studydefi / money-legos

💰One stop shop for Ethereum ABIs, addresses, and Solidity interfaces!
https://money-legos.studydefi.com/
MIT License

Add the ability to sign ABIs/contract addresses with the contract deployer key or SSL certificate #37

Closed bitcoinwarrior1 closed 4 years ago

bitcoinwarrior1 commented 4 years ago

The included contracts in this repo rely on trust, namely that the ABI and contract address actually match the correct contracts and not a scam contract.

While you are able to self-curate some contracts in this library by hand, this approach cannot scale for when there are many different contracts from many different authors.

Do you think it would be wise to add a feature which allows you to add your own contract to legos, with the underlying contract object (ABI + contract address) being canonicalised and signed by a valid authority such as the contract deployer or the SSL certificate of the contract issuer e.g. makerdao.cdp.com?

adrianmcli commented 4 years ago

Well, we would not be able to sign it with a key that we don't have. It would be up to the protocols to do that. And of course, if MakerDAO or Compound comes to us and says they want to do it, I see no reason not to entertain their proposal.

Nothing in this world is completely trustless; it's all a matter of degree. I need to emphasize that, like most libraries, this one is also a tool of convenience. If the requisite "trust" here is untenable, then you might want to replace all of the ABIs and addresses with hardcoded values before you push to production.
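
The canonicalise-and-sign idea from the issue, sketched as an added example that is not part of this thread or of money-legos. Assumptions: all function names are hypothetical, the key pair and address are constructed placeholders, and the signature is Node's built-in ECDSA/SHA-256 over secp256k1 rather than Ethereum's keccak-256 recoverable signature.

```javascript
// Added example, not money-legos code; all function names are hypothetical.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Deterministic JSON: object keys are sorted recursively, array order is
// preserved (ABI entries stay in their published order).
function canonicalize(value) {
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// The signed bytes bind chain, address and ABI together. The address is
// lowercased so checksum-cased and lowercase forms give the same payload.
function contractPayload({ chainId, address, abi }) {
  const body = { abi, address: address.toLowerCase(), chainId };
  return Buffer.from(canonicalize(body), 'utf8');
}

function signContract(contract, privateKey) {
  return sign('sha256', contractPayload(contract), privateKey).toString('base64');
}

function verifyContract(contract, signatureB64, publicKey) {
  const sig = Buffer.from(signatureB64, 'base64');
  return verify('sha256', contractPayload(contract), publicKey, sig);
}

// Constructed sample data: throwaway key pair and a placeholder address.
const { privateKey, publicKey } = generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
const published = {
  chainId: 1,
  address: '0x00000000000000000000000000000000000000AA',
  abi: [{ type: 'function', name: 'balanceOf', stateMutability: 'view',
    inputs: [{ name: 'owner', type: 'address' }], outputs: [{ name: '', type: 'uint256' }] }],
};
const signature = signContract(published, privateKey);

// Same content with different key order and address casing still verifies.
const reordered = {
  abi: [{ outputs: [{ type: 'uint256', name: '' }], inputs: [{ type: 'address', name: 'owner' }],
    stateMutability: 'view', name: 'balanceOf', type: 'function' }],
  address: published.address.toLowerCase(), chainId: 1,
};
// A swapped address (the mismatched-contract case from the issue) does not.
const swapped = { ...published, address: '0x00000000000000000000000000000000000000bb' };
console.log(verifyContract(reordered, signature, publicKey), verifyContract(swapped, signature, publicKey));
```

Verification only shows that the holder of that key signed the payload; tying the key to the deployer address or the issuer's certificate, as the issue proposes, is a separate step not shown here.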