In order to associate a web2 user account with a Web3 wallet, we need a way for the database to provide a challenge that the web2 user must answer via web3.
Here is my very simple solution.
- The API creates a unique `nonce` for an authorized user who has provided an EVM wallet address. This hash is stored with an expiration in the Db and returned to the client.
- The client immediately initiates a transaction for the user to sign with the `nonce` as an argument to the smart contract function. This is sent to the `WalletAssociation` smart contract address.
- The code packages the nonce with `msg.sender` and emits an event.
Here is the contract in its entirety:
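```solidity
pragma solidity ^0.8.0;

// Contract to handle user registration and challenge answer
contract WalletAssociation {
    // Picked up by the indexer: the sending wallet, the nonce it submitted, and the block time.
    // `answer` is a string so that it matches the argument of a().
    event E(address indexed userWallet, string answer, uint256 timestamp);

    // Called from the user's wallet with the nonce issued by the API.
    function a(string memory answer) public {
        emit E(msg.sender, answer, block.timestamp);
    }
}
```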
- The indexer gathers the event and sends it to the backend to complete the handshake, checking the `nonce`/`address` combination and validating the wallet for the user.
If planned out properly and properly executed, there wouldn't be many, but there are always risks.
Below are some risks:
Replay Attacks: If an attacker captures a valid signed challenge-response, they might try to replay it to the server to impersonate the user. To mitigate this we could do the following:
Man-in-the-Middle Attacks (MitM): An attacker could intercept and modify traffic between the user and the server. To mitigate this we could do the following:
Phishing: An attacker might trick users into signing malicious payloads or redirecting them to fake sites. To counter this:
Storage of Signed Challenges: If signed challenges are stored insecurely, they could be stolen and used maliciously. To mitigate this:
Endpoint Security: The server endpoint that verifies the signed challenge is a potential target. If it's compromised, false associations might be created. To counter this:
Sybil Attacks: A malicious user could try to associate multiple fake or stolen Web2 accounts with their Web3 wallet. To mitigate this:
Reliance on Single Wallet: If a user loses access to their Web3 wallet, they might lose access to their associated Web2 account. To counter this:
There are always wallet vulnerabilities as well.
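
The backend half of the handshake described above, together with the single-use and expiry checks that address the replay risk, as an added example (not code from the original post). The `ChallengeStore` class, the 300-second lifetime and the event dictionary shape are assumptions: the indexer is taken to deliver only events from the `WalletAssociation` contract, decoded into `userWallet` and `answer` fields, with the nonce as a hex string.

```python
import secrets
import time

NONCE_TTL_SECONDS = 300  # assumed lifetime; the page only says "an expiration"

class ChallengeStore:
    """In-memory stand-in for the Db table of pending challenges (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # nonce -> (user_id, wallet, expires_at)
        self.associations = {}  # user_id -> verified wallet

    def issue(self, user_id, wallet):
        """First step: nonce bound to the logged-in user and the wallet they supplied."""
        nonce = secrets.token_hex(32)
        self._pending[nonce] = (user_id, wallet.lower(), self._clock() + NONCE_TTL_SECONDS)
        return nonce

    def complete(self, event):
        """Last step: check a decoded E event handed over by the indexer."""
        nonce = event["answer"]
        record = self._pending.get(nonce)
        if record is None:
            return "unknown-or-used-nonce"
        user_id, wallet, expires_at = record
        if self._clock() > expires_at:
            del self._pending[nonce]
            return "expired"
        # Anyone can call a() with any string, so an event from another sender
        # is rejected without burning the nonce the real wallet still needs.
        if event["userWallet"].lower() != wallet:
            return "wallet-mismatch"
        del self._pending[nonce]  # single use: a replayed event finds nothing
        self.associations[user_id] = wallet
        return "associated"

def demo():
    """Constructed run: wrong sender, valid event, replayed event, expired nonce."""
    now = [1_700_000_000.0]  # fake clock so expiry is deterministic
    store = ChallengeStore(clock=lambda: now[0])
    alice, mallory = "0x" + "a1" * 20, "0x" + "b2" * 20  # constructed addresses
    nonce = store.issue("user-42", alice)
    results = [store.complete({"userWallet": w, "answer": nonce})
               for w in (mallory, alice.upper(), alice)]
    late = store.issue("user-43", mallory)
    now[0] += NONCE_TTL_SECONDS + 1
    results.append(store.complete({"userWallet": mallory, "answer": late}))
    return results, store.associations
```

In a real deployment the lookup and delete in `complete` would be one atomic database operation, so that two copies of the same event processed concurrently cannot both succeed.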