In the moralis docs it is specified that it’s not recommended to sign transactions in a cloud function with a private key. However my use case does require this, so I was wondering, what are some security measures that can be taken to prevent someone compromising the private key and to not exploit the smart contract.
My use case is as follows:
I’m implementing an erc-20 token that holders of an NFT earn each day. I want to handle the logic of computing the reward off chain to save on gas costs. The app would give the user a signature from a specific wallet which they can use in the smart contract to claim their tokens. The smart contract checks the signature as well as the signed data (for example that the msg.sender was used in the signed data) and then updates the users balance. Now the biggest risk would be that someone compromises the private key on the cloud and generates a signature to claim infinite tokens for themselves. Any idea how to secure this and makes this chance as low as possible?
The reason to handle the logic off chain is that it takes too much gas to claim the tokens by providing each nft id of a holder. A person holding 250 NFTs would need to provide 250 tokens which would make the transaction use between 0.3 and 0.7 eth in gas at worst.