Approved Calls
Overview
This policy provides an additional security layer, by having the sender first submit the transaction's data for off-chain validation before it can be sent your protocol's smart contract.
Protected Attack Vector
This policy protects against attacks that are difficult (or impossible) to detect on-chain by integrating advanced off-chain security checks. One such example is detecting a transaction that will cause a bridge imbalance across two (or more) separate networks.
How It Works
Before sending a transaction to the blockchain, your DApp needs to send the transaction data to a Signer API.
If the transaction passes all checks performed by the Signer API, a secure signature will be returned.
The DApp can now submit this signature to the policy by calling the
approveCallsViaSignature()
method.Finally, the DApp can now submit the original transaction and it will be allowed to go through.
Coming Soon: We're building a DApp SDK to make this integration seamless for DApps.
Setup Instructions
Deploy your own version of this policy (see Source Code).
Add the newly deployed policy to the Firewall (you can do this Globally or Per-Method, see Policy Administration).
That's it!
If you're just getting started, we recommend you use Ironblocks' Signer API
Step By Step Example
Before submitting your transaction to the blockchain, send it to a Signer API to get a secure signature:
The
response
object has the following interface:
NOTE: Your response will have a
Status Code 200
whether it's approved or rejected , as long as it was validly transmitted and received.
Once you receive the signature you can register your signature with the policy, which will allow the original transaction to pass when submitted on-chain. You do this by calling the
approveCallsViaSignature()
method on the policy.
Properties
approvedCalls
mapping
(address => bytes32[])
maps a sender (tx.origin
) to it's signed call hashes
approvedCallsExpiration
mapping
(address => uint256)
maps a sender to most recent timestamp of an approved call
Methods
approveCallsViaSignature()
function approveCallsViaSignature(bytes32[] calldata _callHashes, uint256 expiration, address txOrigin, uint nonce, bytes memory signature)
function approveCallsViaSignature(bytes32[] calldata _callHashes, uint256 expiration, address txOrigin, uint nonce, bytes memory signature)
Approves a call via a secure signature (from the Signer API)
_callHashes
bytes32[] calldata
the call hashes to approve
expiration
uint256
the expiration time of these approved calls
txOrigin
address
the transaction origin of the approved hashes
nonce
uint
used internally to prevent replay attacks
signature
bytes memory
the signature of the signer with the above parameters
Security Lifecycle
This policy runs during the Firewall's Pre-Execution hook.
Source Code
On our GitHub repository: ApprovedCallsPolicy.sol
Last updated