Can one contract own tokens of another one

if I got it right smart contracts do not have a private key, so they can not sign transactions. The first transaction is signed buy the user and if a contract calls another contract and so on, those transactions are also signed buy the user. So, what if we have two ERC20 contracts A and B and B holds some A tokens.

contract A{
//balance of contract B

function transfer(address _to, uint256 _value) public {
        _transfer(msg.sender, _to, _value);

contract B{
    //address this=0xE4e5a16C8fx207a07f7df98e3a85e2067feacB9w

What if some user pretend to to be a contract B calling contract A? I mean he will sign the sequence of transactions where the last one would not come from the contract B, but contract A will think so.

It will look like this:

  data: "0xa9059cbb000000000000000000000000cf2ee9c0dccd39aac2fd44b744270f50f8af13b00000000000000000000000000000000000000000000000000000000000000064",
  from: "0xE4e5a16C8fx207a07f7df98e3a85e2067feacB9w ",//address B
  gas: 210000,
  gasPrice: 1,
  nonce: "24",
  to: "0xa6d90569018967c5esc7d056f74eg4hc3j8ae93" //address A

If he do so, it is possible for him, using function transfer in contract A and passing in it his own address to steal tokens from contract B balance in contract A.

So am I right and this is really possible or I made a mistake somewhere? And if it is possible, how in this case a contract can own tokens of other contracts?

1 answer

  • answered 2018-03-13 23:21 smarx

    Yes, contracts can own tokens.

    The transaction you specified won't work; you can't just pick a from address. A transaction is sent from an externally owned account (EOA), meaning an account that has a private key. And only the person with that private key can sign such a transaction. See if this blog post helps: