NoBey/openzeppelin-contracts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added replay attack notice to SignatureBouncer. (#1434)

Browse Source
This commit is contained in:
Nicolás Venturo
2018-10-18 10:47:55 -03:00
committed by GitHub
parent 96d6103e0b
commit ff0c048ad9
1 changed files with 22 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
contracts/drafts/SignatureBouncer.sol
View File

@ -6,26 +6,33 @@ import "../cryptography/ECDSA.sol";
/** /**
* @title SignatureBouncer * @title SignatureBouncer
* @author PhABC, Shrugs and aflesher * @author PhABC, Shrugs and aflesher
* @dev SignatureBouncer allows users to submit a signature as a permission to do an action. * @dev SignatureBouncer allows users to submit a signature as a permission to
* If the signature is from one of the authorized signer addresses, the signature * do an action.
* is valid. * If the signature is from one of the authorized signer addresses, the
* signature is valid.
* Note that SignatureBouncer offers no protection against replay attacks, users
* must add this themselves!
*
* Signer addresses can be individual servers signing grants or different * Signer addresses can be individual servers signing grants or different
* users within a decentralized club that have permission to invite other members. * users within a decentralized club that have permission to invite other
* This technique is useful for whitelists and airdrops; instead of putting all * members. This technique is useful for whitelists and airdrops; instead of
* valid addresses on-chain, simply sign a grant of the form * putting all valid addresses on-chain, simply sign a grant of the form
* keccak256(abi.encodePacked(`:contractAddress` + `:granteeAddress`)) using a valid signer address. * keccak256(abi.encodePacked(`:contractAddress` + `:granteeAddress`)) using a
* valid signer address.
* Then restrict access to your crowdsale/whitelist/airdrop using the * Then restrict access to your crowdsale/whitelist/airdrop using the
* `onlyValidSignature` modifier (or implement your own using _isValidSignature). * `onlyValidSignature` modifier (or implement your own using _isValidSignature).
* In addition to `onlyValidSignature`, `onlyValidSignatureAndMethod` and * In addition to `onlyValidSignature`, `onlyValidSignatureAndMethod` and
* `onlyValidSignatureAndData` can be used to restrict access to only a given method * `onlyValidSignatureAndData` can be used to restrict access to only a given
* or a given method with given parameters respectively. * method or a given method with given parameters respectively.
* See the tests in SignatureBouncer.test.js for specific usage examples. * See the tests in SignatureBouncer.test.js for specific usage examples.
* @notice A method that uses the `onlyValidSignatureAndData` modifier must make the _signature *
* parameter the "last" parameter. You cannot sign a message that has its own * @notice A method that uses the `onlyValidSignatureAndData` modifier must make
* signature in it so the last 128 bytes of msg.data (which represents the * the _signature parameter the "last" parameter. You cannot sign a message that
* length of the _signature data and the _signaature data itself) is ignored when validating. * has its own signature in it so the last 128 bytes of msg.data (which
* Also non fixed sized parameters make constructing the data in the signature * represents the length of the _signature data and the _signaature data itself)
* much more complex. See https://ethereum.stackexchange.com/a/50616 for more details. * is ignored when validating. Also non fixed sized parameters make constructing
* the data in the signature much more complex.
* See https://ethereum.stackexchange.com/a/50616 for more details.
*/ */
contract SignatureBouncer is SignerRole { contract SignatureBouncer is SignerRole {
using ECDSA for bytes32; using ECDSA for bytes32;