Currently, when you configure a minipool, you have to provide a withdrawal address for when you decide to stop your minipool.
This is currently a form field that has some sanity checking in place.
People could, however, fill out a wrong address here. If the user does not have access to this wallet, he will not be able to withdraw his stake, potentially losing funds.
Rocket Pool solves this with a MetaMask + signature implementation on their website.
Proposed solution
Make the form field of the withdrawal address disabled by default and put a "connect wallet" button next to it.
When the user connects to his wallet, the button changes to "Sign" with a subtitle saying "to fill in withdrawal address - sign a message using metamask".
When the user hits the "Sign" button, he gets a MetaMask popup asking him to sign a message "Sign to confirm withdrawal address 0x.....". After the signature is created, the client verifies the validity of the signature and fills out the address.
Underneath the field is a link, "fill out address manually"; when clicked, it enables editing the field (for those who don't have MetaMask or are incapable of signing the message, for example if the withdrawal wallet is not imported in your MetaMask).
TODO
[ ] Make the field read-only / disabled by default, plus a link that forces it to be enabled.
[ ] Implement a MetaMask connect button (using an existing React library) in the form, with a connect button next to the field.
[ ] A "Sign" button going through the flow as described above (send eth_sign to MetaMask) + verify signature.
[ ] When the signature is correct, fill out the address and change the button to "clear"; hitting clear clears the field and starts over.
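The connect, sign and verify flow from the proposal, as an added example that is not code from this project. It assumes an EIP-1193 provider such as MetaMask's `window.ethereum`, uses `personal_sign` where the TODO names `eth_sign`, and takes the signature-recovery function as a parameter (for instance ethers' `verifyMessage`); all function names are hypothetical.

```javascript
// Added example; function names are hypothetical, not from the project.
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// Message text from the proposal, bound to the address being confirmed.
function buildMessage(address) {
  return `Sign to confirm withdrawal address ${address}`;
}

// personal_sign takes the message as 0x-prefixed hex of its UTF-8 bytes.
function toHex(text) {
  const bytes = new TextEncoder().encode(text);
  return "0x" + Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Accept the address only if the signature over the exact message recovers
// to it. recoverSigner(message, signature) is injected (assumption: a
// library call such as ethers' verifyMessage in the real form).
function verifyWithdrawalSignature(address, signature, recoverSigner) {
  if (!ADDRESS_RE.test(address)) throw new Error("malformed address");
  const signer = recoverSigner(buildMessage(address), signature);
  // Wallets often return lowercase, libraries return EIP-55 mixed case.
  if (typeof signer !== "string" || signer.toLowerCase() !== address.toLowerCase()) {
    throw new Error("signature does not match withdrawal address");
  }
  return address;
}

// Full flow against an EIP-1193 provider (window.ethereum in the browser).
// Returns the address to put in the form field, or throws so the field
// stays empty (user rejected the popup, wrong signer, malformed input).
async function confirmWithdrawalAddress(provider, recoverSigner) {
  const [account] = await provider.request({ method: "eth_requestAccounts" });
  if (!account) throw new Error("no account connected");
  const signature = await provider.request({
    method: "personal_sign",
    params: [toHex(buildMessage(account)), account],
  });
  return verifyWithdrawalSignature(account, signature, recoverSigner);
}
```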