
I have a frontend in JavaScript and a backend in Java. I let the user sign a raw transaction with his private key in the frontend with web3js. Afterwards the signed transaction is returned to the Java backend and the backend broadcasts the transaction via a parity instance.

I am afraid of hackers who can manipulate the raw transaction within their browser in JavaScript before signing it. In this way they could change the amount that is being sent. Is there a way to extract the amount which will be sent from a signed transaction with web3j?

If yes, I could check that value again before broadcasting the signed transaction.

If it's important somehow, it is a token transaction, not an ETH transaction.

TylerH
Phil

1 Answer


Well this requires a bit of cryptography understanding.

In private / public key pair cryptography, "signing" is basically the only case where you encrypt with the private key and you decrypt with the pub key. If you manage to decrypt it, it means the signature is valid, because whoever that pub key belongs to is definitely who signed the content.

So, if you have the pub key you can decrypt a "signed" transaction.

Now, if you are worried about hackers and security, holding keys on the client side and in memory is not good practice. So if this is a serious project you might want to revisit your approach.

ehanoc
  • Thank you for the response. In my project I do not want to have control over the wallets of the user. The user should be the only one who controls it. That's why I generate a high quality salt and store it in my DB. The user generates a strong password in his browser. After that the user can obtain the salt from the API and combine it within his browser with his password, and this results in the private key. His password is never transferred over the network. If the database is hacked, the attacker does not get the private keys of the users. I think it's not bad practice doing it like this, don't you? – Phil Jul 04 '19 at 12:16
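The check the question asks for, as an added example that is not from the question, the answer, or the web3j project itself: the backend decodes the signed raw transaction with web3j's `TransactionDecoder`, recovers the signer from the signature, and then compares the target contract, the ETH value and the `transfer(address,uint256)` calldata (recipient and token amount) against what it recorded server-side before the browser signed anything. It assumes web3j 4.x on the classpath; the `Expected` class, `verify`, `signTransfer`, the throwaway private key and the placeholder addresses are constructed for this example. `signTransfer` only stands in for the browser so the example runs offline.

```java
import java.math.BigInteger;
import java.security.SignatureException;
import java.util.Arrays;
import java.util.Collections;

import org.web3j.abi.FunctionEncoder;
import org.web3j.abi.TypeReference;
import org.web3j.abi.datatypes.Address;
import org.web3j.abi.datatypes.Function;
import org.web3j.abi.datatypes.generated.Uint256;
import org.web3j.crypto.Credentials;
import org.web3j.crypto.RawTransaction;
import org.web3j.crypto.SignedRawTransaction;
import org.web3j.crypto.TransactionDecoder;
import org.web3j.crypto.TransactionEncoder;
import org.web3j.utils.Numeric;

/** Backend-side check of a signed ERC-20 transfer before it is broadcast (added example, not web3j code). */
public class SignedTokenTransferCheck {

    // 4-byte selector of transfer(address,uint256): first 4 bytes of keccak256 of that signature.
    private static final String TRANSFER_SELECTOR = "a9059cbb";
    private static final String ZERO_PADDING = "000000000000000000000000"; // 12 zero bytes before the address

    /** The intent the backend recorded server-side before the browser signed anything (constructed type). */
    public static final class Expected {
        final String from, tokenContract, recipient;
        final BigInteger amount;
        Expected(String from, String tokenContract, String recipient, BigInteger amount) {
            this.from = from; this.tokenContract = tokenContract;
            this.recipient = recipient; this.amount = amount;
        }
    }

    /** Throws if any field of the signed transaction differs from what the backend expects. */
    public static void verify(String signedTxHex, Expected expected) throws SignatureException {
        RawTransaction tx = TransactionDecoder.decode(signedTxHex);
        if (!(tx instanceof SignedRawTransaction)) {
            throw new IllegalArgumentException("rejected: transaction carries no signature");
        }
        // 1. Signer, recovered from (v, r, s). Any byte changed after signing breaks recovery,
        //    so a passing sender check also proves the other fields are exactly what the user signed.
        String from = ((SignedRawTransaction) tx).getFrom();
        require(from.equalsIgnoreCase(expected.from), "signed by " + from + ", not " + expected.from);

        // 2. A token transfer is a call to the token contract: the ETH value must be zero and
        //    the token amount lives in the calldata, not in the value field.
        require(expected.tokenContract.equalsIgnoreCase(tx.getTo()), "unexpected contract " + tx.getTo());
        require(BigInteger.ZERO.equals(tx.getValue()), "token transfer must not carry ETH value");

        // 3. Calldata layout: selector (4 bytes) | recipient left-padded to 32 bytes | amount (32 bytes)
        String data = Numeric.cleanHexPrefix(tx.getData());
        require(data.length() == 8 + 64 + 64, "unexpected calldata length " + data.length());
        require(data.startsWith(TRANSFER_SELECTOR), "calldata is not transfer(address,uint256)");
        require(data.startsWith(ZERO_PADDING, 8), "malformed address word");
        String recipient = "0x" + data.substring(32, 72);
        BigInteger amount = new BigInteger(data.substring(72), 16);
        require(recipient.equalsIgnoreCase(expected.recipient), "unexpected recipient " + recipient);
        require(amount.equals(expected.amount), "unexpected amount " + amount);
    }

    private static void require(boolean ok, String message) {
        if (!ok) throw new IllegalArgumentException("rejected: " + message);
    }

    /** Stands in for the browser: builds and signs transfer(recipient, amount) with the user's key. */
    static String signTransfer(Credentials user, String token, String recipient, BigInteger amount) {
        Function transfer = new Function("transfer",
                Arrays.asList(new Address(recipient), new Uint256(amount)),
                Collections.<TypeReference<?>>emptyList());
        RawTransaction raw = RawTransaction.createTransaction(
                BigInteger.ZERO,                      // nonce
                BigInteger.valueOf(20_000_000_000L),  // gas price (20 gwei)
                BigInteger.valueOf(60_000L),          // gas limit
                token, FunctionEncoder.encode(transfer));
        return Numeric.toHexString(TransactionEncoder.signMessage(raw, user));
    }

    public static void main(String[] args) throws Exception {
        // Throwaway key and placeholder addresses, constructed for this example only.
        Credentials user = Credentials.create(
                "0x0000000000000000000000000000000000000000000000000000000000000001");
        String token = "0x1111111111111111111111111111111111111111";
        String recipient = "0x2222222222222222222222222222222222222222";
        BigInteger amount = new BigInteger("1000000000000000000"); // 1 token at 18 decimals
        Expected expected = new Expected(user.getAddress(), token, recipient, amount);

        verify(signTransfer(user, token, recipient, amount), expected);
        System.out.println("honest transaction accepted");

        // Same user and key, but the browser-side code was altered to send ten times as much:
        // the signature still recovers to the user, and the amount check is what rejects it.
        try {
            verify(signTransfer(user, token, recipient, amount.multiply(BigInteger.TEN)), expected);
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The point of the three-step order is that the signer check alone is not enough: a user who edits the amount in their own browser still produces a perfectly valid signature from their own key, so the backend has to compare the decoded recipient and amount against its own record of the order, and reject the transaction before handing it to Parity. The check also fixes the ETH `value` at zero and the `to` field at the token contract, which catches a calldata that was swapped for a plain ETH transfer or for a call to a different contract.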