Must a Solidity developer know the private keys to the wallet that is tied to a token contract?












3














To deploy a token contract, there must be a wallet address, am I right? Thus, must the coder be managing the wallet (with its private keys) that is used?



I'm looking at the scenario where someone outsourced the blockchain coding work to someone who is dishonest, and that coder could run away with the tokens if they know the private keys. Could they?










      tokens contract-deployment private-key














      edited Nov 20 at 10:25









      shane











      asked Nov 20 at 10:18









      Rachel























          4 Answers
                    2






                    To deploy something, a transaction needs to be signed by a private key. The signing can be done by someone other than the developer, but it gets a bit complicated in my opinion.



                    As I see it, you have at least a few different options:



                    1) The developer only develops code and you do all the rest (deployment and so on). When code is ready, he gives that to you.



                    2) Developer deploys the ready product into a testnet where you can test it. Otherwise same as the first option.



                    3) Developer handles all deployments (also to mainnet), in which case he needs some private key (unless he sends you the bytecode, you sign a transaction of it and he continues with that, but that's a bit of a complicated approach). If wanted, the developer can then assign whatever ownership status to accounts which you control.



                    I guess all of the options are used in real life and I can't tell you which ones are the most common / best.



                    In general, I would not give the developer the final ownership of the contracts in mainnet so he would only get paid after ownership has been transferred to you.






                    answered Nov 20 at 10:24









                    Lauri Peltonen

                        2






                        Short answer: no need to worry if you are the one signing the deployment transaction; you don't need developers for that.




                        1. Developers code and test with their wallets.


                        2. They give you the code and you deploy it with your wallet.



                        An easier way to do this: they can get the deployment code and ask you to sign it; they can then deploy it themselves, but the transaction will have been sent by you. Be careful about what you sign, though: they could give you a fake transaction.






                        answered Nov 20 at 10:42









                        Enrique Alcazar









                        • 1




                          To expand on it, if your contract has functionality that can only be used by the owner, there is usually an updateOwner function which would allow them to relegate you full control of that functionality
                          – Enrique Alcazar
                          Nov 20 at 10:45
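
The check that the first answer's option 3 and the warning above about fake transactions call for, as an added example that is not part of the original answers: it decodes an unsigned legacy (EIP-155) transaction and confirms, before you sign, that it creates a contract from the init code you expect with the constructor arguments you agreed on. The single address constructor argument (the initial token holder), the sample bytes and all function names are assumptions made for illustration.

```python
# Added example: vet an unsigned legacy (EIP-155) deployment tx before signing.

def _prefix(length, offset):
    if length < 56:
        return bytes([offset + length])
    size = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([offset + 55 + len(size)]) + size

def rlp_encode(item):
    """Minimal RLP encoder, needed here only to build the sample transactions."""
    if isinstance(item, int):
        item = item.to_bytes((item.bit_length() + 7) // 8, "big")
    if isinstance(item, bytes):
        if len(item) == 1 and item[0] < 0x80:
            return item
        return _prefix(len(item), 0x80) + item
    payload = b"".join(rlp_encode(x) for x in item)
    return _prefix(len(payload), 0xC0) + payload

def _decode_item(data):
    if not data:
        raise ValueError("truncated RLP input")
    first = data[0]
    if first < 0x80:                       # a single byte is its own encoding
        return data[:1], data[1:]
    is_list = first >= 0xC0
    short = first - (0xC0 if is_list else 0x80)
    if short < 56:                         # length fits in the prefix byte
        start, length = 1, short
    else:                                  # length follows in (short - 55) bytes
        start = 1 + short - 55
        length = int.from_bytes(data[1:start], "big")
    end = start + length
    if end > len(data):
        raise ValueError("truncated RLP input")
    payload, rest = data[start:end], data[end:]
    if not is_list:
        return payload, rest
    items = []
    while payload:
        item, payload = _decode_item(payload)
        items.append(item)
    return items, rest

def rlp_decode(data):
    item, rest = _decode_item(data)
    if rest:
        raise ValueError("trailing bytes after RLP item")
    return item

def check_deployment_tx(raw, init_code, ctor_args, chain_id):
    """Return the list of problems found; an empty list means 'as agreed'."""
    fields = rlp_decode(raw)
    if (not isinstance(fields, list) or len(fields) != 9
            or any(isinstance(f, list) for f in fields)):
        return ["not an unsigned EIP-155 legacy transaction"]
    _nonce, _gas_price, _gas_limit, to, value, data, chain, r, s = fields
    wei, chain = int.from_bytes(value, "big"), int.from_bytes(chain, "big")
    problems = []
    if to != b"":                          # contract creation has an empty 'to'
        problems.append("'to' is 0x%s: this is not a contract creation" % to.hex())
    if wei != 0:
        problems.append("transaction sends %d wei" % wei)
    if chain != chain_id:
        problems.append("chain id is %d, expected %d" % (chain, chain_id))
    if r != b"" or s != b"":
        problems.append("signature placeholders are not empty")
    if not data.startswith(init_code):
        problems.append("init code differs from the bytecode you compiled yourself")
    elif data[len(init_code):] != ctor_args:
        problems.append("constructor arguments differ from the agreed ones")
    return problems

def abi_address(addr20):
    return b"\x00" * 12 + addr20           # an address as one 32-byte ABI word

# Constructed sample data (not real bytecode, not real addresses).
INIT_CODE = bytes.fromhex("6080604052") + bytes(range(60))
CLIENT = bytes.fromhex("11" * 20)          # account the client controls
DEVELOPER = bytes.fromhex("22" * 20)       # account the contractor controls

def unsigned_tx(to, value, data, chain_id=1, nonce=0):
    return rlp_encode([nonce, 20 * 10**9, 1_500_000, to, value, data, chain_id, 0, 0])

HONEST_TX = unsigned_tx(b"", 0, INIT_CODE + abi_address(CLIENT))
SWAPPED_HOLDER_TX = unsigned_tx(b"", 0, INIT_CODE + abi_address(DEVELOPER))
PAYMENT_TX = unsigned_tx(DEVELOPER, 10**18, b"")

def review(raw):
    return check_deployment_tx(raw, INIT_CODE, abi_address(CLIENT), chain_id=1)

if __name__ == "__main__":
    for name, raw in (("honest", HONEST_TX), ("swapped", SWAPPED_HOLDER_TX), ("payment", PAYMENT_TX)):
        print(name, "->", review(raw) or "OK to sign")
```

The init code to compare against should come from compiling the delivered source yourself; this check covers only what the transaction does, not what the contract code does once deployed.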














                            1






                            This is very debatable, since it is highly dependent on the contract code. In your contract code you can create an owner-only function that only the wallet (basically a private key) can execute, but that wouldn't fix your stolen private keys.



                            The other way is to implement a 2-out-of-3 blessings system that requires a minimum of 2 accounts out of 3 on Ethereum to give their blessings in order for a particular function to be executed, and that can give you more power over the private-key pirate.



                            You can check DAO's Contracts and papers; they did implement many mechanisms to deal with these kinds of situations.






                            answered Nov 20 at 10:27









                            Kaki Master Of Time

                                    0






                                    In order to deploy a contract, you need a private key. There is a public address associated with this private key that must have ETH in it in order to deploy the contract.



                                    Contracts can be written in such a way that they either do or do not depend on the 'owner', or the person who created the contract. In the case of a token, it is not required that there be a specific owner, but the tokens must be distributed to the correct parties upon deployment.



                                    You should never outsource work and provide a private key to your contractor. The best solution would be to have the person who is doing the work deliver to you a complete contract that you can simply deploy with your private key.






                                    answered Nov 20 at 10:24









                                    shane
