Security Question - Cloud Signed Messages

I am in need of a way to sign messages from a cloud function from a trusted signer and have been able to get it working. My only concern is security for this type of operation. I have put a private key in the config and require the master key to be used for it.

Here is my code:

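Moralis.Cloud.define("SignMessage", async (request) => {
  // ethers instance for chain 0x13881 (80001, Polygon Mumbai testnet)
  const web3 = await Moralis.ethersByChain("0x13881");
  // Read the trusted signer's private key from Moralis Config; the master key is required
  const config = await Moralis.Config.get({ useMasterKey: true });
  const signer = config.get("TrustedSigner");
  const trustedSigner = new web3.ethers.Wallet(signer);
  // Hash the packed (uint256 battleId, address winner) pair taken from the request
  const msg = web3.ethers.utils.solidityKeccak256(['uint256', 'address'], [request.params.battleId, request.params.winner]);
  // Sign the 32-byte hash as an EIP-191 personal message
  const signedMessage = await trustedSigner.signMessage(web3.ethers.utils.arrayify(msg));
  return signedMessage;
});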

How secure would the private key be in this case? Are there better solutions to achieve this through Moralis?

This would not be the best solution. You should take extra security measures in this case, like having a way to revoke that private key in case it is compromised.

From the contract we do have a way to change the trusted signer address in the case the PK is compromised. We could then also change the PK to be for that new address in our Moralis config. Are there any better solutions for server-side signed messages?

There are several steps in the contract before this signed message can be used. So even if compromised, it would have very limited capabilities.

Essentially users queue in our smart contract, when two get matched they engage in a “battle”, which is done off-chain. Then when one player wins, we sign a message to allow them to claim victory. Only one of the two players that are in a specific battle is capable of using each signed message.

A better solution would be to use a different server that only you have access to.
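
A validation gate for the signing path discussed in this thread, as an added example that is not part of any post and is not Moralis code. The posted function signs whatever battleId and winner arrive in request.params, so this gate checks them against a server-side battle record before calling the signer, which here is a callback standing in for the separate signing server. BattleSigningGate, the battle record shape, the signer callback and the decimal-string battleId are all assumptions.

```javascript
// Added example. All names are hypothetical, not Moralis or project APIs.
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;
const UINT256_LIMIT = 2n ** 256n;
const deny = (reason) => ({ ok: false, reason });

class BattleSigningGate {
  // battles: Map of battleId (decimal string) -> { players: [a, b], winner: address | null },
  //          written by the off-chain battle engine, never taken from the request.
  // signer:  (battleId, winner) => Promise<signature>; stands in for the call to the
  //          separate signing server that holds the trusted signer key.
  constructor(battles, signer) {
    this.battles = battles;
    this.signer = signer;
    this.issued = new Map(); // battleId -> Promise<signature>
  }

  // Decide whether the request matches a recorded result. No key material is touched here.
  check(params) {
    const { battleId, winner } = params || {};
    if (typeof battleId !== 'string' || !/^[0-9]{1,78}$/.test(battleId) ||
        BigInt(battleId) >= UINT256_LIMIT) {
      return deny('battleId is not a uint256');
    }
    if (typeof winner !== 'string' || !ADDRESS_RE.test(winner)) return deny('winner is not an address');
    const id = BigInt(battleId).toString(); // canonical form: "007" -> "7"
    const battle = this.battles.get(id);
    if (!battle) return deny('unknown battle');
    if (!battle.winner) return deny('battle not resolved');
    const want = winner.toLowerCase();
    if (!battle.players.some((p) => p.toLowerCase() === want)) return deny('winner is not a player in this battle');
    if (battle.winner.toLowerCase() !== want) return deny('winner does not match recorded result');
    return { ok: true, battleId: id, winner: battle.winner };
  }

  // Forward to the signer only after check() passes, and only once per battle.
  sign(params) {
    const verdict = this.check(params);
    if (!verdict.ok) return Promise.reject(new Error(verdict.reason));
    if (!this.issued.has(verdict.battleId)) {
      this.issued.set(verdict.battleId,
        Promise.resolve(this.signer(verdict.battleId, verdict.winner)));
    }
    return this.issued.get(verdict.battleId);
  }
}

// Constructed sample record: battle 7, resolved in favour of the first player.
const SAMPLE_PLAYERS = ['0x' + '11'.repeat(20), '0x' + '22'.repeat(20)];
const SAMPLE_BATTLES = new Map([['7', { players: SAMPLE_PLAYERS, winner: SAMPLE_PLAYERS[0] }]]);
```

With the gate in the request handler, a compromise of that handler exposes the ability to request signatures for recorded results, not the key itself.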