Security News
GitHub Removes Malicious Pull Requests Targeting Open Source Repositories
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
defender-relay-client
Advanced tools
There are 2 modules included in this package:
npm install defender-relay-client
yarn add defender-relay-client
Defender Relay Client enables creating, reading, and updating relayers and their associated API keys.
To get started, instantiate RelayClient
:
import { RelayClient } from 'defender-relay-client';
const relayClient = new RelayClient({ apiKey: API_KEY, apiSecret: API_SECRET });
Create a new relayer:
const requestParameters = {
name: 'MyNewRelayer',
network: 'rinkeby',
minBalance: BigInt(1e17).toString(),
policies: {
whitelistReceivers: ['0xAb5801a7D398351b8bE11C439e05C5B3259aeC9B'],
},
};
await relayClient.create(requestParameters);
Create its associated API key:
await relayClient.createKey('58b3d255-e357-4b0d-aa16-e86f745e63b9');
Fetch data for a single relayer:
await relayClient.get('58b3d255-e357-4b0d-aa16-e86f745e63b9');
All relayers in your account:
await relayClient.list();
All API keys associated with an individual relayer:
await relayClient.listKeys('58b3d255-e357-4b0d-aa16-e86f745e63b9');
await relayClient.update('58b3d255-e357-4b0d-aa16-e86f745e63b9', { name: 'Test 2' });
await relayClient.deleteKey('58b3d255-e357-4b0d-aa16-e86f745e63b9', 'j3bru93-k32l-3p1s-pp56-u43f675e92p1');
Note: second argument to deleteKey
is the keyId
(contains hyphens), not the apiKey
. This can be fetched via the listKeys
method above and is also available in the response on key creation.
Deletion of a relayer (not just a key) is only available via the Defender console.
Defender Relay Signer lets you send transactions to any supported network using private relayers. Each relayer has its own secure private key, and a set of API keys. You can send transactions via your relayers by POSTing to the Defender HTTP API, or using this library.
This library also includes an ethers.js signer and a web3.js provider, that uses the Relay to sign and broadcast its transactions.
Start by creating a new relayer using either the Defender console or API for a network of your choice. Write down the API key and secret. Then use them to create a new Relayer
instance in your code:
import { Relayer } from 'defender-relay-client';
const relayer = new Relayer({ apiKey: API_KEY, apiSecret: API_SECRET });
And use the relayer instance to send a transaction:
const tx = await relayer.sendTransaction({
to: '0x6b175474e89094c44da98b954eedeac495271d0f',
value: '0x16345785d8a0000',
data: '0x5af3107a',
speed: 'fast',
gasLimit: 100000,
});
The sendTransaction
call returns once the transaction has been signed by the relayer. To monitor the transaction status, see Querying below.
Instead of the usual gasPrice
or maxFeePerGas
/maxPriorityFeePerGas
, the Relayer may also accept a speed
parameter that can be one of safeLow
, average
, fast
, or fastest
. These values are mapped to actual gas prices when the transaction is sent or resubmitted and vary depending on the state of the network.
If speed
is provided, the transaction would be priced according to the EIP1559Pricing
relayer policy.
NOTE: Mainnet gas prices and priority fees are calculated based on the values reported by EthGasStation, EtherChain, GasNow, BlockNative, and Etherscan. In Polygon and its testnet, the gas station is used. In other networks, gas prices are obtained from a call to eth_gasPrice
or eth_feeHistory
to the network.
The returned transaction object tx
will have the following shape:
interface RelayerTransactionBase {
transactionId: string; // Defender transaction identifier
hash: string; // Ethereum transaction hash
to: string;
from: string;
value?: string;
data?: string;
speed: 'safeLow' | 'average' | 'fast' | 'fastest';
gasLimit: number;
nonce: number;
status: 'pending' | 'sent' | 'submitted' | 'inmempool' | 'mined' | 'confirmed' | 'failed';
chainId: number;
validUntil: string;
}
interface RelayerLegacyTransaction extends RelayerTransactionBase {
gasPrice: number;
}
interface RelayerEIP1559Transaction extends RelayerTransactionBase {
maxPriorityFeePerGas: number;
maxFeePerGas: number;
}
type RelayerTransaction = RelayerLegacyTransaction | RelayerEIP1559Transaction;
The relayer
object also has a query
function that returns a transaction object as described above. This method receives the transactionId
, not the transaction hash
:
const latestTx = await relayer.query(tx.transactionId);
Alternatively, the relayer
can also be used to list
the latest transactions sent, optionally filtering by status and creation time.
const since = await relayer.list({
since: new Date(Date.now() - 60 * 1000),
status: 'pending', // can be 'pending', 'mined', or 'failed'
limit: 5,
});
Defender will update the transaction status
every minute, marking it as confirmed
after 12 confirmations. The transaction information will be stored for 30 days.
The query
function is important to monitor the transaction status, since Defender may choose to resubmit the transaction with a different gas price, effectively changing its hash. This means that, if you monitor your transaction only via getTransactionReceipt(tx.hash)
calls to a node, you may not get the latest info if it was replaced.
Defender may replace a transaction by increasing its gas price if it has not been mined for a period of time, and the gas price costs have increased since the transaction was originally submitted. Also, in a case where a transaction consistently fails to be mined, Defender may replace it by a no-op (a transaction with no value or data) in order to advance the sender account nonce.
You can use the relayer methods replaceTransactionById
or replaceTransactionByNonce
to replace a transaction given its nonce or transactionId (not hash) if it has not been mined yet. You can use this to increase the speed of a transaction, or replace your tx by an empty value transfer (with a gas limit of 21000) to cancel a transaction that is no longer valid.
