perawallet / pera-wallet

Source code for Pera Wallet, simply the best Algorand wallet.
https://perawallet.app
Other
190 stars 60 forks source link

Please support sign LSIG from SDK #102

Closed emg110 closed 1 year ago

emg110 commented 1 year ago

Signing Logic Sigs is a must for Web3 wallets! Please support it!

pbennett commented 1 year ago

LSIGs are the signature and are supported in atomic transaction groups passed through to Pera. Do you mean Delegated Signatures ? These are insanely dangerous. dApps shouldn't be using these nor normalizing their use. Users could trivially sign away all rights to their account by signing a 1 line TEAL program.

emg110 commented 1 year ago

Hey buddy! MG here! As it is clearly written I know the transactions are supported but I exactly meant the SIGNING of LOGIC SIGNATURES (signLogicSig() method which is available in MyAlgo wallet connect API) by Pera and if it is going to be supported or just dropped because it is dangerous (which is not a good reason for not supporting that method IMHO! For example, if you just create an LSIG for non-critical transactions like calling ABI methods with no payments or close out or... then they can be a very good tool to reduce the number of annoying signatures users get asked to provide while working with dApp.

pbennett commented 1 year ago

A regular lsig is by definition, already signed. These work just fine w/ Pera. Delegated signatures are crazy dangerous though and I don't think should be something signable by user wallets unless they popped up MASSIVE warnings (like alarm bells going off sort of thing) because users will never be able to look at the TEAL and verify its something safe to sign control of their keys over to that TEAL.

emg110 commented 1 year ago

I completely agree with informing users and warnings and stuff but yet again the feature is there and like a knife can be used both to kill or to perform surgery! That does not make it unnecessary! It just needs more caution by developers and I 100% agree with you on that. Now back to the question, is this sensitive feature going to be supported as it is available on SDKs and also MYAlgo Wallet? Or just will be ignored and dropped because it can be dangerous as well? I just want to know the strategy and plan regarding this from Pera, so that as a Dev I can have my own plan based on the response! Million thanks for your answers dear Patrick!

taylanpince commented 1 year ago

Hello, this feature is currently not available in the mobile Algo SDK. So we don't have a way of integrating it. It's also not a big priority for us to support it, for the same reasons @pbennett highlighted above. If we do implement it, delegated signatures will probably contain a massive warning essentially telling the user to not sign it.

Our view on this is that delegated signatures should not be used. We are urging all developers to move away from this dangerous model.