Ethers.js Function – Can jsonRpcProvider.getSigner() Take Any Address?

ethers.js

I am using ethers.js when I connect to web3.

And I have a question about the getSigner() method below.

https://docs.ethers.io/v5/api/providers/jsonrpc-provider/#JsonRpcProvider-getSigner

Does this mean that if I pass someone else's Ethereum address as an argument, I can create an object that will be signed by that address?

For example:

const provider = new ethers.providers.JsonRpcProvider('https://mainnet.infura.io/v3/{INFURA_API}')
const signer = provider.getSigner(SOME_RANDOM_ETH_ADDRESS)
const instance = new ethers.Contract(contractAddress, abi, signer)
// Amount passed as a string: the numeric literal exceeds Number.MAX_SAFE_INTEGER
const tx = await instance.transfer(MALICIOUS_ADDRESS, '10000000000000000')

My impression is that this could be a security issue, but why is this safe?

Best Answer

Backends like MetaMask, Geth, Parity (and many more) have an RPC interface that allows an external application to interact with them using eth_signTransaction or personal_signTransaction RPC methods, while not giving the application access to private keys. The application has to prepare an unsigned transaction object and send it to the provider. In response, the provider returns the signature, which the application can then broadcast to the network (some providers can also broadcast the transaction).

Providers that support managing multiple accounts or HD wallets require the application to specify an address, usually using the from key, when sending a transaction object to the provider.

The provider.getSigner(address) method in ethers.js takes in an address and creates a JsonRpcSigner instance, which uses the appropriate methods in the from field when submitting a transaction. If you just pass in any random ETH address whose private key is not with the provider, the provider will attempt it if it has the address in its accounts; otherwise it will just give you some error. I just checked with MetaMask, and it gives this error: Invalid parameters: must provide an Ethereum address. It can be different for different providers.
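
The answer's point, that the check happens where the private key is held, shown as an added example that is not part of the original answer or of ethers.js. It assumes a hypothetical `WalletBackend` class and `getSigner` helper, constructed addresses, and Node's ECDSA over SHA-256 as a stand-in for real Ethereum transaction signing.

```javascript
// Added illustration: a toy wallet backend, not ethers.js, MetaMask or Geth code.
const crypto = require('crypto');

// The backend (wallet or node) is the only place private keys live.
// All addresses below are constructed sample values, not real accounts.
class WalletBackend {
  constructor() {
    this.keys = new Map();   // lowercased address -> private key
    this.rejected = [];      // refused `from` values, kept for auditing
  }
  addAccount(address) {
    const { privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
    this.keys.set(address.toLowerCase(), privateKey);
  }
  // Minimal JSON-RPC 2.0 handler for the two methods this example needs.
  handle({ id, method, params = [] }) {
    if (method === 'eth_accounts') {
      return { jsonrpc: '2.0', id, result: [...this.keys.keys()] };
    }
    if (method === 'eth_signTransaction') {
      const tx = params[0] || {};
      const key = this.keys.get(String(tx.from).toLowerCase());
      if (!key) {            // no key held for `from`: refuse, never sign
        this.rejected.push(tx.from);
        return { jsonrpc: '2.0', id, error: { code: -32602, message: 'unknown account' } };
      }
      // Stand-in signature (real clients sign keccak256 of the RLP-encoded tx).
      const sig = crypto.sign('sha256', Buffer.from(JSON.stringify(tx)), key);
      return { jsonrpc: '2.0', id, result: '0x' + sig.toString('hex') };
    }
    return { jsonrpc: '2.0', id, error: { code: -32601, message: 'method not found' } };
  }
}

// Client side: a signer bound to an address holds no key material at all.
function getSigner(backend, address) {
  return {
    address,
    signTransaction: (tx) =>
      backend.handle({ id: 1, method: 'eth_signTransaction', params: [{ ...tx, from: address }] }),
  };
}

const backend = new WalletBackend();
const OWNED = '0x1111111111111111111111111111111111111111';   // constructed
const FOREIGN = '0x2222222222222222222222222222222222222222'; // constructed
backend.addAccount(OWNED);
const tx = { to: '0x3333333333333333333333333333333333333333', value: '0x1' };
console.log(getSigner(backend, OWNED).signTransaction(tx));   // signature returned
console.log(getSigner(backend, FOREIGN).signTransaction(tx)); // JSON-RPC error
```

The `rejected` list is where a backend operator would look for applications requesting signatures for accounts the wallet does not control.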