SpankChain Development Update 001 — October 3, 2017

This is the first in what will be a series of regular development updates to keep you all, our community members and fans, abreast of our progress.

The SpankChain dev team has been hard at work preparing for our upcoming ICO. Please note that we have pushed back the ICO date 1 week to Tuesday, October 31st.

Boba Fett, last of the Mandalorians, has come for the bug bounty.

State Channels Auction Bug Bounty

As most of you know, we have been developing a novel and sophisticated state channels auction for our ICO. Over the weekend we did a full review of the contract and the unit tests (all 490 of them) and we believe that the contract is stable. At this point we are ready to invite the Ethereum developer community to help us look for any lurking vulnerabilities in our code, and so yesterday we announced a $50K bug bounty program. The post also has an overview of how the auction works, for the curious.

Chainsaw. It “saw” the “chain”. It also splits the “logs”. Get it?

Chainsaw

A few days ago we open sourced our chainsaw module, which makes it easy to extract Ethereum logs. We developed it primarily because web3.eth.filter doesn’t work on remote nodes, but also because web3.eth.filter forces you to create a new event listener for every single event you want to track, which can get cumbersome. We are using it internally for listening on events emitted by our state channels auction, and plan to integrate it with our payment channels implementation soon.

Example flow for signing typed offchain data in MetaMask.

EIP 712 — personal_signTypedData

A few weeks ago the 0x team proposed a new web3 method called personal_signTypedData which addresses a critical security flaw in how signing offchain data works in web3 today. Today, dapps that ask users to sign offchain data go through a 2-step process where the data is first hashed with web3.utils.keccak256, and then the hash is signed with web3.eth.personal.sign. In insecure browser environments, keeping these steps separate leaves room for malicious client-side JavaScript to replace the hash sent to the signing function. In the worst case scenario, an attacker could inject a hash of a valid Ethereum transaction that sends them all your money.

Because we plan to have buyers sign offchain bids as part of our state channels auction, we made implementing a solution to this problem a priority. The solution is to combine the hashing and signing steps into a single web3 function, and so we sent pull requests to web3 to include this new function and implemented a standalone version as part of the MetaMask signature flow. Buyers in our auction will be able to easily confirm the data fields they are signing without fear of tampering, and no one else should have this problem for the rest of time. Yay!
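
The difference between the two flows, as an added sketch that is not SpankChain, 0x, web3 or MetaMask code: the wallet objects and function names are hypothetical, and SHA-256 and HMAC stand in for keccak256 and the account signature so that it runs offline in Node.

```javascript
// Added illustration. SHA-256 and HMAC stand in for keccak256 and the account
// signature; the wallet objects and function names are hypothetical.
const nodeCrypto = require("crypto");

const WALLET_KEY = "constructed-demo-key"; // constructed sample secret

const hashOf = (bytes) => nodeCrypto.createHash("sha256").update(bytes).digest("hex");
const signDigest = (digestHex) =>
  nodeCrypto.createHmac("sha256", WALLET_KEY).update(digestHex).digest("hex");

// Canonical encoding of typed fields: type, name and value of each entry, in order.
const encodeTyped = (fields) =>
  JSON.stringify(fields.map((f) => [f.type, f.name, String(f.value)]));

// Two-step flow: the wallet receives only a digest. It has nothing readable
// to show the user, so it cannot tell a bid from any other 32-byte value.
const blindWallet = {
  sign(digestHex) {
    return { shown: digestHex, signedDigest: digestHex, sig: signDigest(digestHex) };
  },
};

// Combined flow: the wallet receives the fields, displays them, and computes
// the digest itself, so the approved text and the signed digest cannot diverge.
const typedWallet = {
  sign(fields) {
    const digestHex = hashOf(encodeTyped(fields));
    const shown = fields.map((f) => `${f.name} (${f.type}): ${f.value}`).join("\n");
    return { shown, signedDigest: digestHex, sig: signDigest(digestHex) };
  },
};

// Constructed sample bid.
const bid = [
  { type: "string", name: "auction", value: "demo-auction" },
  { type: "uint", name: "amountWei", value: 1000 },
];

// `channel` models the page context between dapp and wallet; an untrusted
// script there can rewrite whatever passes through it.
function twoStepSign(fields, channel = (x) => x) {
  const digestHex = hashOf(encodeTyped(fields)); // step 1, in page context
  return blindWallet.sign(channel(digestHex)); // step 2, in the wallet
}

function combinedSign(fields, channel = (x) => x) {
  return typedWallet.sign(channel(fields));
}
```

In the two-step flow a substituted digest is signed with nothing on screen to reveal it; in the combined flow any change made in the page context shows up in the text the user is asked to approve.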

State Channels Auction — Next Steps

We are nearly done with the state channels auction system. The database component is complete, and the UI, server, and integration tests are nearly complete as well. We are making progress on all fronts and expect to be 100% done by mid next week. Once we are, we plan to do a few mainnet beta tests to ensure the security and correctness of our implementation. Be sure to sign up for our email list on spankchain.com if you are interested in participating!

SpankChain.com v3

We are putting the finishing touches on a website revamp which should go live in the next few days. It will provide more information about the SpankChain platform, the SPANK token model, and the upcoming token launch. Stay tuned!

Connect with SpankChain

To learn more about SpankChain please visit our website, follow us on Twitter, and join our growing Discord community.