How to sign transactions
After calling a crafting endpoint, the API returns an unsigned Ethereum transaction payload. This payload must be signed before it can be broadcast to the network.
Signing is fully handled by your application. The Stakely Staking API never has access to private keys.
The signing concepts and examples described in this section apply to all Ethereum staking flows supported by the API, regardless of the specific staking method used.
Below are common signing approaches supported by Ethereum tooling.
Signing with a private key
Signing with Ethers JS using a Private Key:
This approach uses Ethereum JavaScript libraries to sign transactions locally with a private key.
The crafted transaction payload returned by the API is passed to the signer, which produces a valid Ethereum signature. The resulting signed transaction can then be broadcast to the network.
This method is typically used in backend services, scripts, or environments where private keys are managed directly by the application.
It involves the use of the Ethers JavaScript library, which allows developers to interact with the Ethereum virtual machine directly from a JavaScript application. To sign a transaction, a developer typically imports the SDK, creates a transaction object, and then uses a private key to sign this object. This signing process is crucial as it verifies the identity of the transaction initiator and ensures the transaction cannot be altered without the initiator's consent.
Complete with your own wallet private key or seed at .env
ETHEREUM_WALLET_PRIVATE_KEY=
ETHEREUM_RPC=
ETHEREUM_WALLET_ADDRESS=
EVM_CHAIN_ID=
const { Common, Chain, Hardfork } = require('@ethereumjs/common')
const Transaction = require('@ethereumjs/tx');
const { RLP } = require('@ethereumjs/rlp');
const ethUtil = require('ethereumjs-util');
const { ethers } = require("ethers");
const path = require('path');
require('dotenv').config({ path: path.join(__dirname, './../.env') })
const accountFrom = {
address: process.env.ETHEREUM_WALLET_ADDRESS,
privateKey: process.env.ETHEREUM_WALLET_PRIVATE_KEY,
rpcEndpoint: process.env.ETHEREUM_RPC,
chainId: process.env.EVM_CHAIN_ID
};
const common = new Common({ chain: accountFrom.chainId })
const signUnsignedTxWithPk = async ({serialized_tx_hex, raw_tx_hex_hash}) => {
const serializedTxBytes = ethers.getBytes(serialized_tx_hex);
const rawTxHexHashWithoutPrefix = raw_tx_hex_hash.substring(2);
const txObject = Transaction.TransactionFactory.fromSerializedData(serializedTxBytes, { common });
const txJson = txObject.toJSON();
let num = BigInt(txJson.nonce);
const nonceNormalized = num === 0n ? num : txJson.nonce;
const params = [nonceNormalized, txJson.gasPrice, txJson.gasLimit, txJson.to, txJson.value, txJson.data];
const rawTransaction = RLP.encode(params);
const privateKeyBuffer = Buffer.from(accountFrom.privateKey, 'hex');
const txHashBytes = Buffer.from(rawTxHexHashWithoutPrefix, 'hex');
const signResult = ethUtil.ecsign(txHashBytes, privateKeyBuffer, Number(accountFrom.chainId));
const rBuff = signResult.r;
const sBuff = signResult.s;
const r = rBuff.toString('hex');
const s = sBuff.toString('hex');
const v = signResult.v;
return { r, s, v};
}
// Get serialized_tx_hex and raw_tx_hex_hash from stake action response (reference at doc models StakeActionResponseDTO)
const signature = await signUnsignedTxWithPk({serialized_tx_hex, raw_tx_hex_hash})
// With the Signature you need to pass it to the /prepare endpoint
// Check api reference
- Get the
serialized_tx_hexandraw_tx_hex_hashfrom any of the Stake actions - Pass it to the signer code explaind below
- Once you have the signature proceed calling
action/prepare
Signing using external custodians or MPC wallets
Transactions can also be signed using external custodians or MPC-based wallets. In this setup, private keys are never exposed to the application and signing is delegated to the external signing service.
Fireblocks
Fireblocks is an example of a third-party custodian that can be used to sign Ethereum transactions generated by the Stakely Staking API.
The crafted transaction payload is submitted to Fireblocks through its API. Fireblocks performs the signing operation within its secure environment and returns a signed transaction, which can then be broadcast to the blockchain network.
The following code example demonstrates this flow using the Fireblocks JavaScript/TypeScript SDK.
Complete with your own Fireblocks credentials at .env
FIREBLOCKS_API_SECRET=
FIREBLOCKS_API_KEY=
FIREBLOCKS_BASE_URL=
FIREBLOCKS_VAULT_ID=
const { FireblocksSDK, TransactionOperation, PeerType, TransactionStatus } = require("fireblocks-sdk")
const apiSecret = process.env.FIREBLOCKS_API_SECRET;
const apiKey = process.env.FIREBLOCKS_API_KEY;
const baseUrl = process.env.FIREBLOCKS_BASE_URL;
const vaultId = process.env.FIREBLOCKS_VAULT_ID;
const fireblocks = new FireblocksSDK(apiSecret, apiKey, baseUrl);
const waitForTxCompletion = async (fbTx) => {
try {
let tx = fbTx;
while (tx.status != TransactionStatus.COMPLETED) {
if (
tx.status == TransactionStatus.BLOCKED ||
tx.status == TransactionStatus.FAILED ||
tx.status == TransactionStatus.CANCELLED
) {
throw Error(`Fireblocks signer: the transaction has been ${tx.status}`);
} else if (tx.status == TransactionStatus.REJECTED) {
throw Error(
`Fireblocks signer: the transaction has been rejected, make sure that the TAP security policy is not blocking the transaction`,
);
}
tx = await fireblocks.getTransactionById(fbTx.id);
}
return await fireblocks.getTransactionById(fbTx.id);
} catch (err) {
throw new Error("Fireblocks signer (waitForTxCompletion): " + err);
}
}
const signWithFb = async (unsigned_tx_hash_hex) => {
const assetId = "ETH";
const rawTxHexHashWithoutPrefix = rawTxHexHash.substring(2);
const tx = {
assetId: assetId,
operation: TransactionOperation.RAW,
source: {
type: PeerType.VAULT_ACCOUNT,
id: vaultId
},
note: "Sign transaction from stakely staking api",
"extraParameters": {
"rawMessageData": {
"messages": [
{
"content": rawTxHexHashWithoutPrefix
}
]
}
}
};
const fbTx = await fireblocks.createTransaction(tx);
const result = await waitForTxCompletion(fbTx);
const signature = result.signedMessages[0].signature;
const v = 27 + signature.v;
const r = '0x'+signature.r;
const s = '0x'+signature.s;
return { r, s, v};
}
// Get raw_tx_hex_hash from stake action response (reference at doc models StakeActionResponseDTO)
const signature_hex = await signWithFb(raw_tx_hex_hash);
// With the Signature you need to pass it to the /prepare endpoint
// Check api reference
Steps:
- Get the
unsigned_tx_hash_hexfrom any of the Stake actions - Pass it to the signer code explaind below
- Once you have the signature proceed calling
action/prepare