Within the world of cybersecurity, one of the key controls we can employ to protect ourselves is Least Privilege: the principle that we should perform activities with the minimal permissions possible. It's for the same reason that we don't use our owner keys on WAX for day-to-day actions; however, even the active key can do basically everything with our account.
Fortunately WAX, and other chains derived from EOSIO, give us all of the tools we need to carve out a set of permissions that allow us to interact with dApps safely and with minimal risk of compromise by bad actors.
The EOSIO Documentation provides all of the information you need to create custom permissions; however, it lacks a practical guide to implementing them on WAX.
The steps in this article apply equally to all EOSIO based blockchains, virtually any dApp and any non-custodial wallet; however, the guide deals directly with WAX, Warsaken and Anchor Wallet.
Pre-requisites
- Anchor Wallet for Desktop and Mobile. Custodial wallets such as WAX Cloud Wallet do not let you manage your own permissions, so they are out of scope; other non-custodial wallets are untested, but assuming they allow you to add permissions you can use them.
- Active keys for an existing account added to your wallet.
- A mobile device you wish to be able to claim from.
- You should be in a secure area where no one can see your screen.
Step 1: Create new Keys on Anchor Desktop
- From Anchor Wallet, navigate to Tools → Manage Keys → Generate Key Pairs.
- Click Generate Key Pair (x2).
- Click Save Keys to Wallet.
You should have two new keys once you have completed this step.
Step 2: Enable "unsafe" / "dangerous" transactions
Note: by enabling this setting, it is possible that you could replace the active key on your account with an invalid one, meaning you would need to reset your active key with your owner key. Do not change this setting if you feel at all uncomfortable with this risk.
- From Anchor Wallet, navigate to settings (cogs in top right hand corner)
- Scroll down and ensure that Allow dangerous transactions in URI signer is set to "Allow dangerous transactions".
Step 3: Add a custom permission
- Access https://waxblock.io/ and login with Anchor Wallet.
- Go to Wallet → Manage keys and permissions.
- Click on Advanced
- Fill out the fields exactly as follows:
a. Permission Name: wsknclaim
b. Parent: active (default)
c. Threshold: 1 (default)
- Click Add New and paste one of the public keys you generated in Step 1 into the Public Key box, leaving the other fields at their defaults.
- Click Add New Permission and sign the transaction to create the new permission.
Step 4: Add Keys to Mobile - (Android, iOS, iPadOS)
- On your Mobile Open the Anchor Wallet App.
- Tap Add Account then Import Account.
- Tap Scan QR code
- On your desktop, click the down arrow next to the key you used in Step 3 and select Export Private Key.
- Click the small QR code icon on the right hand side of the private key, then click Show QR Code.
- Scan the QR code with Anchor Mobile.
- After a few seconds it should list your new account.
- Tap it then tap Import Account then Done when prompted.
Step 5: Link Required Auths to the Permission
- Back on https://waxblock.io/, navigate to Wallet → Keys and Permissions → Link Auth and add the following two auths:
- The ability to log in to Warsaken is controlled by the warsaken::auth action:
a. Permission: select wsknclaim from the dropdown
b. Contract Name: warsaken
c. Contract Action: select auth from the dropdown
- The ability to claim on Warsaken is controlled by the warsaken::claim action:
a. Permission: select wsknclaim from the dropdown
b. Contract Name: warsaken
c. Contract Action: select claim from the dropdown
- Click Link Auth and sign the transaction.
After completing this step the Current Permissions on your account should show wsknclaim under active, linked to warsaken::auth and warsaken::claim.
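What waxblock.io submits in Steps 3 and 5 is two standard system-contract actions: eosio::updateauth (create the wsknclaim permission under active with a single key) and eosio::linkauth (one per contract action). The script below is an added example written for this article, not code from Warsaken, Anchor Wallet or waxblock.io. It builds those actions as the JSON a chain API expects, and audits a get_account-style permissions list to confirm the new permission is as narrow as intended: parent active, threshold 1, one key, no reuse of the owner or active key, and nothing linked to it beyond warsaken::auth and warsaken::claim. The account name, keys and sample responses are constructed placeholders; the shape of the `links` list is an assumption of this example, since linkauth entries have to be read from chain tables separately.

```python
"""Build and audit the Warsaken claim permission (added example, not project code)."""
import json
from typing import Dict, List

PERM_NAME = "wsknclaim"
ALLOWED_ACTIONS = {("warsaken", "auth"), ("warsaken", "claim")}


def updateauth_action(account: str, permission: str, parent: str, pubkey: str) -> Dict:
    """eosio::updateauth creating `permission` under `parent` with one key, threshold 1.
    Authorised by account@parent, as waxblock.io does in Step 3."""
    return {
        "account": "eosio",
        "name": "updateauth",
        "authorization": [{"actor": account, "permission": parent}],
        "data": {
            "account": account,
            "permission": permission,
            "parent": parent,
            "auth": {"threshold": 1,
                     "keys": [{"key": pubkey, "weight": 1}],
                     "accounts": [], "waits": []},
        },
    }


def linkauth_action(account: str, code: str, action: str, requirement: str) -> Dict:
    """eosio::linkauth: let `requirement` satisfy code::action for `account` (Step 5)."""
    return {
        "account": "eosio",
        "name": "linkauth",
        "authorization": [{"actor": account, "permission": "active"}],
        "data": {"account": account, "code": code, "type": action, "requirement": requirement},
    }


def claim_setup_actions(account: str, pubkey: str) -> List[Dict]:
    """The three actions behind Steps 3 and 5, in execution order (permission first)."""
    actions = [updateauth_action(account, PERM_NAME, "active", pubkey)]
    for code, act in sorted(ALLOWED_ACTIONS):
        actions.append(linkauth_action(account, code, act, PERM_NAME))
    return actions


def audit_claim_permission(permissions: List[Dict], links: List[Dict],
                           perm_name: str = PERM_NAME, allowed=ALLOWED_ACTIONS) -> List[str]:
    """Return findings (empty list = permission is as narrow as intended).
    `permissions`: the "permissions" array of a chain get_account response.
    `links`: list of {"code", "type", "requirement"} dicts (assumed shape)."""
    findings = []
    by_name = {p["perm_name"]: p for p in permissions}
    perm = by_name.get(perm_name)
    if perm is None:
        return [f"permission {perm_name} does not exist"]
    if perm["parent"] != "active":
        findings.append(f"parent is {perm['parent']}, expected active")
    auth = perm["required_auth"]
    if auth["threshold"] != 1:
        findings.append(f"threshold is {auth['threshold']}, expected 1")
    if len(auth["keys"]) != 1 or auth["keys"][0]["weight"] != 1:
        findings.append("expected exactly one key with weight 1")
    if auth["accounts"] or auth["waits"]:
        findings.append("account or wait authorities present; expected a single key only")
    # Key reuse check: a phone holding the claim key must not also be able to sign as owner/active.
    claim_keys = {k["key"] for k in auth["keys"]}
    for other in ("owner", "active"):
        other_keys = {k["key"] for k in
                      by_name.get(other, {}).get("required_auth", {}).get("keys", [])}
        if claim_keys & other_keys:
            findings.append(f"claim key is also a key on {other}; the phone could sign as {other}")
    # Linked actions: anything extra widens what the key can do; anything missing breaks login/claim.
    linked = {(l["code"], l["type"]) for l in links if l["requirement"] == perm_name}
    for code, act in sorted(linked - allowed):
        findings.append(f"{code}::{act} is linked to {perm_name} but not expected")
    for code, act in sorted(allowed - linked):
        findings.append(f"{code}::{act} is not linked to {perm_name}; login or claim will fail")
    return findings


# Constructed sample of a get_account "permissions" array after Steps 3 and 5 (placeholder keys).
SAMPLE_PERMISSIONS = [
    {"perm_name": "owner", "parent": "", "required_auth": {"threshold": 1,
        "keys": [{"key": "EOS_OWNER_PLACEHOLDER", "weight": 1}], "accounts": [], "waits": []}},
    {"perm_name": "active", "parent": "owner", "required_auth": {"threshold": 1,
        "keys": [{"key": "EOS_ACTIVE_PLACEHOLDER", "weight": 1}], "accounts": [], "waits": []}},
    {"perm_name": "wsknclaim", "parent": "active", "required_auth": {"threshold": 1,
        "keys": [{"key": "EOS_CLAIM_PLACEHOLDER", "weight": 1}], "accounts": [], "waits": []}},
]
SAMPLE_LINKS = [  # constructed linkauth entries matching Step 5
    {"code": "warsaken", "type": "auth", "requirement": "wsknclaim"},
    {"code": "warsaken", "type": "claim", "requirement": "wsknclaim"},
]

if __name__ == "__main__":
    print(json.dumps(claim_setup_actions("mywaxaccount", "EOS_CLAIM_PLACEHOLDER"), indent=2))
    print("audit findings:", audit_claim_permission(SAMPLE_PERMISSIONS, SAMPLE_LINKS))
```

Run it as-is to see the three actions and an empty findings list; feed it your own account's get_account output to confirm nothing beyond the two Warsaken actions is reachable from the claim key. The key-reuse check is the programmatic form of the clean-up advice at the end of this article.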
Final Steps and Cleaning Up
You can now proceed to log in to Warsaken with your custom permission, safe in the knowledge that the only things this key can do are log in to Warsaken and claim; the chain will reject any other action signed with it, because a permission can only satisfy the actions linked to it.
Step 4 can be repeated on multiple devices if desired, for example a tablet; this gives you some resilience in case you lose your phone or your battery is flat.
I recommend removing the private keys from Anchor Desktop. Although this is not strictly required, it avoids accidentally re-using the keys, which could expose other accounts to attack if your phone were compromised.
I also advise disabling "dangerous" transactions:
- From Anchor Wallet, navigate to settings (cogs in top right hand corner)
- Scroll down and ensure that Allow dangerous transactions in URI signer is set to "Disable dangerous transactions".
Other Warsaken Activities and their Contract Actions
This section is for reference only, and not required to perform a Warsaken Claim.
Other actions in Warsaken require different sets of auths to complete, for example:
- Buying WAX Packs (WAXPAX) requires warsaken::cart to add items to the shopping cart, warsaken::purchase to initiate a purchase, and eosio.token::transfer to transfer WAX to warsaken. Note that linking eosio.token::transfer lets the key transfer WAX to any account, not only to warsaken, since auths are linked per action rather than per recipient.
- Buying LOOT Packs (LOOTPAX) requires warsaken::cart to add items to the shopping cart, warsaken::purchase to initiate a purchase, and warsaken::transfer to transfer LOOT to warsaken.
- Opening Packs, Redeeming Loot and Mystery Vouchers requires atomicassets::createoffer to offer the NFTs to warsaken. createoffer is a risky permission to link, as any NFT in your account can be transferred, not just Warsaken NFTs.
- Redeeming Codes requires warsaken::redeem to redeem the code.