Aug 25, 2022
Zaryab Khan
KYC before ICO: KYC is performed before the ICO and all the whitelisted addresses are added into the crowdsale contract.
KYC during ICO: The ICO owner keeps updating the whitelist, as per request, within the duration of the ICO.
KYC using ECRecover: This is the most cost-effective way to whitelist an investor. The ICO owner signs the investor's address after the KYC verification and gives this signed data to the investor, who includes it in the transaction.
ECRecover Mechanism
Digital signatures are a staple of Public Key Infrastructure that allows anyone to validate the integrity and the source of signed data. The data is signed using the private key, and the public key is required to validate the signature. The ecrecover function in Solidity takes in hashed data and the corresponding signature and returns the address of the signer, hence verifying the origin of the signature.
In the case of KYC, an owner would verify the identity of a potential contributor either themselves or using a third-party service such as Shufti Pro, Onfido, etc. Once verified, the owner signs the investor’s address and sends the signature to them. The investor will use this signature when making a contribution to the ICO contract, where the signature will be verified – both where it came from (the owner) and to whom it was addressed (the investor) – before the purchase of tokens is allowed.
We’ll use the ethereumjs-util library’s ecsign function (EthJS.Util in the code below) to sign the data rather than web3.eth.sign, which signs data as “\x19Ethereum Signed Message:\n” + message.length + message. Using web3.eth.sign we cannot recover the address that was signed; we can only get the signer of the data. But we also need the address which we’ve signed, to make sure the intended participant is the one using the signed data.
// Assumed setup (not shown on the page): web3 is an initialised Web3 instance, EthJS.Util is
// ethereumjs-util, publicAddress is the investor's address and privateKey is the owner's
// signing key (32-byte Buffer or 0x-prefixed hex string).
var checksumAddress = web3.utils.toChecksumAddress(publicAddress);
// web3.utils.sha3 treats a 0x-prefixed hex string as bytes, so this is keccak256 of the 20 address bytes
var payload = web3.utils.sha3(checksumAddress);
// Raw secp256k1 signature over the digest; no "\x19Ethereum Signed Message" prefix is added
var {v, r, s} = EthJS.Util.ecsign(EthJS.Util.toBuffer(payload), EthJS.Util.toBuffer(privateKey));
var rHex = EthJS.Util.bufferToHex(r);
var sHex = EthJS.Util.bufferToHex(s);
v = Number(v);
// Resulting signature for the example key pair:
v = 28
r = "0x13f55b8ee0275658b3b5867d4afcce9e042504b71310cf64193dd4a261192fa3"
s = "0x62a5e7243f5e293fc82910923af672397682ce572c86c76d97248ef860d235f6"
Next, we try to contribute using the buyTokens function of the contract, passing the signed address together with the signature components.
ContractInstance.methods.buyTokens(checksumAddress, v, rHex, sHex).encodeABI()
We use MetaMask to send a transaction to the contract, including the signature and signed data in the data field.
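The receiving side of this scheme, as an added example rather than the post's own contract code: buyTokens rebuilds the same digest the owner signed off-chain (keccak256 of the 20 raw address bytes, no prefix), recovers the signer with ecrecover, and checks both the origin (the owner) and the addressee (_to must be msg.sender). The contract name, the owner field and the contributions mapping are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal crowdsale; only the whitelist check is shown.
contract KycCrowdsale {
    address public immutable owner;                 // the KYC signer
    mapping(address => uint256) public contributions;

    constructor(address _owner) {
        require(_owner != address(0), "owner required");
        owner = _owner;
    }

    // Returns true only if (v, r, s) is the owner's signature over keccak256(_to).
    function isWhitelisted(address _to, uint8 v, bytes32 r, bytes32 s) public view returns (bool) {
        // Same digest as web3.utils.sha3(checksumAddress): keccak256 over the 20 address bytes.
        bytes32 digest = keccak256(abi.encodePacked(_to));
        // ecrecover accepts only canonical v values; anything else is an invalid signature.
        if (v != 27 && v != 28) return false;
        address signer = ecrecover(digest, v, r, s);
        // ecrecover returns address(0) on failure; owner is never address(0).
        return signer == owner;
    }

    function buyTokens(address _to, uint8 v, bytes32 r, bytes32 s) external payable {
        // Binds the signed data to the caller: a signature issued for one investor
        // cannot be used by a different account, which is the check the post relies on.
        require(_to == msg.sender, "signed data belongs to another address");
        require(isWhitelisted(_to, v, r, s), "not whitelisted");
        require(msg.value > 0, "no ether sent");
        contributions[_to] += msg.value;
    }
}
```

Note that the digest commits only to the investor's address; if the owner runs several crowdsales with the same key, including address(this) in the digest on both the signing and verifying side scopes each approval to one contract.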
The transaction is successfully executed.
Now using the same signed data from another account.
Conclusion:
We have successfully implemented an on-chain KYC mechanism which allows investor whitelisting without either side, the investor or the owner, having to pay extra gas fees.
KYC is necessary for the ICO owner so that they can prove that the money they’ve collected is legitimate and that none of the funds are related in any way to money laundering, terrorism financing, etc. The way KYC works in ICOs is that, one way or another, customers are required to provide certain information regarding their identity and citizenship, and based on that it is decided whether or not they are eligible to participate. That eligibility takes the form of a whitelist of addresses that are allowed to buy tokens. The usual KYC mechanisms fall under the three categories listed at the top of this post.