Please provide the following details too when asking for help in this category:
SDK Version: 7.0.4
Platform: Web
Please provide the Web3Auth initialization and login code snippet below:
    const web3auth = await getWeb3Auth();
    await web3auth.init();
    // The dApp front end asks the provider for the raw private key.
    const privateKey = (await web3auth.provider.request({
      method: 'eth_private_key',
    })) as string;
    console.log({ privateKey });
For example, a scammer can create a web app, and then trick users into depositing their money to the compromised accounts.
Is there anything we can do to prevent the use of it or make consent for suspicious configurations?
vjgee, October 19, 2023, 9:34am
@michael1 Welcome Aboard!
Your feedback has been forwarded to our team and we will get back with further updates.
Any news? @vjgee, this is critical.
Hey @michael1
This is a feature for the dApp to implement. The Web3Auth keys are app-scoped, i.e. they change with respect to each app. Also, the private key provider is only available in the app frontend.
So even if a scammer tries to implement an app using Web3Auth, they can only get the private key specific to their app, in which, until the user adds funds, there’s no benefit to private key export. If the user adds funds, they trust the app.
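One way a dApp could implement such a consent step itself, shown here as an added example that is not part of the original thread or of Web3Auth's code: a wrapper around the provider's `request` method that refuses key-export calls unless a per-call confirmation approves them. `guardProvider`, `confirmExport`, `ExportAudit` and the stub provider are hypothetical names; only the `eth_private_key` method comes from the thread.

```typescript
// Added example: all names are hypothetical except the 'eth_private_key' method.
type RequestArgs = { method: string; params?: unknown };
interface Eip1193Like { request(args: RequestArgs): Promise<unknown>; }

// Methods that return raw key material; only 'eth_private_key' appears in the thread.
const KEY_EXPORT_METHODS = new Set<string>(["eth_private_key"]);

interface ExportAudit { method: string; allowed: boolean; at: number; }

// Wraps a provider so key-export calls need an explicit, per-call user approval.
function guardProvider(
  inner: Eip1193Like,
  confirmExport: (method: string) => Promise<boolean>,
  audit: ExportAudit[] = [],
): Eip1193Like {
  return {
    async request(args: RequestArgs): Promise<unknown> {
      if (!KEY_EXPORT_METHODS.has(args.method)) return inner.request(args);
      // Fail closed: a rejected or throwing prompt counts as "no".
      let allowed = false;
      try { allowed = (await confirmExport(args.method)) === true; } catch { allowed = false; }
      audit.push({ method: args.method, allowed, at: Date.now() });
      if (!allowed) throw new Error(`user declined ${args.method}`);
      return inner.request(args);
    },
  };
}

// Constructed stand-in for web3auth.provider so the example runs offline.
// The returned "key" is a constructed all-zero placeholder, not real key material.
const stubProvider: Eip1193Like = {
  async request({ method }: RequestArgs): Promise<unknown> {
    return method === "eth_private_key" ? "00".repeat(32) : "0x1";
  },
};

async function demo(): Promise<{ chain: unknown; denied: boolean; key: unknown; log: ExportAudit[] }> {
  const log: ExportAudit[] = [];
  const deny = guardProvider(stubProvider, async () => false, log);
  const allow = guardProvider(stubProvider, async () => true, log);
  const chain = await deny.request({ method: "eth_chainId" }); // not gated, passes through
  const denied = await deny.request({ method: "eth_private_key" }).then(() => false, () => true);
  const key = await allow.request({ method: "eth_private_key" });
  return { chain, denied, key, log };
}
```

The gate only covers calls that go through the wrapper; it does not restrain a dApp whose own developer calls the provider directly, which is the case the reply above answers with app-scoped keys.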
@yashovardhan thanks for your response.
Btw, I changed to the MPC Wallet implementation; since there is no possibility of the developers requesting a private key, it is good to go.
One question: if a user wants to export their private key using the MPC Wallet, how do they do it?
pepper, October 27, 2023, 5:33am
Hello @michael1,
You can use this function:
    public async _UNSAFE_exportTssKey(): Promise<string> {
      if (!this.state.factorKey) throw new Error("factorKey not present");
      if (!this.state.signatures) throw new Error("signatures not present");
      const exportTssKey = await this.tKey._UNSAFE_exportTssKey({
        factorKey: this.state.factorKey,
        authSignatures: this.state.signatures,
        selectedServers: [],
      });
      return exportTssKey.toString("hex", FIELD_ELEMENT_HEX_LEN);
    }
Also, here’s more detailed information about the unsafe exportTssKey. Someone else asked a similar question previously, so you can refer to it:
I’m a bit confused. In the docs, you say that when using the MPC Core Kit, you can’t reconstruct a user’s private key on the frontend, but I’m seeing this code snippet in your React Firebase MPC CoreKit examples:
    <button onClick={async () => uiConsole(await coreKitInstance._UNSAFE_exportTssKey())} className="card">
      [CAUTION] Export TSS Private Key
    </button>
When you click the button, you can then get a user’s private key that can then be exported from the application and impor…