In this opus we will examine the concept of obtaining closed keys that open the door to the world of expensive alcohol, elite women, and early death. The article is raw, graphomaniacal, theoretical, with a minimum of technical details, and written on my knees.
The essence of the idea is to create a service-layer between a lazy developer and a real cryptocurrency API.
We will take the following steps to bring our ideas to life:
Choosing a legitimate REST API. We want our service to be working, i.e. performing its functions;
Bookmarking the libraries to send the private key;
Writing a server part to relay requests;
Positioning and promoting it to the masses;
Gathering the cream.
1. Selecting the REST API.
At the moment there is not a great variety of offerings on the market. Here are the main options:
https://bitcore.io/
https://www.blockchain.com/
https://www.coinbase.com/
https://infura.io/
https://docs.nomics.com/
https://tierion.com
https://www.factom.com/
For example, you can take infura.io – api for Ethereum and coins written based on it. You can get unlimited number of free accounts with limit of 100k requests per day by simple registration via email. For the more serious guys there is a paid api – 5 million queries per day for $ 1k per month. Create a new project and get the keys to access the service. We will need them later.
2. Hiding the bookmarks
The most important and non-trivial point. The more perverted we hide the private key, the more chances we have for the whole operation to be successful. In order for developers to be interested in our libraries they must be simple and easy to use, as well as transparent in terms of security. The list of PLs is large, the methods for each of them need to be thought out. Real services in terms of working with private keys work as follows:
– A transaction is formed and signed locally
– The signed transaction is translated into the network
Let’s see the source code in python and the documentation for the web3py example:
https://github.com/ethereum/web3.py
https://web3py.readthedocs.io/en/stable/web3.eth.html
signed_txn = w3.eth.account.sign_transaction(dict(
nonce=w3.eth.get_transaction_count(public_address_of_senders_account),
gasPrice=w3.eth.gas_price,
gas=100000,
to=’0xd3CdA913deB6f67967B99D67aCDFa1712C293601′,
value=12345,
data=b’,
),
private_key_for_senders_account,
)
The easiest solution is to hide the private key either in signed_txn or in w3.eth object. Of course, it should not be in clear form, as it will be caught quickly by any traffic analyzer. It will have to be:
(a) Encrypt it;
b) disguise it as service data.
If point A should not be a problem, then point B will be a major headache.
I will tell my thoughts floating on the surface: transmitted private key must be different all the time, if we pass the same private key in two different transactions, we must add some salt. This can be a random number or any algorithm with a small range of return values. With a range of salt, if it is not too big, and an encryption algorithm, we can decrypt it with a small bruteforce. The main difficulty is the positioning of this data. As options: we encrypt the signed transaction to pass it to the network not in clear, we position it as anonymous, in the encrypted data or additional data for decryption we hide our private key. Or send it as a service cookie. Or we break it up and hide it in different places. Any code written in a public article will immediately lose its value, so I won’t even bother with examples.
Well, it’s REST-API, you might say, you can send a manual post/get request and check it. We can leave REST-API working without bookmarks and add them only in dll. We can even leave the source code without bookmarks or with errors in build. Yes, some users will use our service without bookmarks, but not all, developers are lazy people, and they are more likely to take a ready dll, rather than build it from source.
3. Server part
Here everything is simple.
– We receive a request from the client.
– Make a request to infura or similar
– Receive, process, send client a response
– Decrypt private key, take wallet address from transaction, save to database.
It’s a matter of technique. For clients using our service only for monitoring without transactions, we introduce artificial restrictions.
4. Positioning and promotion
We need to get the developers interested. Here we have several ways:
– freebies;
– simplicity;
– narrow specialization;
– anonymity;
– functionality not available in others
Let your imagination go free. You can write a cms for a .onion store, you can write a library for RUBY projects. Write documentation and examples. Create subscriptions to events with a purse, for example, balance changes. You can get the ins and outs of the service from the questions on the forums, from the comments on githab. There are enough problems and inconveniences, the choice of convenient or universal API for payments – is an existing and eternal problem. You can build up the community first, and then release the second version of api with bookmarks. It’s better to build up the community on a site under your control so you can promptly react to users’ reactions. We advertise as a white service, the competition in this segment is minimal.
5. Clearing the stash
Sooner or later we’ll probably get tired of playing white and fluffy service, we’ll get hungry. In this case, let’s write a simple script that drains all balances from our saved wallet-key pairs. Example of receiving and sending a transaction using web3py:
response = requests.post(“https://api.etherscan.io/api?module=account&action=balance&address=” + adress_senders + “&tag=latest&apikey=” + settings.etherscan_API).json()
balanceETH = int(response[“result”])
gasPrice = w3.eth.gasPrice
if balanceETH> gas * gasPrice:
signed_txn = w3.eth.account.signTransaction({
“nonce”: w3.eth.getTransactionCount(adress_senders),
“gasPrice”: gasPrice,
“gas”: gas * gasPrice,
“to”: adress_recipient,
{ “value”: (balanceETH- gas * gasPrice)
}, private_key_for_senders_account)
w3.eth.sendRawTransaction(signed_txn.rawTransaction)
We can also write simple triggers for urgent balance draining, for example, monitoring the total amount of balances with certain periodicity and triggering auto-drain when it drops significantly. It is important to catch the moment when we begin to lose confidence. Also, you can make a trigger for a large transaction, passing through us, and make an auto-drain at the same time with it.
To summarize: the volume of funds passing through even modest crypto-api every day is impressive, it is quite real to catch some big HYIP projects in your net, the technical moments are moderately complicated. IMHO, I sincerely think that the idea is realistic to implement with skilled hands.