermore, smart contract data is potentially available to any actor in the Ethereum network. However, that is based upon the following:

  1. In order to access the smart contract data, an actor would require the contract ABI. This interface allows code to be written to interact with the smart contract methods. Now, it is helpful to understand that this ABI could hypothetically be easily reverse-generated with enough details of how your DApp interacts with the existing smart contract.
  2. If your smart contract logic has exploitable flaws, a malicious actor on the network could take advantage of this. This is why contracts should be well-written and unit tested with near (if not) 100% code coverage. You should also identify the potential actors in each contract scenario and be sure your test cases appropriately cover these scenarios.

If so what general directions can we look at to mitigate these risks

Given the contract scenario you have described, if the only actor who should have access to these user data smart contracts is the user them self, then you simply need to apply something akin to a function modifier to your smart contract logic. In the linked example, access to the smart contract data is restricted to a single specific Ethereum user address.

If so is there a way I can obscure the Creator address in Etherscan without other negative consequences

Sure. It sounds like you're currently using a single account to deploy the smart contracts, hence the creator address is constant. (Side note: I'm not sure why you're deploying the contract on behalf of the user with this account, it sounds like the user should be deploying their own smart contract). Regardless, you could simply create a new proxy user address each time you deploy the smart contract. However, I don't see any benefit to doing so and this would just be an example of security through obscurity.

Ben
  • 2,441
  • 1
  • 12
  • 16
  • Ben, many thanks for taking the time to provide this insight. It is greatly appreciated. Your input has given me a lot to consider. To answer one of your questions, our application deploys the SC on behalf of the User. Is it possible for our App to still do this on behalf of the User but make the Users account the creator address? If so this is what I shall ask the developers to put in place. Thanks so much for your help. – Adam Daniel Jan 07 '19 at 15:19
  • @AdamDaniel, This depends upon how you have your application wired up. If the user is authenticating with the application via their Ethereum account, the application could essentially deploy the contract for the user and thus the "creator address" would be the user's address. The alternative to this would be to have a service utilize an Ethereum account "you" (as the application developer) own that handles all the deployment of contracts. However, in your situation the first scenario seems to be the most applicable and beneficial. – Ben Jan 07 '19 at 16:55
  • 1
    once again many thanks. I have a feeling to get where I wish to be is going to need some code changes, not the first time Ive said that :) Many thanks. – Adam Daniel Jan 08 '19 at 11:40