Hey everyone,
I’m looking at this NFT smart contract and I’m confused about how it uses ECDSA for whitelisting. There’s this part in the mint function:
address signerOwner = signatureWallet(wallet,_tokensId,_timestamp,_signature);
require(signerOwner == owner(), "Not authorized to mint");
And then there’s this signatureWallet function:
function signatureWallet(address wallet, uint256[] memory _tokensId, uint256 _timestamp, bytes memory _signature) public view returns (address){
return ECDSA.recover(keccak256(abi.encode(wallet, _tokensId, _timestamp)), _signature);
}
Can someone explain how this ECDSA stuff works here? I’m not sure what it’s doing or why it’s used. Thanks for any help you can give!
hey there StrummingMelody! i’m really curious about this too. ECDSA stuff can be pretty confusing right? 
from what i understand, it looks like they’re using ECDSA for some kind of whitelist verification. The signatureWallet function is recovering an address from a signature, which is probably created off-chain by the contract owner.
but i wonder - how does this actually prevent unauthorized minting? And how does the _timestamp play into all this?
also, have you looked into how they’re generating these signatures? that might give us more insight into how this whole system works.
anyone else here have experience with ECDSA in NFT contracts? I’d love to learn more about best practices and potential security concerns with this approach!
The ECDSA implementation in this contract serves as a secure whitelisting mechanism, allowing the contract owner to authorize specific wallets for minting without requiring an on-chain whitelist that consumes extra gas. The process involves generating off-chain signatures for approved wallets, which include relevant token IDs and a timestamp. When a user attempts to mint, the provided signature is verified using ECDSA.recover to ensure it was generated by the owner. The inclusion of a timestamp likely helps prevent signature reuse by setting an expiration. In practice, this method enhances gas efficiency while requiring careful management of signatures.
hey strummingmelody, ecdsa here is for off-chain whitelisting. owner signs wallet+tokens+timestamp, then mint func checks if signature’s legit. it’s gas-efficient but needs careful signature management.
wondering bout security tho. what if someone snags a signature? timestamp helps, but for how long?
maybe there’s a way to revoke signatures?
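Pulling the threads above together (the explanation of off-chain signing plus on-chain ECDSA.recover, and the questions about signature theft, expiry and revocation), here is an added example of what a hardened version of the whitelist check can look like. It is not code from the contract being discussed and not from any project; the contract name, the extra expiry/nonce parameters, the `usedDigests` mapping and `revokeAllSignatures` are all hypothetical additions. It is written against OpenZeppelin v5 (`Ownable(initialOwner)`, `MessageHashUtils`); on v4 the `toEthSignedMessageHash` helper lives in `ECDSA` and `Ownable` takes no constructor argument.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";

/// Hypothetical hardened version of the whitelist check from the thread.
/// Same idea (owner signs wallet + token IDs + timestamp off-chain), plus:
///  - the timestamp is treated as an expiry and actually checked on-chain,
///  - the caller must be the wallet named in the signed message,
///  - each signature can be consumed only once (no replay),
///  - the owner can revoke every outstanding signature by bumping a nonce.
contract SignatureWhitelistMint is Ownable {
    using ECDSA for bytes32;
    using MessageHashUtils for bytes32;

    /// Bumping this invalidates all signatures issued under the old value.
    uint256 public signatureNonce;

    /// digest => already consumed. Stops the same signature minting twice.
    mapping(bytes32 => bool) public usedDigests;

    event SignaturesRevoked(uint256 newNonce);
    event Minted(address indexed wallet, uint256[] tokenIds);

    constructor() Ownable(msg.sender) {}

    /// The 32-byte digest the off-chain signer signs. Including address(this)
    /// and block.chainid binds a signature to this deployment and chain, so
    /// it cannot be replayed against another contract or a fork.
    function mintDigest(
        address wallet,
        uint256[] memory tokenIds,
        uint256 expiresAt,
        uint256 nonce
    ) public view returns (bytes32) {
        // abi.encode (not encodePacked) so the dynamic array is unambiguous.
        return keccak256(abi.encode(address(this), block.chainid, wallet, tokenIds, expiresAt, nonce));
    }

    /// Same role as signatureWallet in the thread, but expects an EIP-191
    /// prefixed signature (what personal_sign / wallet.signMessage(bytes)
    /// produces). The signer and the contract must agree on this prefix.
    function signatureWallet(
        address wallet,
        uint256[] memory tokenIds,
        uint256 expiresAt,
        bytes memory signature
    ) public view returns (address) {
        bytes32 digest = mintDigest(wallet, tokenIds, expiresAt, signatureNonce);
        return digest.toEthSignedMessageHash().recover(signature);
    }

    function mint(uint256[] memory tokenIds, uint256 expiresAt, bytes memory signature) external {
        // Expiry check: a leaked signature is useful only until expiresAt.
        require(block.timestamp <= expiresAt, "Signature expired");

        // Bind to msg.sender so a stolen signature cannot be submitted by
        // anyone other than the whitelisted wallet it was issued for.
        bytes32 digest = mintDigest(msg.sender, tokenIds, expiresAt, signatureNonce);
        require(!usedDigests[digest], "Signature already used");

        // ECDSA.recover reverts on a malformed signature in OZ v5; the
        // owner comparison below also rejects address(0) on older versions.
        address signer = digest.toEthSignedMessageHash().recover(signature);
        require(signer == owner(), "Not authorized to mint");

        usedDigests[digest] = true; // one-shot: replay of this digest now fails
        emit Minted(msg.sender, tokenIds);
        // _safeMint(msg.sender, tokenIds[i]) for each id would follow here.
    }

    /// Revocation: every signature issued under the previous nonce is now
    /// rejected, because mintDigest no longer reproduces its digest.
    function revokeAllSignatures() external onlyOwner {
        signatureNonce += 1;
        emit SignaturesRevoked(signatureNonce);
    }
}
```

Two points worth checking against the contract in the question: its digest is hashed with `abi.encode` and passed to `ECDSA.recover` without the `"\x19Ethereum Signed Message:\n32"` prefix, so the off-chain signer must sign the raw digest rather than use `personal_sign`, otherwise recovery yields a different address and every mint fails closed; and the snippet shown recovers the signer but does not itself compare `_timestamp` to `block.timestamp` or record used signatures, so whether a leaked signature expires or can be replayed depends on code elsewhere in that mint function, which is exactly the part to read next.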