generate and sign the message with nonce

[novaknole]

Hi Richard @ricmoo

let payload = ethers.utils.defaultAbiCoder.encode(["address", "uint256"], [address, 'nonceHere']); // NOTE number `nonceHere`
let payloadHash = ethers.utils.keccak256(payload);
let signature = await wallet.signMessage(ethers.utils.arrayify(payloadHash));

I have the above code.

Now, in the smart contract, I got the ecrecover stuff.

I am wondering what I can put instead of nonceHere so that replay attacks would never happen. I don't want to be storing something on my own server so that whenever I generate new random nonce, i check if i already got generated on my server.

What would be the ethers.js way of so secure mechanism in this case ?

[ricmoo]

It depends a lot on your use case, but if this is for signing in, a common technique might be to use the current timestamp, which can also be verified by a server when checking the signature to make sure old signatures are not used, and that the signing occurred within some timeframe.

[novaknole]

@ricmoo

So basically, users on discord ping discord bot and discord generates a signature. User then takes this signature and calls smart contract with the signature parameter.

Idea is that I don't want to tell users to also pass timestamp or any other parameters.

can't UUIDs be used ? but in that case, collisions could happen in a way that userA generates the signature , and then userB also generates the same signature through discord bot.

Any ideas ?

[ricmoo]

You can use random number, but it depends on your threat model and what you are trying to achieve. Two different addresses with the same nonce will produce two different signatures though.