Must a Solidity developer know the private keys to the wallet that is tied to a token contract?
up vote
3
down vote
favorite
To deploy a token contract, there must be a wallet address, am I right? Thus, must the coder be managing the wallet (with its private keys) that is used?
I'm looking at the scenario where what if someone outsourced the blockchain coding work to someone that is dishonest and that coder could run away with the tokens, if they know the private keys. Could they?
tokens contract-deployment private-key
add a comment |
up vote
3
down vote
favorite
To deploy a token contract, there must be a wallet address, am I right? Thus, must the coder be managing the wallet (with its private keys) that is used?
I'm looking at the scenario where what if someone outsourced the blockchain coding work to someone that is dishonest and that coder could run away with the tokens, if they know the private keys. Could they?
tokens contract-deployment private-key
add a comment |
up vote
3
down vote
favorite
up vote
3
down vote
favorite
To deploy a token contract, there must be a wallet address, am I right? Thus, must the coder be managing the wallet (with its private keys) that is used?
I'm looking at the scenario where what if someone outsourced the blockchain coding work to someone that is dishonest and that coder could run away with the tokens, if they know the private keys. Could they?
tokens contract-deployment private-key
To deploy a token contract, there must be a wallet address, am I right? Thus, must the coder be managing the wallet (with its private keys) that is used?
I'm looking at the scenario where what if someone outsourced the blockchain coding work to someone that is dishonest and that coder could run away with the tokens, if they know the private keys. Could they?
tokens contract-deployment private-key
tokens contract-deployment private-key
edited Nov 20 at 10:25
shane
1,7093730
1,7093730
asked Nov 20 at 10:18
Rachel
161
161
add a comment |
add a comment |
4 Answers
4
active
oldest
votes
up vote
2
down vote
To deploy something, a transaction needs to be signed by a private key. The signing can be done by someone else than the developer, but it gets a bit complicated in my opinion.
As I see it, you have at least a few different options:
1) The developer only develops code and you do all the rest (deployment and so on). When code is ready, he gives that to you.
2) Developer deploys the ready product into a testnet where you can test it. Otherwise same as the first option.
3) Developer handles all deployments (also to mainnet) in which case he needs some private key (unless he sends you the bytecode, you sign a transaction of it and he continues with that, but that's a bit complicated approach). If wanted, developer can then assign whatever ownership status to accounts which your control.
I guess all of the options are used in real life and I can't tell you which ones are the most common / best.
In general, I would not give the developer the final ownership of the contracts in mainnet so he would only get paid after ownership has been transferred to you.
add a comment |
up vote
2
down vote
Short answer: no need to worry if you are the one signing the deployment transaction, you don't need developers for that.
Developers code and test with their wallets.
They give you the code and you deploy it with your wallet.
An easier way to do this, they can get the deployment code, ask you to sign it, they can deploy it themselves, but the transaction will have been sent by you. Be careful on what you sign though, they could give you a fake transaction.
1
To expand on it, if your contract has functionality that can only be used by the owner, there is usually an updateOwner function which would allow them to relegate you full control of that functionality
– Enrique Alcazar
Nov 20 at 10:45
add a comment |
up vote
1
down vote
This is very debatable, since it is highly dependent on the contract code. In your contract code you can create an owner only function, that only the wallet (basically a private key) can execute but that wouldn't fix your stolen private keys.
The other way is to implement a 2 out of 3 blessings system that requires that a minimum of 2 accounts out of 3 on ethereum to give their blessings in order to a particular function to be executed, and that can give you more power over the private keys pirate.
You can check DAO's Contracts and papers, they did implement many mechanisms to deal with this kind of situations.
add a comment |
up vote
0
down vote
In order to deploy a contract, you need a private key. There is a public address associated with this private key that must have ETH in it in order to deploy the contract.
Contracts can be written in such a way that either does or does not depend on the 'owner', or the person who created the contract. In the case of a token, it is not required that there be a specific owner, but the tokens must be distributed to the correct parties upon deployment.
You should never outsource work and provide a private key to your contractor. The best solution would be to have the person who is doing the work deliver to you a complete contract that you can simply deploy with your private key.
add a comment |
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
2
down vote
To deploy something, a transaction needs to be signed by a private key. The signing can be done by someone else than the developer, but it gets a bit complicated in my opinion.
As I see it, you have at least a few different options:
1) The developer only develops code and you do all the rest (deployment and so on). When code is ready, he gives that to you.
2) Developer deploys the ready product into a testnet where you can test it. Otherwise same as the first option.
3) Developer handles all deployments (also to mainnet) in which case he needs some private key (unless he sends you the bytecode, you sign a transaction of it and he continues with that, but that's a bit complicated approach). If wanted, developer can then assign whatever ownership status to accounts which your control.
I guess all of the options are used in real life and I can't tell you which ones are the most common / best.
