Commit 0a0cbdf6 authored by Kegan

Restructured docs

parent ce5df6ad
# Steam<->ETH Linking Contract
Problem: we need a way to get a player's NFTs from DayZ
Solution: If we know the players ETH wallet, and can validate that on chain, we can extract their SteamIDs.
## Validating Steam Accounts on Chain
We need a mechanism that stores our SteamID on chain and relates this to our ETH wallet.
To achieve this we'll use a mapping of Wallet->SteamID
## Remaining Anonymous
One key aspect of the blockchain is the ability for wallet holders to remain anonymous. Having a smart contract that identifies your steam account really breaks this feature, and would lead to a lot of users not willingly participating.
In order to remain anonymous, we need to:
1. Hash the SteamID value
2. Hash the Wallet value
In this fashion, the data stored on chain is Hash<->Hash. Therefore, it would be impossible to extrapolate a steam account from a wallet or the reverse of that.
This does, however, limit our actions of the contract to simply validating an account link.
### Anonyminity flaw
Calling LinkAccount creates a potential exposure. If an attacker dumped every call to LinkAccount, they could pre-hash the target's SteamID and compare that to the calling data of each transaction to find the original caller.
This could be done with Bloxy (to dump transactions) and `web3.toAscii(transactionID.input)` to dump the input SteamID hash.
This flaw is even more serious as the caller to LinkAccount must be the account we're linking the steamid to, otherwise it would be impossible to validate ETH wallet ownership.
## Putting it together
We need a few key functions
1. `LinkAccount` which will set the steamid hash associated with our account.
2. `Verify` which will validate an eth wallet and steam id are linked.
LinkAccount should hash the caller's wallet and map it to the hashed steamid input argument
Verify should extract the mapped wallet steamid link and compare it with the inputs to ensure a match
## Vulnerabilities
Smart contracts have no real reason to link themselves to a steam account & therefore should be blocked from the LinkAccount method.
## TODO
- Any way to solve this flaw in the anonyminity process?
- If we can't solve the anonyminity, why are we wasting gas hashing the linker's ETH wallet?
\ No newline at end of file
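Review bot: In "Remaining Anonymous", the sentence "it would be impossible to extrapolate a steam account from a wallet or the reverse of that" is contradicted by the "Anonyminity flaw" section directly below it. That section describes matching a pre-hashed SteamID against the call data of each LinkAccount transaction, and it notes that the caller must be the wallet being linked, so a match gives the wallet as well. Suggest rewording the claim to say the stored mapping is not directly readable, rather than impossible to reverse, and listing the flaw under "Vulnerabilities" next to the smart-contract caller issue. Also worth reconciling: the opening "Solution" line says we can "extract their SteamIDs", while the hashed design is later said to limit the contract "to simply validating an account link". Lastly, the heading and both TODO items spell "Anonyminity" where "Anonymity" is meant.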