// Cancel a transaction with nonce 42 by sending a zero-value transfer to replace it
const tx = await relayer.replaceTransactionByNonce(42, {
to: '0x6b175474e89094c44da98b954eedeac495271d0f',
value: '0x00',
data: '0x',
speed: 'fastest',
gasLimit: 21000,
});
You can also replace by nonce using the ethers.js
and web3.js
adapters listed below.
You can sign any hex string (0x123213
) according to the EIP-191 Signed Data Standard (prefixed by \x19Ethereum Signed Message:\n
) using a sign
method of the relayer. Pay attention, that the message has to be a hex string.
const signResponse = await relayer.sign({ message: msg });
Also, you can sign typed data according to the EIP-712 Specification using a signTypedData
method of the relayer by providing both the domainSeparator
and the hashStruct(message)
as parameters. Heads up that both are hashes so they should be 32-bytes long.
const signTypedDataResponse = await relayer.signTypedData({
domainSeparator,
hashStructMessage,
});
Once your data is signed, the following response will be returned:
export interface SignedMessagePayload {
sig: Hex;
r: Hex;
s: Hex;
v: number;
}
You can also use Defender for making arbitrary JSON RPC calls to the network via the call
method. All JSON RPC methods are supported, except for event filters and websocket subscriptions.
const balance = await relayer.call('eth_getBalance', ['0x6b175474e89094c44da98b954eedeac495271d0f', 'latest']);
You can use the defender-relay-client
with ethers.js v5 directly. The package exports a DefenderRelaySigner
signer that is used to send transactions, and a DefenderRelayProvider
provider that is used to make calls to the network through Defender.
Make sure to have ethers
installed in your project, and initialize a new defender signer instance like:
const { DefenderRelayProvider, DefenderRelaySigner } = require('defender-relay-client/lib/ethers');
const { ethers } = require('ethers');
const credentials = { apiKey: API_KEY, apiSecret: API_SECRET };
const provider = new DefenderRelayProvider(credentials);
const signer = new DefenderRelaySigner(credentials, provider, { speed: 'fast' });
You can then use it to send any transactions, such as executing a contract function. The tx
object returned will be a regular ethers.js TransactionResponse
object, with the addition of Defender's transactionId
field.
const erc20 = new ethers.Contract(ERC20_ADDRESS, ERC20_ABI, signer);
const tx = await erc20.functions.transfer(beneficiary, (1e18).toString());
const mined = await tx.wait();
The signMessage
method is supported as well, allowing to sign an arbitrary data with a relayer key.
const signed = await signer.signMessage('Funds are safu!');
The _signTypedData
method is also supported to sign EIP712 messages
const signedEIP712Message = await signer._signTypedData(domain, types, value);
The current implementation of the DefenderRelaySigner
for ethers.js has the following limitations:
ethers.js
, it is not possible to specify the transaction speed
for an individual transaction when sending it. It must be set during the signer construction, and will be used for all transactions sent through it.wait
on the transaction to be mined will only wait for the current transaction hash (see Querying). If Defender Relayer replaces the transaction with a different one, this operation will time out. This is ok for fast transactions, since Defender only reprices after a few minutes. But if you expect the transaction to take a long time to be mined, then ethers' wait
may not work. Future versions will also include an ethers provider aware of this.You can also use the defender-relay-client
with web3.js via a DefenderRelayProvider
which routes all JSON RPC calls through Defender, and uses a Relayer for signing and broadcasting transactions.
const { DefenderRelayProvider } = require('defender-relay-client/lib/web3');
const Web3 = require('web3');
const credentials = { apiKey: API_KEY, apiSecret: API_SECRET };
const provider = new DefenderRelayProvider(credentials, { speed: 'fast' });
const web3 = new Web3(provider);
You can then use the web3
instance to query and send transactions as you would normally do:
const [from] = await web3.eth.getAccounts();
const erc20 = new web3.eth.Contract(ERC20_ABI, ERC20_ADDRESS, { from });
const tx = await erc20.methods.transfer(beneficiary, (1e18).toString()).send();
You can also sign messages using the Relayer key via the sign
method:
const signature = await web3.eth.sign('0xdead', from);
The package also includes two composable lower-level providers, the DefenderRelaySenderProvider
and DefenderRelayQueryProvider
. The former intercepts all sendTransaction
methods and serves them via the Relayer, while the latter uses Defender's JSON RPC interface for all method calls. The DefenderRelayProvider
shown above combines the two.
Note that these web3.js providers currently have the same limitations as the ethers.js one described above.
Defender Autotasks natively support integration with Defender Relay, allowing to send transactions without providing API keys. In your autotask's code, just require('defender-relay-client')
and construct a new relayer instance using the credentials
object injected by the autotask. This will give you a relayer object already configured.
const { Relayer } = require('defender-relay-client');
exports.handler = async function (event) {
const relayer = new Relayer(event);
const txRes = await relayer.sendTransaction({
to: '0xc7dd3ff5b387db0130854fe5f141a78586f417c6',
value: 100,
speed: 'fast',
gasLimit: '1000000',
});
console.log(txRes);
return txRes.hash;
};
Can I use this package in a browser?
This package is not designed to be used in a browser environment. Using this package requires sensitive API KEYS that should not be exposed publicly.
FAQs
There are 2 modules included in this package:
We found that defender-relay-client demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 8 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
Security News
RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.