Conversation between Facu, Product Manager at yearn.finance, and Roman from Wido about the security of Wido Batches
Wido has been collaborating with yearn.finance for a few months now. The yearn team is truly special when it comes to helping and knowledge sharing. One example is Facu, Product Manager at yearn, who recently reached out to Wido with questions and feedback on security around Wido Batches. We would like to share it with you in this post.
Wido Batches lets you save up to 90% in gas by batching your transaction with others and splitting the gas fee. It's currently available for yearn.finance and we plan to add support for more protocols soon. You can learn how gas savings work for USDC vault migration here.
Hey Facu, good to hear from you. We are seeing a lot of interest in Wido Batches. Last week, 8 people only paid $15 in gas for migrating their yvUSDC into the new vault. This transaction would normally cost over $100 in gas.
Note: Link to the contract Facu mentions
Note 2: EOA stands for externally-owned account
Yes, this is correct. The only thing the EOA can do with users' funds is to run the batch migration.
That is not possible since Wido contracts do not hold users' funds. Users are in possession of their tokens all the time. The only thing the EOA can do is execute the batch, which requires valid signatures from the users. It cannot withdraw funds, change the receiver of the tokens or even update amounts. The tokens are swapped in a single transaction and Wido never holds user tokens.
For every batch Wido executes, it takes a small amount of tokens to reimburse the transaction cost paid in ETH by the EOA. Only those tokens are owned by the contract.
The methods mentioned above are for withdrawing those reimbursed tokens.
Signatures we store are only valid for the specific transaction the user signed for. We are unable to change any parameter like the amount, the token the user is sending, or the output token.
Thank you ser!
This article was written in collaboration with Facu and has been published with Facu's permission. Thanks, Facu!