5

I need a web application backend to be able to make transactions to a smart contract. In order to do this I need to send a transaction on behalf of an account that is authorized by our smart contract. How can I generate these transactions securely?

I read somewhere that using web3.personal.unlockAccount is not a safe approach because it exposes the password when communicating with the node. Is this true? And if so, what is the better approach?

Pål

1 Answer

4

Unlocking an account on a remote node is unsafe for two reasons:

  • you expose your password,
  • anyone that has access to the node can transfer funds from the unlocked account.

So you should not unlock accounts on a node, unless it cannot be accessed via RPC or only from the localhost.

What you can do instead is that you sign the transaction locally and send it as a raw transaction to the remote node. There are different questions here on Stack Exchange that deal with how to do this, for example here.

gisdev_p
  • Is it safe to unlock an account on a local node running on localhost, or will that expose the password as well? And how is the password exposed when unlocking on a remote node? Does it send information unencrypted? – Pål Dec 05 '17 at 14:43
  • 1
    It's safe to unlock locally if you do not have the RPC interface enabled, which is the default configuration when you start geth. As far as I know, there is no encryption when you transfer the password to the node. So it is transferred in plain text. – gisdev_p Dec 05 '17 at 16:32
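The pattern from the answer and the follow-up comment (keep the key and password on the backend, let only signed bytes reach the node, and never send `personal_unlockAccount` to a node others can reach), as an added example that is not code from the question, the answer, or web3.js itself. It assumes the web3.js 1.x API (`web3.eth.accounts.decrypt`, `web3.eth.accounts.signTransaction`, `web3.eth.sendSignedTransaction`); the web3 instance is injected so the logic can be exercised with a stub and no running node.

```javascript
// Added example (not from the original post): sign locally, send raw.
// Assumes web3.js 1.x; `web3` is passed in rather than required here.

// JSON-RPC methods that hand the node the password or the key's signing
// capability. personal_unlockAccount carries the password as a plain JSON
// string in the request body, so it may only ever go to a node on localhost
// whose RPC interface is not reachable by anyone else.
const REMOTE_UNSAFE_METHODS = new Set([
  'personal_unlockAccount',
  'personal_sendTransaction',
  'personal_importRawKey',
]);

// True only for loopback URLs; "localhost.example.com" does not count.
function isLocalNode(nodeUrl) {
  return /^(https?|wss?):\/\/(localhost|127\.0\.0\.1|\[::1\])(:\d+)?(\/|$)/.test(nodeUrl);
}

// Guard for the backend's outbound RPC layer: refuse a request before a
// password could leave the host. Returns true when the request may proceed.
function assertRemoteSafe(request, nodeUrl) {
  if (REMOTE_UNSAFE_METHODS.has(request.method) && !isLocalNode(nodeUrl)) {
    throw new Error(`refusing to send ${request.method} to remote node ${nodeUrl}`);
  }
  return true;
}

// Decrypt the V3 keystore file inside this process. The password is used
// here, in memory, and is never placed in an RPC call.
function loadSigner(web3, keystoreJson, password) {
  const account = web3.eth.accounts.decrypt(keystoreJson, password);
  return { address: account.address, privateKey: account.privateKey };
}

// Build, sign and send. Only `rawTransaction` (the signed RLP bytes) goes
// over the wire as eth_sendRawTransaction; the private key stays here.
// `to`, `data`, `valueWei`, `gas`, `gasPrice` and `chainId` are caller inputs.
async function sendWithLocalSigning(web3, signer, { to, data, valueWei, gas, gasPrice, chainId }) {
  // 'pending' so that several backend sends in a row get consecutive nonces
  const nonce = await web3.eth.getTransactionCount(signer.address, 'pending');
  const tx = { to, data, value: valueWei, gas, gasPrice, nonce, chainId };
  const signed = await web3.eth.accounts.signTransaction(tx, signer.privateKey);
  return web3.eth.sendSignedTransaction(signed.rawTransaction);
}
```

Run `assertRemoteSafe` on every request your backend emits (for example in a thin wrapper around the provider), and keep the decrypted `privateKey` out of logs and error messages.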