Search code examples
ethereumgo-ethereummetamask

Expose securely your network to make possible anyone can hit your smart contract

Im implementing a ethereum PoA network using go-ethereum

I have deployed a ERC20 Token on the network, and the idea is that the network must be accessed from any wallet on the internet (i.e metamask, myetherwallet, etc)

The idea for this network is:

  • Having N full nodes that are able to seal blocks (the nodes has the unlocked accounts)
  • Deploy a smart contract that is a ERC20 Token
  • Having one node that expose the network in order to be accessed from any origin, for example, Metamask, MyEtherWallet, a mobile app with a wallet, etc. The idea is that anybody can hit the ERC20 Token if they have the appropiate client.

In order to achive that, i create 2 full nodes that are in charge of sealing the blocks.

I run those nodes like this:

geth --datadir sealer1/  --syncmode 'full' --port 30351 --rpc --rpcaddr 'localhost' --rpcport 8502 --rpcapi='admin,personal,db,eth,net,web3,txpool,miner' --networkid 20 --gasprice '1' -unlock 'someaccount' --password s2/password.txt --mine

As you can see, there are some important things about those nodes:

  1. Unlocks the accounts
  2. Are only accessed from localhost (note the rpcaddres)
  3. Those nodes are miners

If i expose a node like that to the internet (enabling RPC access from any origin) any hacker could send the ether to another account, so, i create a third node, a standard node, that doesnt expose rpc apis but allows connections on port 8545 (in order to be hitted from metamask, myetherwallet, etc)

I run the node with this command:

geth --datadir standard1/ --syncmode 'full' --port 30352 --rpc --rpcport 8545--rpccorsdomain '*' --rpcaddr 'SERVER_PUBLIC_IP' --networkid 20 --gasprice '1'

as you can see this node:

  1. Doesnt unlock account
  2. Allow rpc accesing from any origin
  3. Doesnt expose rpc apis like personal, admin, etc

My questions are:

  • is this aproach secure?
  • Is there another way to allow anyone in the world to use Metamask to hit my smartcontract without open the RPC access on the standard node?

Why i have those questions?

Because there are a lot of places that doesnt recommend open RPC ports, so im not secure if:

  • Dont have a node exposed with unlocked accounts
  • Dont expose critical rpc apis like admin and personal

is enough to expose securely my node.

Here are some issues related with opening RPC access:

https://blog.blockdaemon.com/ethereum-geth-configuration-made-in-ireland-7ba2e876c6e3 https://www.reddit.com/r/ethereum/comments/4z0mvi/ethereum_nodes_with_insecure_rpc_settings_are/

https://www.reddit.com/r/ethereum/comments/3ird55/holy_shit_my_eth_accounts_been_hacked/

https://www.reddit.com/r/ethereum/comments/4jav5u/mist_wallet_has_2_sec_vulnerability_for_rpc/

https://blog.3or.de/internet-wide-ethereum-json-rpc-scans.html

https://www.bokconsulting.com.au/blog/7218-ethers-stolen-from-miner-with-rpc-port-open/

https://blog.ethereum.org/2015/08/29/security-alert-insecurely-configured-geth-can-make-funds-remotely-accessible/

Here the team lead of ethereum recomendation:

Ok, your setup seems insanely dangerous. --rpcaddr=external_address essentially opens up the node to anyone in the world to access it. Forthermore, --rpcapi 'admin,personal,db,eth,net,web3,txpool,miner' permits anyone with access to do absolutely anything. I can imagine someone from the internet is brute forcing the passwords.

https://github.com/ethereum/go-ethereum/issues/17417#issuecomment-413877558

Solution

  • is this approach secure?

    You get the general idea, yes, but there is room for improvement.

    1. First of all, I would never run a node that enables the personal API at the same time using -unlock which permanently makes the account accessible by anyone with access to your node. So imagine, someone has gained access to your node through some other doors, they would be able to immediately spend your funds from that account spawning transactions from localhost. Please, consider either only exposing safe APIs on that node or completely removing the unlock statement.
    2. If you insist having the sealing nodes configurated as stated above, add some hardening. There are multiple options, you can use strong firewall rule sets to block basically everything from the outside network except for the node communications on port 30351. Or, what I would do, is hiding disconnecting this node completely from the public Internet and only wire through the p2p traffic from this node to some other proxy node which is connected to both, your node and the other nodes on the Internet. This could come with drawbacks in network stability though.

    Is there another way to allow anyone in the world to use Metamask to hit my smartcontract without open the RPC access on the standard node?

    Have you considered looking into public PoA networks such as poa.net? This basically allows your users to connect metamask or mycrypto to the already existing infrastructure of POA.