If I got it right, smart contracts do not have a private key, so they cannot sign transactions. The first transaction is signed by the user, and if a contract calls another contract and so on, those transactions are also signed by the user. So, what if we have two ERC20 contracts A and B, and B holds some A tokens?

    contract A {
        ....
        // balance of contract B
        balanceOf[0xE4e5a16C8fx207a07f7df98e3a85e2067feacB9w]=500;
        function transfer(address _to, uint256 _value) public {
            _transfer(msg.sender, _to, _value);
        }
        ....
    }
    contract B {
        // address this=0xE4e5a16C8fx207a07f7df98e3a85e2067feacB9w
    }

What if some user pretends to be contract B calling contract A? I mean he will sign the sequence of transactions where the last one would not come from contract B, but contract A will think so.
It will look like this:

    {
        data: "0xa9059cbb000000000000000000000000cf2ee9c0dccd39aac2fd44b744270f50f8af13b00000000000000000000000000000000000000000000000000000000000000064",
        from: "0xE4e5a16C8fx207a07f7df98e3a85e2067feacB9w ", // address B
        gas: 210000,
        gasPrice: 1,
        nonce: "24",
        to: "0xa6d90569018967c5esc7d056f74eg4hc3j8ae93" // address A
    }

If he does so, it is possible for him, using the transfer function in contract A and passing his own address to it, to steal tokens from contract B's balance in contract A.
So am I right and is this really possible, or did I make a mistake somewhere? And if it is possible, how can a contract own tokens of other contracts in this case?
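
An added example, not part of the original post: a signed Ethereum transaction carries no `from` field, and a node derives the sender by recovering the public key from the signature (r, s, v), so a `from` value claimed in the request object has no effect on what token A sees as `msg.sender`. The Python model below runs that recovery on secp256k1. Assumptions: SHA-256 over `repr()` stands in for Keccak-256 over RLP, the `data` tuple stands in for ABI-encoded calldata, and all addresses and balances are constructed.

```python
import hashlib, secrets

# secp256k1 parameters (the curve Ethereum uses for transaction signatures)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    m = (3 * a[0] ** 2 * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow(b[0] - a[0], -1, P))
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P
def mul(k, pt):  # double-and-add scalar multiplication
    out = None
    while k:
        if k & 1: out = add(out, pt)
        pt, k = add(pt, pt), k >> 1
    return out

def digest(tx):  # assumption: SHA-256 over repr() instead of Keccak-256 over RLP
    fields = [tx[f] for f in ("nonce", "gasPrice", "gas", "to", "data")]  # no "from"
    return int.from_bytes(hashlib.sha256(repr(fields).encode()).digest(), "big")
def address(pub):  # last 20 bytes of the public-key hash (stand-in hash, see above)
    raw = pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big")
    return "0x" + hashlib.sha256(raw).digest()[-20:].hex()

def sign(priv, tx):  # ECDSA; ignores the negligible r == 0, s == 0, R.x >= N cases
    k = secrets.randbelow(N - 1) + 1
    R = mul(k, G)
    r = R[0] % N
    return r, pow(k, -1, N) * (digest(tx) + r * priv) % N, R[1] & 1
def recover_sender(tx, sig):  # what a node does: derive the sender from (r, s, v)
    r, s, v = sig
    y = pow(r ** 3 + 7, (P + 1) // 4, P)  # square root works because P % 4 == 3
    R = (r, y if y & 1 == v else P - y)
    u = pow(r, -1, N)
    return address(add(mul(s * u % N, R), mul(-digest(tx) * u % N, G)))

def demo():  # constructed sample: user signs a tx whose "from" claims contract B
    priv = secrets.randbelow(N - 1) + 1
    user, B = address(mul(priv, G)), "0x" + "b" * 40  # B: constructed, has no key
    tx = {"from": B, "to": "0x" + "a" * 40, "nonce": 24, "gasPrice": 1,
          "gas": 210000, "data": ("transfer", user, 100)}
    balances = {B: 500, user: 0}  # constructed token-A ledger
    sender = recover_sender(tx, sign(priv, tx))  # token A sees this as msg.sender
    return sender == user, sender == B, balances[sender]
```

`demo()` returns `(True, False, 0)`: the recovered sender is the signing user, not B, so a `transfer` of 100 would be checked against the user's own balance of 0.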