Create KMS signer for web3py EVM chain transactions #30

Closed
btcookies opened this issue Sep 7, 2021 · 6 comments

Comments

@btcookies

btcookies commented Sep 7, 2021

Background
Badger relies on many keepers to maintain vaults, rebase digg, collect fees, distribute rewards, and other miscellaneous tasks. These keepers are hosted across Kubernetes clusters, most of which are cron jobs that execute on set schedules and then terminate. This architecture requires private keys to be dynamically accessed at execution in order to sign and submit transactions.

Currently we are storing the keys in AWS Secrets Manager and restricting access to k8s service account IAM roles on a pod-by-pod basis. At the time of execution, the container makes a get_secret_value request via boto3 to retrieve the secret, decrypts it with KMS, and passes the value into web3 to sign and submit transactions. This solution is less than ideal because the private key can be accessed by the program, which, if code reviews are not diligent, could result in the raw key value being logged or transmitted outside of the execution environment.

The proposed solution to this is to use KMS to generate and store private keys and pass transaction objects to KMS where KMS can handle signing without ever exposing the key. Here is a medium article explaining how KMS can be used to sign Ethereum transactions while maintaining the highest levels of security.

Desired Outcome
This bounty is for creating a python solution for signing raw web3py transactions with keys generated by and hosted in KMS. The ideal solution will create a Python module that can be imported to keeper codebases and used alongside web3py to sign transactions. I should be able to submit a transaction object and a kms key arn or id and receive back a signed transaction that can be submitted to the chain. The module should have a full test suite and there should be documentation explaining how it can be tested and used.

We will pay 100 BADGER for the best quality submission with a good readme, working tests, and a way to import via PyPI. We will pay another 250 BADGER if/when we're successfully able to use it to sign and execute transactions via KMS.

Note that there is an AWS component here. It would be amazing/make it much faster/more likely for us to use your code if you could provide terraform modules to build out keys that worked with it and/or very good documentation on how to setup the AWS side. As you get close to completion, make sure to come to talk to us on our builder discord about integration.

Here's an example of how we're initially thinking it could be used

from ethereum_kms_signer import sign_transaction  # the proposed module; does not exist yet at the time of this issue
from web3 import Web3

# node_url, address, abi and nonce are placeholders the keeper supplies;
# `address` must be the Ethereum address derived from the KMS public key
web3 = Web3(Web3.HTTPProvider(node_url))
contract = web3.eth.contract(address=address, abi=abi)

# build the unsigned transaction; web3py fills in gas, gasPrice and chainId
tx_obj = contract.functions.function_name().buildTransaction(
    {
        "nonce": nonce,
        "from": address,
    }
)

# KMS signs the transaction hash; the private key never leaves KMS
signed_tx = sign_transaction(tx_obj, "example_kms_key")
tx_hash = signed_tx.hash
web3.eth.send_raw_transaction(signed_tx.rawTransaction)
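The part of the bounty that usually goes wrong is the step the issue glosses over: KMS returns a plain DER-encoded ECDSA signature, but an Ethereum transaction needs (v, r, s) with a low s (EIP-2) and a recovery id v that lets nodes derive the sender without the public key. The block below is an added example written for this page; it is not code from the issue or from any submitted package. It assumes a KMS asymmetric key with KeySpec ECC_SECG_P256K1, signing via `kms.sign(KeyId=..., Message=digest, MessageType="DIGEST", SigningAlgorithm="ECDSA_SHA_256")` over the 32-byte keccak256 hash of the unsigned transaction, and `kms.get_public_key(KeyId=...)["PublicKey"]` returning a DER SubjectPublicKeyInfo whose last 65 bytes are the uncompressed point 0x04||X||Y. So that it runs offline, `FakeKms` stands in for the boto3 client (same byte formats, same raw ECDSA output that may have a high s) and a SHA-256 of constructed bytes stands in for the keccak256 transaction hash; the function and class names are the example's own.

```python
import hashlib, hmac, secrets

# secp256k1 domain parameters (the curve behind KMS KeySpec ECC_SECG_P256K1)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2:
        if (y1 + y2) % P == 0: return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, A):
    """Double-and-add scalar multiplication (not constant-time; the signer only handles public data)."""
    R = None
    while k:
        if k & 1: R = _add(R, A)
        A = _add(A, A)
        k >>= 1
    return R

def der_to_rs(sig):
    """Parse the DER ECDSA-Sig-Value (SEQUENCE of two INTEGERs) that KMS Sign returns."""
    assert sig[0] == 0x30 and sig[2] == 0x02, "not a DER ECDSA signature"
    rlen = sig[3]
    r = int.from_bytes(sig[4:4 + rlen], "big")
    assert sig[4 + rlen] == 0x02, "missing s INTEGER"
    slen = sig[5 + rlen]
    return r, int.from_bytes(sig[6 + rlen:6 + rlen + slen], "big")

def der_from_rs(r, s):
    """Inverse of der_to_rs; used by the stand-in signer (and handy in tests)."""
    def enc(i):
        b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
        if b[0] & 0x80: b = b"\x00" + b          # keep the DER INTEGER positive
        return b"\x02" + bytes([len(b)]) + b
    body = enc(r) + enc(s)
    return b"\x30" + bytes([len(body)]) + body

def point_from_uncompressed(b):
    """The last 65 bytes of the DER SPKI from KMS GetPublicKey are 0x04 || X || Y."""
    assert b[-65] == 0x04, "expected an uncompressed secp256k1 point"
    return int.from_bytes(b[-64:-32], "big"), int.from_bytes(b[-32:], "big")

def recover(digest, r, s, recid):
    """ECDSA public-key recovery: Q = r^-1 * (s*R - z*G), R.y parity chosen by recid (r < N assumed)."""
    z = int.from_bytes(digest, "big")
    c = (r ** 3 + 7) % P
    y = pow(c, (P + 1) // 4, P)                  # square root works because P = 3 (mod 4)
    if y * y % P != c: return None               # r is not an x-coordinate on the curve: bad signature
    if y % 2 != recid: y = P - y
    zG = _mul(z, G)
    return _mul(pow(r, -1, N), _add(_mul(s, (r, y)), (zG[0], (-zG[1]) % P)))

def kms_sig_to_eth(digest, der_sig, pubkey, chain_id=None):
    """Convert a KMS signature over keccak256(unsigned tx) into Ethereum's (v, r, s)."""
    r, s = der_to_rs(der_sig)
    if not (0 < r < N and 0 < s < N): raise ValueError("r or s out of range")
    if s > N // 2:      # KMS does not enforce EIP-2 low-s; negating s keeps the signature valid
        s = N - s       # but flips the recovery id, so recid is determined only after this step
    for recid in (0, 1):
        if recover(digest, r, s, recid) == pubkey:
            v = recid + (chain_id * 2 + 35 if chain_id is not None else 27)   # EIP-155 or legacy v
            return v, r, s
    raise ValueError("signature does not recover to the KMS public key")

class FakeKms:
    """Stand-in for boto3's KMS client (same byte formats); the key is local only for this demo."""
    def __init__(self, priv=None):
        self._d = priv or (secrets.randbelow(N - 1) + 1)
        self._pub = _mul(self._d, G)
    def get_public_key(self):
        return b"\x04" + self._pub[0].to_bytes(32, "big") + self._pub[1].to_bytes(32, "big")
    def sign(self, digest):   # like Sign(MessageType="DIGEST", SigningAlgorithm="ECDSA_SHA_256")
        z = int.from_bytes(digest, "big")
        k = int.from_bytes(hmac.new(self._d.to_bytes(32, "big"), digest, hashlib.sha256).digest(), "big") % N or 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * self._d) % N    # raw ECDSA: s may exceed N/2, as with real KMS
        return der_from_rs(r, s)

def demo(priv=None, chain_id=1):
    """Constructed end-to-end run; the digest stands in for keccak256(rlp(unsigned tx))."""
    kms = FakeKms(priv)
    digest = hashlib.sha256(b"constructed unsigned transaction").digest()
    pub = point_from_uncompressed(kms.get_public_key())
    return kms_sig_to_eth(digest, kms.sign(digest), pub, chain_id)
```

Two things a real integration still needs on top of this: the sender address, which is the last 20 bytes of keccak256(X||Y) of the KMS public key (left out here because `hashlib.sha3_256` is NIST SHA-3, not keccak, so a keccak implementation such as `eth_utils.keccak` is required), and a key policy that grants only `kms:Sign` and `kms:GetPublicKey` to the keeper's IAM role, never `kms:GetPublicKey`'s private counterpart, since an asymmetric KMS key cannot be exported at all, which is the whole point of the design.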
@gitcoinbot

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


This issue now has a funding of 350.0 ETH (1186436.52 USD @ $3389.82/ETH) attached to it.

@colliepixels

colliepixels commented Sep 8, 2021 via email

@gitcoinbot

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


Work has been started.

These users each claimed they can complete the work by 1 week, 5 days from now.
Please review their action plans below:

1) meetmangukiya has started work.

Python package that allows to sign and send ETH transactions using keys stored in AWS KMS.
2) sejpalkalpesh has started work.

A python package that will sign ETH transactions using AWS KMS without fetching a private key.
3) viswanathkgp12 has started work.

Shall implement ethereum KMS signer

Learn more on the Gitcoin Issue Details page.

@gitcoinbot

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


Work for 350.0 BADGER (5509.00 USD @ $15.74/BADGER) has been submitted by:


@gitcoinbot

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


Work for 350.0 BADGER (5509.00 USD @ $15.02/BADGER) has been submitted by:

  1. @meetmangukiya

@Tritium-VLK please take a look at the submitted work:


@gitcoinbot

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


The funding of 350.0 BADGER (2726.50 USD @ $7.84/BADGER) attached to this issue has been approved & issued to @meetmangukiya.

4 participants