I am using the ethersjs when I connect to web3.
And I have a question about the getSigner()
method below.
https://docs.ethers.io/v5/api/providers/jsonrpc-provider/#JsonRpcProvider-getSigner
Does this mean that if I pass someone else's ethereum address as an argument, I can create an object that will be signed by that address?
for example:
const provider = new ethers.providers.JsonRpcProvider('https://mainnet.infura.io/v3/{INFURA_API}')
const signer = provider.getSigner(SOME_RANDOM_ETH_ADDRESS)
const instance = new ethers.Contract(contractAddress, abi, signer)
const tx = await instance.transfer(MALICIOUS_ADDRESS, 10000000000000000)
My impression is that this could be a security issue, but why is this safe?
Best Answer
Backends like Metamask, Geth, Parity (and many more) have an RPC interface that allows an external application to interact with them using
eth_signTransaction
orpersonal_signTransaction
RPC methods, while not giving access to private keys to the application. The application has to prepare an unsigned transaction object and send it to the provider. And in response, the provider returns back the signature, which the application can then broadcast to the network (some providers can also broadcast the transaction).Providers that support managing multiple accounts or HD wallets, require the application to specify an address usually using the
from
key, when sending a transaction object to the provider.The
provider.getSigner(address)
in ethers.js, takes in an address and creates a JsonRpcSigner instance, which uses the appropriate methods infrom
field when submitting a transaction. If you just pass in any random eth address whose private key is not with the provider, the provider will attempt if it has in its accounts, else it will just give you some error. I just checked with Metamask, and it gives this error:Invalid parameters: must provide an Ethereum address.
. It can be different for different providers.