I'm developing a game on top of Ethereum which combines NFTs and some cool RPG gameplay dynamics. My doubt is that, as far as I know, every function in the contract can be called from outside by anyone.

That makes me wonder. For instance, my game is planned to reward players by giving them NFTs if they do some in-game stuff, like quests or fights. I thought the function could look like this:

function rewardPlayer(address newOwner, string memory tokenURI) public {
    // Pseudocode: mint a fresh token, attach its metadata, hand it to the player
    uint256 tokenId = _nextTokenId++;
    _mint(newOwner, tokenId);
    _setTokenURI(tokenId, tokenURI);
}

Obviously, my biggest concern is that someone could come and call this method passing their own address, awarding themselves the rewards.

So, I need a way to avoid this. I thought of generating an encrypted key so that the function can only be executed with it, but how does Solidity decrypt keys? Is it even possible? Is there any better way?

Thanks in advance :)

  • Everything on the blockchain is public; if you use a secret, be aware that once a transaction is public anyone can front-run it when it reaches the pending pool. I'd ask myself: who will call rewardPlayer? Which conditions have to be satisfied to earn a reward? – Ismael Aug 25 '21 at 04:16
  • @Ismael Hey Ismael, thanks for answering. I thought of some ideas to fix this; some are complex but could work. I also thought of using a secret key which would be set in a private variable of the contract, and then each "protected function" would need the key in order to work. When you say it can be front-run, what do you mean? You mean that someone can take the transaction and see the data you are sending? With the key in it? – Jarvan Jarvencio Aug 25 '21 at 07:28
  • There's no such thing as private variables in the EVM; all data is public. With a full node you could use getStorageAt to read any data from a contract: https://ethereum.stackexchange.com/questions/5865/what-does-web3-eth-getstorageat-return. Yes, front-running is taking a transaction from the pending pool and sending it from a different account with a higher gas price so it will be mined faster. – Ismael Aug 25 '21 at 14:40
  • @Ismael I see, then I will drop the idea of the key. I was thinking of other alternatives, like relating the user address to a quest ID, for instance, and not letting anyone other than that user do the action. What do you think about it? – Jarvan Jarvencio Aug 25 '21 at 19:38
  • That's a possible design: storing a level per user so they can obtain the rewards after achieving a certain level. – Ismael Aug 26 '21 at 02:53
  • @Ismael But first I need to store the users connected to the dApp in the SC as a first step, like registered ones. I know this is pretty easy, but do you know any guide or whatever to achieve it? Thanks again – Jarvan Jarvencio Aug 26 '21 at 06:53
  • @Ismael By the way, it may sound a little too aggressive, but would you join our team as our mentor? Your knowledge could be very helpful – Jarvan Jarvencio Aug 26 '21 at 09:32
  • Thanks for the offer, but I don't have much free time, and I prefer to spend it here; there are plenty of questions. – Ismael Aug 26 '21 at 23:52

1 Answer

I'd make the function callable by one wallet only (using onlyOwner, for example), and handle the rest of the logic that figures out what the parameters should be on the website directly. The drawback is that you'd have to pay the gas fees yourself.

– Foxxxey
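One way to combine this answer's onlyOwner idea with the design discussed in the comments (per-player progress recorded on-chain by a trusted backend, and no secret passed in the call, since calldata and storage are both public). This is an added example, not code from the question, the answer or any project; it assumes OpenZeppelin Contracts v5 (the `Ownable(msg.sender)` constructor argument is a v5 requirement), and the contract, function, event and mapping names are invented for illustration:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example; assumes OpenZeppelin Contracts v5 is installed.
import "@openzeppelin/contracts/token/ERC721/extensions/ERC721URIStorage.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

contract QuestRewards is ERC721URIStorage, Ownable {
    // The off-chain game backend. It is the only account allowed to record
    // quest results; players never decide on their own that they earned one.
    address public gameServer;
    uint256 private _nextTokenId;

    // Metadata per quest, fixed by the contract owner, so the claimer cannot
    // supply an arbitrary tokenURI of their choosing.
    mapping(uint256 => string) public questRewardURI;

    // questId => player => flag. "completed" is written by the backend,
    // "claimed" is consumed once by the player.
    mapping(uint256 => mapping(address => bool)) public questCompleted;
    mapping(uint256 => mapping(address => bool)) public rewardClaimed;

    event QuestCompleted(uint256 indexed questId, address indexed player);
    event RewardClaimed(uint256 indexed questId, address indexed player, uint256 tokenId);

    constructor(address initialGameServer)
        ERC721("QuestRewards", "QRW")
        Ownable(msg.sender)
    {
        gameServer = initialGameServer;
    }

    modifier onlyGameServer() {
        require(msg.sender == gameServer, "not game server");
        _;
    }

    // Owner-only configuration: rotate the backend key, define quest rewards.
    function setGameServer(address newServer) external onlyOwner {
        gameServer = newServer;
    }

    function setQuestRewardURI(uint256 questId, string calldata uri) external onlyOwner {
        questRewardURI[questId] = uri;
    }

    // Step 1: the backend records that a player finished a quest. Anyone else
    // calling this reverts on the modifier, regardless of the arguments.
    function markQuestCompleted(uint256 questId, address player) external onlyGameServer {
        questCompleted[questId][player] = true;
        emit QuestCompleted(questId, player);
    }

    // Step 2: the player claims. The recipient is msg.sender, never a parameter,
    // and eligibility is read from on-chain state the caller cannot write.
    function claimReward(uint256 questId) external returns (uint256 tokenId) {
        require(bytes(questRewardURI[questId]).length != 0, "unknown quest");
        require(questCompleted[questId][msg.sender], "quest not completed");
        require(!rewardClaimed[questId][msg.sender], "already claimed");

        // Effects before interaction: _safeMint calls onERC721Received on a
        // contract recipient, so the claim is marked consumed before that call.
        rewardClaimed[questId][msg.sender] = true;

        tokenId = _nextTokenId++;
        _safeMint(msg.sender, tokenId);
        _setTokenURI(tokenId, questRewardURI[questId]);
        emit RewardClaimed(questId, msg.sender, tokenId);
    }
}
```

The backend still pays gas for markQuestCompleted, which is the drawback the answer mentions, but the mint itself is paid by the player, and no caller-supplied value decides who receives the reward or what its metadata is. If the gameServer key is ever exposed, setGameServer lets the owner rotate it without redeploying.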