How does Web3-Token verify method really work and is it really secure?
I have read how Web3 Auth works and this picture shows it:
It seems that the web3-token.verify method is completely sync and it is a bunch of base64 decode and verify. But hypothetically if I completely re-implement the front end library to mimic the Ethereum API to generate signature with my own public/private key pairs and address. Would I be able to impersonate any address?
As stated in the web3-token package.json, this package implements the EIP-4361 standard (which is currently unfinished in May 2022).
Its actual signature part uses asymmetric cryptography - signing the message with the signer's private key, and verifying the signature with their public key.
The only way to impersonate an address is to bypass the verification and treat the signer as 0x123 on the application level even though they are in fact 0x456. But it's not possible to bypass the math behind the cryptography and sign a message for them if you don't know their private key.
Here's a great article describing the signature mechanics in more depth.
- Calling ownerOf() on an ERC-721 contract via my contract throws "Error: Transaction reverted: function returned an unexpected amount of data"
- Nft Minter Dapp - Unable to mint the nft
- Create random Wallet with connection to a specific provider via ethers.js
- Where does this smart contract send the money?
- Is it possible to get the ABI of a contract without the source code?
- Is it possible to store images on the Ethereum blockchain?
- How to find erc20 tokens balance
- Verifying Ethereum (Web3) signed message in PHP
- How can I re create raw transaction from the transaction receipt to verify v,r,s signature?
- Error: cannot estimate gas; transaction may fail or may require manual gas limit (Sepolia test Network)
- "Migrations" hit an invalid opcode while deploying
- Extracting emitted events (logs) from geth transaction trace (debug_traceCall)
- Merkle tree with level DB log merge tree
- How to Upgrade from ERC-721 to ERC721A in a Web3 Project Using JSON ABI?
- Does the "holy trinity" (Ethereum, Swarm and Whisper) support multimedia streaming?
- Representing NFT wallet addresses in Django model fields
- How can I get the same return value as solidity `abi.encodePacked` in Golang
- How to get ETH or BSC unverified contract ABI
- Get/guess unverified contract's external methods
- Calculate ERC20 token buy/sell tax
- How to store ETH in the Smart Contract?
- Generate Mnemonic Phrase from window.crpyto.subtle.generateKey
- Calling a smart contract without the ABI in Web3.py
- Importing ethers via Hardhat fails despite official testing documentation
- How to calculate sqrtPricex96 for uniswap pool creation?
- Availability of Ethereum Snapshots for Fast Node Sync
- How to Deploy Smart Contract on QBFT Besu network from Metamask?
- Truffle migrate Server Error (on truffle init demo)
- I am not able to use ipfs
- Collect holders of token (proxyble Contract)