In two days, three hackers have come up with an innovative project that connects the ethereum blockchain to Google systems, allowing you to send eth to an email address and, from that email address, on to another one.
The demo showcased at ETHWaterloo on Sunday makes the process sound far too easy.
You just deposit your eth to your chosen email address through MetaMask and now your email address has your eth, secured by Google’s authorization systems.
Now, presuming you are signed into Google with your email address, you can send your eth by just a click that goes through Google’s OAuth verification.
The above screenshot is difficult to see in detail, but after clicking sign, the page redirects to accounts.google.com, meaning it kind of has nothing to do with the blockchain at this point; it’s just Google keeping accounts.
The eth that was sent to the new email address – without the sender going through the blockchain – was withdrawn by the receiver by going through MetaMask and thus the ethereum network.
Meaning what they have created is an open-ish database (3 billion users) that acts kind of like a second layer where accounts are changing, but not on the blockchain until “settlement.”
The team says they “hacked the Google OAuth nonce field to allow users to sign their sheetcoin transactions which allows us to make sure it’s really you (and google) who wants to move that sheetcoin.”
They call it sheetcoin because this was meant as a jab “that points out how many ERC-20s have an owner account with admin privileges.”
After the DAO hack, the vast majority of smart contracts added a super-key that can override users’ on-chain balances in that smart contract, as was most famously illustrated when Bancor overrode accounts after a hack.
The point being made is that if you have that power, you might as well use Google Sheets, which they didn’t think you could do, but it’s precisely what this team has done.
Sunny Aggarwal, a member of the winning team and a Computer Sciences student at UC Berkeley, says:
“The sheet has a private key variable, and it signs the [withdrawal transaction]. It acts as an oracle, but the key is we don’t want to steal people’s money. So what we do is: on the ethereum side we also verify the user did make a request to withdraw those funds.
So we actually verify the OAuth signatures on ethereum. These are RSA encoded, it’s expensive, but people love sheetcoin, they’re not going to withdraw that often anyways.”
The way they verify is by building a wallet into Google Sheets View, so there’s a connection to the blockchain through which they verify the signatures, but they say they need to add “the trustless RSA signature recovery so that no one can run off with anyone else’s money.”
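As an added illustration (not the sheetcoin team's code, and run off-chain in Python rather than on ethereum), the example below shows the check this design depends on: an RS256-signed ID token is accepted for a transfer only if its RSA signature verifies and its nonce claim matches that exact transaction. The binding of the nonce to a SHA-256 hash of the transaction, the function names, the sample addresses and the toy key built from two Mersenne primes are assumptions made for the example, and a local function stands in for the identity provider.

```python
import base64, hashlib, json

# Constructed, INSECURE demo key (two Mersenne primes); never use such a key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def pkcs1_encode(msg: bytes) -> bytes:
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()  # DigestInfo (RFC 8017)
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def tx_nonce(tx: dict) -> str:
    """Assumed binding: nonce = SHA-256 of the canonical JSON transaction."""
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).hexdigest()

def issue_token(email: str, nonce: str) -> str:
    """Stand-in for the identity provider signing an RS256 ID token."""
    head = b64u(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps({"email": email, "nonce": nonce}).encode())
    em = pkcs1_encode(f"{head}.{body}".encode())
    sig = pow(int.from_bytes(em, "big"), D, N)
    return f"{head}.{body}.{b64u(sig.to_bytes(K, 'big'))}"

def verify_transfer(token: str, tx: dict) -> bool:
    """Accept tx only if the token is validly signed and bound to this tx."""
    try:
        head, body, sig = token.split(".")
        alg = json.loads(b64u_dec(head))["alg"]
        claims = json.loads(b64u_dec(body))
        s = int.from_bytes(b64u_dec(sig), "big")
        em = pkcs1_encode(f"{head}.{body}".encode())
        return (alg == "RS256" and s < N
                and pow(s, E, N).to_bytes(K, "big") == em
                and claims["email"] == tx["from"]
                and claims["nonce"] == tx_nonce(tx))
    except (ValueError, KeyError, TypeError):
        return False

TX = {"from": "alice@example.com", "to": "bob@example.com", "amount_wei": 10**16}  # constructed
TOKEN = issue_token(TX["from"], tx_nonce(TX))
```

A production verifier would also check the token's `iss`, `aud` and `exp` claims and use the provider's published signing keys.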
They say they’ve developed a system that allows you to “deploy an identity contract and then recover it using Google Sign-In,” with this all just a proof of concept built in a weekend hackathon.
It won a prize, however, and it’s arguably the top project to come out of this year’s ETHWaterloo hackathon over the weekend.
It is clearly a fairly centralized semi-custodian solution with quite a bit of trust involved, but for small amounts of $20 it could be a somewhat fun way of introducing people to internet money.