1

Basically something like:

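    // Deliberately flawed: the secret is a literal in the contract source.
    function transfer(address to, string memory privkey) public
    {
        // Solidity cannot compare strings with ==, so compare their hashes.
        if (keccak256(bytes(privkey)) == keccak256(bytes("cd33434343...")))
        {
            payable(msg.sender).transfer(address(this).balance);
        }
    }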

The above is obviously flawed since the privkey is in a string when the if condition checks it, so someone can read the .sol source code (if on Etherscan...). But what if it's just an argument of a function? I mean, since arguments are passed in bytes and sites like Etherscan will show the passed-in transaction history in bytes, can those bytes get deciphered to the real private key, or is it impossible unless it's a very common private key ("rainbow table like attack")?

Robert Ggg
  • Using a private key directly is public and can be read by everyone. But if you want to verify the ownership of any wallet, then you can use ecrecover, which verifies any address if that user signs a message on the client side. https://ethereum.stackexchange.com/questions/1777/workflow-on-signing-a-string-with-private-key-followed-by-signature-verificatio – Yogesh - EtherAuthority.io Dec 22 '19 at 12:30

1 Answer

2

Any data a smart contract manipulates inside on-chain transactions should be considered public. This includes contract initialization bytecode, constructor parameters, contract deployed bytecode, any parameters passed to the contract in on-chain transactions, and any data returned by the contract in such transactions. Also any data that ever appeared in memory or on the stack during on-chain smart contract execution, etc.

Thus, a smart contract cannot deal on-chain with any private data, such as private keys or passwords. However, it may deal with hashes of private data, or zero-knowledge proofs about private data, or some other non-private information derived from private data.

Mikhail Vladimirov
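The point made in the answer, that parameters passed in on-chain transactions are public, shown as an added example that is not part of the original question or answer: transaction input data is ABI-encoded, not encrypted, so a string argument to `transfer(address,string)` reads straight back out of the bytes an explorer displays. The selector, address and secret below are constructed placeholders.

```python
# Added example: decode the ABI-encoded input data of a call to
# transfer(address,string). No key or lookup table is involved.

WORD = 32  # the ABI packs arguments into 32-byte words


def encode_args(to_hex: str, secret: str) -> bytes:
    """ABI-encode (address, string) the way a wallet does before sending."""
    data = secret.encode()
    padded = data + b"\x00" * (-len(data) % WORD)       # right-pad to a full word
    head = bytes.fromhex(to_hex).rjust(WORD, b"\x00")   # address, left-padded
    head += (2 * WORD).to_bytes(WORD, "big")            # offset of the string tail
    return head + len(data).to_bytes(WORD, "big") + padded


def decode_calldata(calldata: bytes):
    """Recover (selector, address, string) from raw transaction input."""
    selector, args = calldata[:4], calldata[4:]
    if len(args) < 2 * WORD:
        raise ValueError("calldata too short for (address,string)")
    address = "0x" + args[12:WORD].hex()                # low 20 bytes of word 0
    offset = int.from_bytes(args[WORD:2 * WORD], "big")
    if offset + WORD > len(args):
        raise ValueError("string offset points outside calldata")
    length = int.from_bytes(args[offset:offset + WORD], "big")
    start = offset + WORD
    if start + length > len(args):
        raise ValueError("string length exceeds calldata")
    return selector.hex(), address, args[start:start + length].decode()


# Constructed sample input (assumptions, not values from the page).
SELECTOR = bytes.fromhex("deadbeef")   # placeholder, not the real selector
TO = "11" * 20                         # placeholder recipient address
SECRET = "constructed-sample-secret-not-a-real-key"
CALLDATA = SELECTOR + encode_args(TO, SECRET)

if __name__ == "__main__":
    print("input data as an explorer shows it:", "0x" + CALLDATA.hex())
    print("decoded:", decode_calldata(CALLDATA))
```
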