In general, I would not give the developer the final ownership of the contracts in mainnet so he would only get paid after ownership has been transferred to you.
add a comment |
up vote
2
down vote
To deploy something, a transaction needs to be signed by a private key. The signing can be done by someone else than the developer, but it gets a bit complicated in my opinion.
As I see it, you have at least a few different options:
1) The developer only develops code and you do all the rest (deployment and so on). When code is ready, he gives that to you.
2) Developer deploys the ready product into a testnet where you can test it. Otherwise same as the first option.
3) Developer handles all deployments (also to mainnet) in which case he needs some private key (unless he sends you the bytecode, you sign a transaction of it and he continues with that, but that's a bit complicated approach). If wanted, developer can then assign whatever ownership status to accounts which your control.
I guess all of the options are used in real life and I can't tell you which ones are the most common / best.
In general, I would not give the developer the final ownership of the contracts in mainnet so he would only get paid after ownership has been transferred to you.
add a comment |
up vote
2
down vote
up vote
2
down vote
To deploy something, a transaction needs to be signed by a private key. The signing can be done by someone else than the developer, but it gets a bit complicated in my opinion.
As I see it, you have at least a few different options:
1) The developer only develops code and you do all the rest (deployment and so on). When code is ready, he gives that to you.
2) Developer deploys the ready product into a testnet where you can test it. Otherwise same as the first option.
3) Developer handles all deployments (also to mainnet) in which case he needs some private key (unless he sends you the bytecode, you sign a transaction of it and he continues with that, but that's a bit complicated approach). If wanted, developer can then assign whatever ownership status to accounts which your control.
I guess all of the options are used in real life and I can't tell you which ones are the most common / best.
In general, I would not give the developer the final ownership of the contracts in mainnet so he would only get paid after ownership has been transferred to you.
To deploy something, a transaction needs to be signed by a private key. The signing can be done by someone else than the developer, but it gets a bit complicated in my opinion.
As I see it, you have at least a few different options:
1) The developer only develops code and you do all the rest (deployment and so on). When code is ready, he gives that to you.
2) Developer deploys the ready product into a testnet where you can test it. Otherwise same as the first option.
3) Developer handles all deployments (also to mainnet) in which case he needs some private key (unless he sends you the bytecode, you sign a transaction of it and he continues with that, but that's a bit complicated approach). If wanted, developer can then assign whatever ownership status to accounts which your control.
I guess all of the options are used in real life and I can't tell you which ones are the most common / best.
In general, I would not give the developer the final ownership of the contracts in mainnet so he would only get paid after ownership has been transferred to you.
answered Nov 20 at 10:24
Lauri Peltonen
4,1392322
4,1392322
add a comment |
add a comment |
up vote
2
down vote
Short answer: no need to worry if you are the one signing the deployment transaction, you don't need developers for that.
Developers code and test with their wallets.
They give you the code and you deploy it with your wallet.
An easier way to do this, they can get the deployment code, ask you to sign it, they can deploy it themselves, but the transaction will have been sent by you. Be careful on what you sign though, they could give you a fake transaction.
1
To expand on it, if your contract has functionality that can only be used by the owner, there is usually an updateOwner function which would allow them to relegate you full control of that functionality
– Enrique Alcazar
Nov 20 at 10:45
add a comment |
up vote
2
down vote
Short answer: no need to worry if you are the one signing the deployment transaction, you don't need developers for that.
Developers code and test with their wallets.
They give you the code and you deploy it with your wallet.
An easier way to do this, they can get the deployment code, ask you to sign it, they can deploy it themselves, but the transaction will have been sent by you. Be careful on what you sign though, they could give you a fake transaction.
1
To expand on it, if your contract has functionality that can only be used by the owner, there is usually an updateOwner function which would allow them to relegate you full control of that functionality
– Enrique Alcazar
Nov 20 at 10:45
add a comment |
up vote
2
down vote
up vote
2
down vote
Short answer: no need to worry if you are the one signing the deployment transaction, you don't need developers for that.
Developers code and test with their wallets.
They give you the code and you deploy it with your wallet.
An easier way to do this, they can get the deployment code, ask you to sign it, they can deploy it themselves, but the transaction will have been sent by you. Be careful on what you sign though, they could give you a fake transaction.
Short answer: no need to worry if you are the one signing the deployment transaction, you don't need developers for that.
Developers code and test with their wallets.
They give you the code and you deploy it with your wallet.
