
ethtx's Introduction

ethtx - a microservice to generate Ethereum addresses and sign Ethereum transactions

What's the point?

ethtx is a small, stateless and portable microservice for generating Ethereum addresses and signing Ethereum transactions without a dedicated Ethereum node. It comes in extremely handy when you need to create Ethereum addresses (private/public key pairs) or sign Ethereum transactions from a programming language that doesn't have the required crypto libraries.

It also improves security: you don't need to call a remote Ethereum RPC node and hand it your private keys just to generate a new Ethereum address or sign a transaction.

That way the private keys never leave the local host where your service or software is running, provided ethtx itself only listens on the loopback interface (see the configuration section below): the key is sent to ethtx in the request body over plain HTTP.

ethtx consumes a minimum of system resources and can be run on the local host alongside your service or even desktop software.

How does it work?

It works as an HTTP service: you POST parameters and get a JSON response.

What crypto libraries does ethtx use? Is it safe?

ethtx uses geth's implementation directly, by importing the corresponding packages from the go-ethereum project.

How does it generate the private keys? Any implementation of such a crucial part should be seriously reviewed.

ethtx takes key generation directly from the go-ethereum sources and adds nothing of its own to it. Please check the sources.

Tell me more.

So far the following methods are supported:

generateAddress

Generates a new Ethereum address (private/public key pair):

Input parameters:

none

Curl example:
curl -X POST \
  http://ethtx-address:8070/generateAddress
Response:
{
    "address": "0x2cBD5C1D45DCcCD5147BED0314379c6b50c3e8a5",
    "privKey": "0xc3c4a14597d9ca779f730df5716c58321e46bc55d6559d8ba2932f0da04e1dbe",
    "pubKey": "0x7cbd2cd558251149285fc379fecbf030a92be3b6f2c793ae5c3a7dfefe4076da, 0xff5365976d4c8cddb531bf9dcb19963d8e03bebfcac713bca7017886ef5be7ab"
}
Output:

address : a freshly generated Ethereum address.

privKey : the private key for this address. Be careful with it and NEVER save it unencrypted.

pubKey : the public key for this address, given as two 32-byte parts (the X and Y coordinates of the secp256k1 point); concatenate them if you need the 64-byte public key.

signTx

Signs a transaction and returns it RLP-encoded, ready to be sent to the Ethereum network via a full node or a third-party service such as Infura or Etherscan.

Input parameters:

chainId : (integer) your network's chain ID. Use 1 for the production network (mainnet) and your own value for private networks. It is mixed into the signature (EIP-155), so a transaction signed for one chain cannot be replayed on another.

privKey : (string) the private key used to sign this transaction, as hex without the 0x prefix.

sendTo : (string) the Ethereum address to send this transaction to, with the 0x prefix.

amount : (float) the amount of ETH to send, for example 23.33323.

amountWei : (integer) if you don't want to pass the amount in ETH, put 0 in amount above and give the amount in wei here, for example 30000000000000000. Prefer this form when the exact value matters, since a float cannot represent every ETH amount exactly.

gasLimit : (integer) the gas limit for this transaction, for example 21000.

gasPrice : (integer) the gas price in wei for this transaction, for example 20000000000.

nonce : (integer) the nonce for this transaction. Call eth_getTransactionCount for the sending address before signing to obtain it. Without a valid nonce your transaction won't be relayed to the network and will be stuck.

Curl example:
curl -X POST \
  http://ethtx-address:8070/signTx \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'chainId=88882&privKey=c3c4a14597d9ca779f730df5716c58321e46bc55d6559d8ba2932f0da04e1dbe&sendTo=0x3822e05392f097cf03ba3227cc16b73ceb0ee305&amount=0.1&gasLimit=21000&gasPrice=20000000000&nonce=1'
Output:

result : "ok" if signing succeeded; signedTx then contains the signed transaction.

signedTx : the signed, RLP-encoded transaction, ready to be sent to the Ethereum network by any available means (for example eth_sendRawTransaction on a node or a hosted RPC endpoint).

Response:
{
    "result": "ok",
    "signedTx": "0xf86f018504a817c800825208943822e05392f097cf03ba3227cc16b73ceb0ee30588016345785d8a000080830300afa0ab96c871bf77e8f2a67b744fbec7138a45f7a706a3cdd758989f3b49da30299ba05eb9343eb000e620e62c31769d6a5e5ac8c191f3afa2f9c934d541520e4340f9"
}
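A client-side check of the signTx output, added here as an example (it is not ethtx code): decode the returned RLP, recover the chain ID from v (EIP-155), confirm that s is canonical (EIP-2), and diff every field against the parameters you sent, so that a buggy or tampered signer cannot quietly change the destination, amount or chain before you broadcast. It uses only the standard library; the RLP decoder, the nine-field legacy layout and the chain-ID recovery follow the public specifications, and the rule that a non-zero amountWei takes precedence over amount is this example's reading of the parameter description above. Run against the sample above, it finds that the nonce, gas price, gas limit, destination and 0.1 ETH match the curl request, but that v encodes chain ID 98374 rather than 88882, so the printed response was evidently signed for a different chain than the printed curl line.

```python
"""Decode the signedTx returned by signTx and check it against the request before
broadcasting (added example, not ethtx code; standard library only).  The RLP
decoder, the legacy-transaction field layout and the EIP-155 chain-ID recovery
are written here from the public specifications."""
from decimal import Decimal

SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Sample values copied from the README above: the curl parameters (minus privKey,
# which the check never needs) and the signedTx response shown under them.
SAMPLE_REQUEST = {"chainId": "88882", "sendTo": "0x3822e05392f097cf03ba3227cc16b73ceb0ee305",
                  "amount": "0.1", "gasLimit": "21000", "gasPrice": "20000000000", "nonce": "1"}
SAMPLE_SIGNED_TX = ("0xf86f018504a817c800825208943822e05392f097cf03ba3227cc16b73ceb0ee305"
                    "88016345785d8a000080830300afa0ab96c871bf77e8f2a67b744fbec7138a45f7a706"
                    "a3cdd758989f3b49da30299ba05eb9343eb000e620e62c31769d6a5e5ac8c191f3afa2"
                    "f9c934d541520e4340f9")

def rlp_decode(data: bytes):
    """Minimal RLP decoder returning (item, remainder); item is bytes or a list."""
    if not data:
        raise ValueError("empty RLP input")
    b0 = data[0]
    if b0 < 0x80:                                   # single byte encodes itself
        return data[:1], data[1:]
    if b0 < 0xC0:                                   # string: short (<56 bytes) or long
        hdr, n = (1, b0 - 0x80) if b0 < 0xB8 else (1 + b0 - 0xB7, None)
        is_list = False
    else:                                           # list: short or long
        hdr, n = (1, b0 - 0xC0) if b0 < 0xF8 else (1 + b0 - 0xF7, None)
        is_list = True
    if n is None:                                   # long form: length follows the tag
        n = int.from_bytes(data[1:hdr], "big")
    if len(data) < hdr + n:
        raise ValueError("truncated RLP item")
    body, rest = data[hdr:hdr + n], data[hdr + n:]
    if not is_list:
        return body, rest
    items = []
    while body:
        item, body = rlp_decode(body)
        items.append(item)
    return items, rest

def decode_legacy_tx(signed_hex: str) -> dict:
    """Split a signed legacy (gasPrice-based) transaction into its nine fields."""
    raw = bytes.fromhex(signed_hex[2:] if signed_hex.startswith("0x") else signed_hex)
    fields, rest = rlp_decode(raw)
    if rest or not isinstance(fields, list) or len(fields) != 9:
        raise ValueError("not a single 9-field legacy transaction")
    nonce, gas_price, gas, to, value, data, v, r, s = fields
    be = lambda b: int.from_bytes(b, "big")         # empty bytes decodes to 0
    v_int = be(v)
    chain_id = None if v_int in (27, 28) else (v_int - 35) // 2      # EIP-155
    return {"nonce": be(nonce), "gas_price": be(gas_price), "gas": be(gas),
            "to": "0x" + to.hex(), "value": be(value), "data": data.hex(),
            "v": v_int, "r": be(r), "s": be(s), "chain_id": chain_id,
            "recovery_id": v_int - 27 if chain_id is None else v_int - 35 - 2 * chain_id,
            "low_s": 0 < be(s) <= SECP256K1_N // 2}  # EIP-2 canonical signature

def check_against_request(tx: dict, req: dict) -> list:
    """Mismatches between the decoded transaction and the signTx parameters (empty = ok).
    A non-zero amountWei is taken to override amount; amount is parsed as a Decimal."""
    want_value = (int(req["amountWei"]) if req.get("amountWei") not in (None, "", "0")
                  else int(Decimal(str(req["amount"])) * 10**18))
    expected = {"nonce": (tx["nonce"], int(req["nonce"])),
                "gasPrice": (tx["gas_price"], int(req["gasPrice"])),
                "gasLimit": (tx["gas"], int(req["gasLimit"])),
                "sendTo": (tx["to"].lower(), req["sendTo"].lower()),
                "value": (tx["value"], want_value),
                "chainId": (tx["chain_id"], int(req["chainId"]))}
    problems = [f"{k}: signed {got}, requested {want}"
                for k, (got, want) in expected.items() if got != want]
    if not tx["low_s"]:
        problems.append("signature s is not in the lower half of the curve order")
    return problems

if __name__ == "__main__":
    tx = decode_legacy_tx(SAMPLE_SIGNED_TX)
    print(tx)
    print(check_against_request(tx, SAMPLE_REQUEST) or "signed transaction matches the request")
```

This decoder only understands legacy transactions, which is what a gasPrice-based API like signTx produces; typed transactions (an EIP-2718 type byte such as 0x02 in front of the RLP list) have a different field layout and would be rejected by the nine-field check.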

What platforms are supported?

Any that Go can compile for.

What is required?

Just Go.

How do I install ethtx?

With Go 1.17 and newer, go install fetches all required dependencies, compiles the binary and places it in your $GOPATH/bin directory (since Go 1.18, go get no longer builds binaries):

go install github.com/stunndard/ethtx@latest

On older Go toolchains use go get github.com/stunndard/ethtx instead.

How do I configure it?

Read ethtx.yml and tune it for your needs.

---
  Gzip: true
  Other:
    listen: ":8070"
    redactLogs: True

redactLogs hides the private keys from the logs. By default ethtx writes its logs to standard output; you can silence them or redirect them to a file as usual. listen is the address the HTTP service binds to: ":8070" means every network interface, so if the point of running ethtx is that keys never leave the host, bind it to the loopback interface instead ("127.0.0.1:8070") or firewall the port.

How do I run it?

Just run the binary:

    ./ethtx

You can run it inside tmux or screen, or write a systemd unit for it so it runs as a daemon.

ethtx's People

Contributors

stunndard

ethtx's Issues

Potential ReDoS Vulnerability or Inefficient Regular Expression in Project: Need for Assessment and Mitigation

Hello,

I am writing to report a potential Regular Expression Denial of Service (ReDoS) vulnerability or Inefficient Regular Expression in the project. This issue arises when specially crafted input strings are used in the context of distributed, high-volume requests, potentially leading to a denial-of-service attack.

Location of Issue:

The vulnerability is related to a regular expression used in the following validation file, which may result in significantly prolonged execution times under certain conditions.

re := regexp.MustCompile(`(?s)<(?:style|script)[^<>]*>.*?</(?:style|script)>|</?[a-z][a-z0-9]*[^<>]*>|<!--.*?-->`)

PoC Files and Comparisons:

// Proof of concept
package main
import ("io/ioutil"; "os"; "regexp")
func main() {
	filename := os.Args[1]
	content, err := ioutil.ReadFile(filename)
	if err != nil { panic(err) } // abort on read failure
	re := regexp.MustCompile("(?s)<(?:style|script)[^<>]*>.*?</(?:style|script)>|</?[a-z][a-z0-9]*[^<>]*>|<!--.*?-->")
	re.ReplaceAllString(string(content), "")
}

PoC Files Here:
poc.zip

To evaluate the performance of this inefficient regular expression matching with varying input contents, the following commands can be executed within the PoC folder:

time ./poc AttackString10MB.txt
# real    72m38.173s
# user    72m30.083s
# sys     0m5.653s
time ./poc RandomString10MB.txt
# real    0m0.029s
# user    0m0.016s
# sys     0m0.026s
time ./poc AttackString1MB.txt
# real    0m54.028s
# user    0m53.917s
# sys     0m0.088s
time ./poc RandomString1MB.txt
# real    0m0.011s
# user    0m0.007s
# sys     0m0.011s

The significant difference in processing time between random strings and malicious strings highlights the potential effectiveness of this regex for malicious exploitation. As the string length grows, the nonlinear increase in processing time reflects potentially greater risks.

Proposed Solution:

A possible mitigation strategy could include limiting the input length to prevent excessive processing times. If the corresponding function or feature is not in use, it is recommended to clean up risky third-party packages or code content to prevent malicious exploitation through methods such as code injection.

Additional Considerations:

Historically, it was believed that using regex engines with non-backtracking implementations (such as those in Rust or Go) would not lead to ReDoS vulnerabilities. However, recent studies have shown that this is not always the case. I recommend an assessment of how this issue might impact this project.

Thank you for your attention to this matter. Your evaluation and response to this potential security concern would be greatly appreciated.

Best regards,
