2

I'm creating my first Ethereum contract with Truffle. I want the web application to be usable without MetaMask, so I was wondering if it is a good idea to run my own private node and to connect from the frontend like this:

this.web3 = new Web3(new Web3.providers.HttpProvider('http://my-public-ip:8545'));

Are there any security risks with this approach?

4

1 Answer 1

8

I'm answering my own question because it seems that a lot of people are making the same mistake that I did and losing their ether!

  1. I set up a publicly accessible node like this:

    geth --mine --nodiscover --maxpeers 0 --networkid 1 --rpc --rpccorsdomain "*" --rpcaddr "my-public-ip" --rpcapi="db,eth,net,web3,personal,web3"

  2. I created a new Ethereum account that is going to be my "contract owner" account

  3. I transferred a small amount of ether into the "contract owner" account so I would have enough gas to deploy my new contract
  4. I set up Truffle to connect to my Ethereum node
  5. I used the Truffle console to unlock my account
  6. I got error "Error: exceeds block gas limit"

At this point I was confused because I saw on Etherscan that I had about 10 USD worth of ether in my account, which should have been enough to deploy my contract.

I checked Etherscan again and I saw an "outgoing" transaction draining all my money from the Ethereum address.

After some research, this is how the money was stolen:

  1. A bot found out about my public Ethereum node
  2. It connected to it and requested the account list + account balances
  3. It started sending "sendTransaction" requests non-stop
  4. When I unlocked my account on the public node to deploy my contract, the bot that was using the same node also got access to my account and it transferred the funds from my account

I'm writing this to prevent other developers from making the same mistake. The bot address is: https://etherscan.io/address/0x957cd4ff9b3894fc78b5134a8dc72b032ffbc464#comments

There are tons of comments from people who got their ether stolen. And I'm not talking about my 10 USD; so far the bot has stolen:

ETH Balance:    37,070.060208365548676156 Ether
ETH USD Value:  $16,642,974.23 (@ $448.96/ETH)

This should be on StackOverflow because I got into this situation while following tutorials around the web, and nobody explained the risks and what may happen.

answered 2017-12-06T09:50:00.347
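As an added example (not code from the question or the answer above), here is a small self-audit script for the three settings that made the node in the answer exploitable: the HTTP-RPC endpoint bound to a public address, CORS opened to `*`, and the `personal` namespace (which exposes account unlocking) included in the RPC API. It also checks a reply to geth's `rpc_modules` method, which lists the namespaces a running node advertises. The script uses only the Python standard library; the `rpc_modules` reply embedded below is constructed, and the hardened command line is an assumption about a sensible configuration, not something the answer states. Newer geth releases spell the legacy `--rpc*` flags as `--http.*`, so both forms are recognised.

```python
import json
import shlex

# JSON-RPC namespaces that let a caller manage or spend from the keystore
# accounts held by the node itself. They must never be reachable from the
# network; 'personal' is the one that cost the author above their ether.
DANGEROUS_MODULES = {"personal", "admin", "debug", "miner"}

# Addresses on which an HTTP-RPC listener is not reachable from outside the host.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Legacy geth spelling (as in the answer) and the newer --http.* spelling.
FLAG_ALIASES = {
    "enable": ("--rpc", "--http"),
    "addr": ("--rpcaddr", "--http.addr"),
    "cors": ("--rpccorsdomain", "--http.corsdomain"),
    "api": ("--rpcapi", "--http.api"),
}

# The exact command line from the answer above.
EXPOSED_CMDLINE = (
    'geth --mine --nodiscover --maxpeers 0 --networkid 1 --rpc '
    '--rpccorsdomain "*" --rpcaddr "my-public-ip" '
    '--rpcapi="db,eth,net,web3,personal,web3"'
)

# Assumed hardened configuration: loopback only, read/broadcast namespaces only,
# no CORS wildcard. The keystore with the owner account should not live on this
# node at all; sign transactions elsewhere and submit them via eth_sendRawTransaction.
HARDENED_CMDLINE = "geth --rpc --rpcaddr 127.0.0.1 --rpcapi eth,net,web3"

# Constructed reply to the `rpc_modules` JSON-RPC call, shaped like geth's output.
SAMPLE_RPC_MODULES_REPLY = (
    '{"jsonrpc":"2.0","id":1,"result":'
    '{"db":"1.0","eth":"1.0","net":"1.0","personal":"1.0","web3":"1.0"}}'
)


def _flag_value(tokens, names):
    """Return the value of the first matching flag, accepting both the
    --flag=value and the --flag value spellings; None when the flag is absent."""
    for i, tok in enumerate(tokens):
        for name in names:
            if tok == name and i + 1 < len(tokens):
                return tokens[i + 1]
            if tok.startswith(name + "="):
                return tok[len(name) + 1:]
    return None


def audit_geth_cmdline(cmdline):
    """Return a list of human-readable findings for a geth command line."""
    tokens = shlex.split(cmdline)
    findings = []
    # Boolean enable flag: compare the bare flag name so --rpcaddr does not match --rpc.
    enabled = any(tok.split("=", 1)[0] in FLAG_ALIASES["enable"] for tok in tokens)
    if not enabled:
        return findings  # no HTTP-RPC listener, nothing to reach

    # geth binds to 127.0.0.1 when no address is given.
    addr = _flag_value(tokens, FLAG_ALIASES["addr"]) or "127.0.0.1"
    if addr not in LOOPBACK:
        findings.append(f"HTTP-RPC bound to non-loopback address {addr!r}: reachable from the network")

    cors = _flag_value(tokens, FLAG_ALIASES["cors"])
    if cors == "*":
        findings.append("CORS domain '*': any web page a visitor opens can call this node from their browser")

    api = _flag_value(tokens, FLAG_ALIASES["api"]) or ""
    exposed = sorted(DANGEROUS_MODULES & {m.strip() for m in api.split(",")})
    if exposed:
        findings.append("account-managing RPC namespaces exposed: " + ", ".join(exposed))
    return findings


def audit_rpc_modules(response_text):
    """Return the dangerous namespaces advertised in a reply to geth's rpc_modules call."""
    modules = json.loads(response_text).get("result", {})
    return sorted(DANGEROUS_MODULES & set(modules))


if __name__ == "__main__":
    for label, cmd in (("exposed", EXPOSED_CMDLINE), ("hardened", HARDENED_CMDLINE)):
        print(f"[{label}] {audit_geth_cmdline(cmd) or 'no findings'}")
    print("rpc_modules advertises:", audit_rpc_modules(SAMPLE_RPC_MODULES_REPLY))
```

Run against the command from the answer, the audit reports all three findings; the hardened line reports none. The sequence the answer describes (the bot hammering `eth_sendTransaction` until the owner unlocks the account) only works when `personal` is reachable over the network, so the most important finding is the last one: even a loopback-only node is safer when the `personal` namespace is left off the HTTP API and the frontend only needs `eth`, `net` and `web3`.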