An easier way to do this, they can get the deployment code, ask you to sign it, they can deploy it themselves, but the transaction will have been sent by you. Be careful on what you sign though, they could give you a fake transaction.
answered Nov 20 at 10:42
Enrique Alcazar
356110
356110
1
To expand on it, if your contract has functionality that can only be used by the owner, there is usually an updateOwner function which would allow them to relegate you full control of that functionality
– Enrique Alcazar
Nov 20 at 10:45
add a comment |
1
To expand on it, if your contract has functionality that can only be used by the owner, there is usually an updateOwner function which would allow them to relegate you full control of that functionality
– Enrique Alcazar
Nov 20 at 10:45
1
1
To expand on it, if your contract has functionality that can only be used by the owner, there is usually an updateOwner function which would allow them to relegate you full control of that functionality
– Enrique Alcazar
Nov 20 at 10:45
To expand on it, if your contract has functionality that can only be used by the owner, there is usually an updateOwner function which would allow them to relegate you full control of that functionality
– Enrique Alcazar
Nov 20 at 10:45
add a comment |
up vote
1
down vote
This is very debatable, since it is highly dependent on the contract code. In your contract code you can create an owner only function, that only the wallet (basically a private key) can execute but that wouldn't fix your stolen private keys.
The other way is to implement a 2 out of 3 blessings system that requires that a minimum of 2 accounts out of 3 on ethereum to give their blessings in order to a particular function to be executed, and that can give you more power over the private keys pirate.
You can check DAO's Contracts and papers, they did implement many mechanisms to deal with this kind of situations.
add a comment |
up vote
1
down vote
This is very debatable, since it is highly dependent on the contract code. In your contract code you can create an owner only function, that only the wallet (basically a private key) can execute but that wouldn't fix your stolen private keys.
The other way is to implement a 2 out of 3 blessings system that requires that a minimum of 2 accounts out of 3 on ethereum to give their blessings in order to a particular function to be executed, and that can give you more power over the private keys pirate.
You can check DAO's Contracts and papers, they did implement many mechanisms to deal with this kind of situations.
add a comment |
up vote
1
down vote
up vote
1
down vote
This is very debatable, since it is highly dependent on the contract code. In your contract code you can create an owner only function, that only the wallet (basically a private key) can execute but that wouldn't fix your stolen private keys.
The other way is to implement a 2 out of 3 blessings system that requires that a minimum of 2 accounts out of 3 on ethereum to give their blessings in order to a particular function to be executed, and that can give you more power over the private keys pirate.
You can check DAO's Contracts and papers, they did implement many mechanisms to deal with this kind of situations.
This is very debatable, since it is highly dependent on the contract code. In your contract code you can create an owner only function, that only the wallet (basically a private key) can execute but that wouldn't fix your stolen private keys.
The other way is to implement a 2 out of 3 blessings system that requires that a minimum of 2 accounts out of 3 on ethereum to give their blessings in order to a particular function to be executed, and that can give you more power over the private keys pirate.
You can check DAO's Contracts and papers, they did implement many mechanisms to deal with this kind of situations.
answered Nov 20 at 10:27
Kaki Master Of Time
1,06417
1,06417
add a comment |
add a comment |
up vote
0
down vote
In order to deploy a contract, you need a private key. There is a public address associated with this private key that must have ETH in it in order to deploy the contract.
Contracts can be written in such a way that either does or does not depend on the 'owner', or the person who created the contract. In the case of a token, it is not required that there be a specific owner, but the tokens must be distributed to the correct parties upon deployment.
You should never outsource work and provide a private key to your contractor. The best solution would be to have the person who is doing the work deliver to you a complete contract that you can simply deploy with your private key.
add a comment |
up vote
0
down vote
In order to deploy a contract, you need a private key. There is a public address associated with this private key that must have ETH in it in order to deploy the contract.
Contracts can be written in such a way that either does or does not depend on the 'owner', or the person who created the contract. In the case of a token, it is not required that there be a specific owner, but the tokens must be distributed to the correct parties upon deployment.
You should never outsource work and provide a private key to your contractor. The best solution would be to have the person who is doing the work deliver to you a complete contract that you can simply deploy with your private key.
add a comment |
up vote
0
down vote
up vote
0
down vote
In order to deploy a contract, you need a private key. There is a public address associated with this private key that must have ETH in it in order to deploy the contract.
Contracts can be written in such a way that either does or does not depend on the 'owner', or the person who created the contract. In the case of a token, it is not required that there be a specific owner, but the tokens must be distributed to the correct parties upon deployment.
You should never outsource work and provide a private key to your contractor. The best solution would be to have the person who is doing the work deliver to you a complete contract that you can simply deploy with your private key.
In order to deploy a contract, you need a private key. There is a public address associated with this private key that must have ETH in it in order to deploy the contract.
Contracts can be written in such a way that either does or does not depend on the 'owner', or the person who created the contract. In the case of a token, it is not required that there be a specific owner, but the tokens must be distributed to the correct parties upon deployment.
You should never outsource work and provide a private key to your contractor. The best solution would be to have the person who is doing the work deliver to you a complete contract that you can simply deploy with your private key.
answered Nov 20 at 10:24
shane
1,7093730
1,7093730
add a comment |
add a comment |
Thanks for contributing an answer to Ethereum Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fethereum.stackexchange.com%2fquestions%2f62675%2fmust-a-solidity-developer-know-the-private-keys-to-the-wallet-that-is-tied-to-a%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown