Must a Solidity developer know the private keys to the wallet that is tied to a token contract?

To deploy a token contract, there must be a wallet address, am I right? Thus, must the coder be managing the wallet (with its private keys) that is used?

I'm looking at the scenario where someone outsourced the blockchain coding work to someone who is dishonest, and that coder could run away with the tokens if they know the private keys. Could they?

tokens contract-deployment private-key

edited Nov 20 at 10:25
shane

asked Nov 20 at 10:18
Rachel

4 Answers

To deploy something, a transaction needs to be signed by a private key. The signing can be done by someone other than the developer, but it gets a bit complicated in my opinion.

As I see it, you have at least a few different options:

1) The developer only develops code and you do all the rest (deployment and so on). When the code is ready, he gives that to you.

2) The developer deploys the ready product into a testnet where you can test it. Otherwise same as the first option.

3) The developer handles all deployments (also to mainnet), in which case he needs some private key (unless he sends you the bytecode, you sign a transaction of it and he continues with that, but that's a bit of a complicated approach). If wanted, the developer can then assign whatever ownership status to accounts which you control.

I guess all of the options are used in real life and I can't tell you which ones are the most common / best.

In general, I would not give the developer the final ownership of the contracts in mainnet, so he would only get paid after ownership has been transferred to you.

answered Nov 20 at 10:24
Lauri Peltonen

This is very debatable, since it is highly dependent on the contract code. In your contract code you can create an owner-only function that only the wallet (basically a private key) can execute, but that wouldn't fix your stolen private keys.

The other way is to implement a 2-out-of-3 blessings system that requires a minimum of 2 accounts out of 3 on Ethereum to give their blessings in order for a particular function to be executed, and that can give you more power over the private-key pirate.

You can check DAO's contracts and papers; they did implement many mechanisms to deal with this kind of situation.

answered Nov 20 at 10:27
Kaki Master Of Time

Short answer: no need to worry if you are the one signing the deployment transaction; you don't need developers for that.

1. Developers code and test with their wallets.
2. They give you the code and you deploy it with your wallet.

An easier way to do this: they can get the deployment code and ask you to sign it; they can then deploy it themselves, but the transaction will have been sent by you. Be careful about what you sign, though; they could give you a fake transaction.

answered Nov 20 at 10:42
Enrique Alcazar

To expand on it, if your contract has functionality that can only be used by the owner, there is usually an updateOwner function which would allow them to relegate you full control of that functionality.
– Enrique Alcazar
Nov 20 at 10:45
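
The warning in the answer above about being handed a fake transaction can be turned into a mechanical review before signing. This is an added example, not code from the answer or its author; it assumes a web3.js-style unsigned transaction object, a constructor that takes a single `address initialOwner` argument, and constructed addresses and bytecode.

```javascript
// Pre-signing review of an unsigned contract-deployment transaction.
// Assumed field names (web3.js style): to, value, gas, gasPrice, data, chainId.
// All addresses and bytecode below are constructed samples.

const strip0x = (hex) => (hex.startsWith("0x") ? hex.slice(2) : hex).toLowerCase();

// Returns a list of reasons not to sign; an empty list means every check passed.
// Assumption: the reviewed constructor takes one argument, `address initialOwner`.
function reviewDeploymentTx(tx, expected) {
  const problems = [];

  // A contract creation has no recipient. A filled-in `to` makes this a call
  // or a transfer to an existing account, not a deployment.
  if (tx.to !== undefined && tx.to !== null && tx.to !== "") {
    problems.push("`to` is set: this is not a contract creation");
  }
  // Deploying the token should not move any ETH out of your account.
  if (BigInt(tx.value ?? 0) !== 0n) {
    problems.push("non-zero value: signing would send ETH");
  }
  // With EIP-155 the chain ID is part of what you sign.
  if (Number(tx.chainId) !== expected.chainId) {
    problems.push("unexpected chainId");
  }
  // The fee you authorise is at most gas * gasPrice.
  if (tx.gas == null || tx.gasPrice == null) {
    problems.push("gas and gasPrice must be fixed before signing");
  } else if (BigInt(tx.gas) * BigInt(tx.gasPrice) > BigInt(expected.maxFeeWei)) {
    problems.push("fee ceiling exceeded");
  }

  // `data` must be the creation bytecode you compiled yourself from the
  // reviewed source, followed only by the ABI-encoded constructor arguments.
  const data = strip0x(tx.data ?? "");
  const code = strip0x(expected.creationBytecode);
  if (!data.startsWith(code)) {
    problems.push("data does not start with your own compiled bytecode");
    return problems;
  }
  const args = data.slice(code.length);
  // One `address` argument is ABI-encoded as a single 32-byte word:
  // 12 zero bytes of padding, then the 20-byte address.
  if (args.length !== 64 || args.slice(0, 24) !== "0".repeat(24)) {
    problems.push("constructor arguments are not a single address");
  } else if (args.slice(24) !== strip0x(expected.ownerAddress)) {
    problems.push("initial owner would be 0x" + args.slice(24));
  }
  return problems;
}

// --- constructed sample input ---
const MY_ADDRESS = "0x" + "11".repeat(20);  // the client's account (constructed)
const DEV_ADDRESS = "0x" + "22".repeat(20); // the contractor's account (constructed)
// Short stand-in for real compiler output (constructed).
const MY_BYTECODE = "0x608060405234801561001057600080fd5b50";
const word = (addr) => "0".repeat(24) + strip0x(addr);

const EXPECTED = {
  chainId: 1,
  creationBytecode: MY_BYTECODE,
  ownerAddress: MY_ADDRESS,
  maxFeeWei: "50000000000000000", // 0.05 ETH
};

const honestTx = {
  value: "0x0", chainId: 1, gas: 2000000, gasPrice: "10000000000",
  data: MY_BYTECODE + word(MY_ADDRESS),
};
// Same code, but the constructor argument names the contractor as owner.
const swappedOwnerTx = { ...honestTx, data: MY_BYTECODE + word(DEV_ADDRESS) };
// Not a deployment at all: a plain transfer of 1 ETH to the contractor.
const notADeploymentTx = { ...honestTx, to: DEV_ADDRESS, value: "1000000000000000000" };
// Bytecode that differs from what you compiled.
const differentCodeTx = { ...honestTx, data: "0x60806040deadbeef" + word(MY_ADDRESS) };

for (const [name, tx] of Object.entries({ honestTx, swappedOwnerTx, notADeploymentTx, differentCodeTx })) {
  console.log(name, reviewDeploymentTx(tx, EXPECTED));
}
```

In practice `creationBytecode` comes from compiling the delivered source yourself; the compiler appends a metadata hash, so the compiler version and settings must match the developer's for the prefix check to pass.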














In order to deploy a contract, you need a private key. There is a public address associated with this private key that must have ETH in it in order to deploy the contract.

Contracts can be written in such a way that they either do or do not depend on the 'owner', or the person who created the contract. In the case of a token, it is not required that there be a specific owner, but the tokens must be distributed to the correct parties upon deployment.

You should never outsource work and provide a private key to your contractor. The best solution would be to have the person who is doing the work deliver to you a complete contract that you can simply deploy with your private key.

answered Nov 20 at 10:24
shane