Is it safe to store signed messages offchain?

I noticed on opensea that whenever I list a NFT, I have to sign a message (unknown message) and it is stored on opensea servers (as per the XHR)

and used later to mint and confirm the transaction.

Is this safe? Is storing a signed message in traditional database safe? what if someone gets hold of the signed message? won’t it be able to create a transaction on my behalf? costing me money and generating an NFT that I didn’t intend to generate?

It is safe to sign that message sent to you in Open Sea.

The message is already signed. It is stored. Block chains are open to the public.

It cannot create the tx on your behalf because it doesn’t have access to your wallet.

I highly recommend starting with the basics of understanding blockchains. I know NFTs are the flashy new tech, but there is a decade of information, technology, and knowledge that you should run through first.

Once I sign the message, where is it stored? It’s definitely not stored on the block chain, cause if it was, I would be paying for it.

my assumption is that opensea acts as a relayer until the trxn is executed onchain.

Good luck.

So when I create a new Item on opensea
OpenSea web app sends a POST request to
with the following meta
“exchange”: “0x5206e78b21ce315ce284fb24cf05e0585a93b1d9”,
“maker”: “0x4b4c03aa5cc0d6d0d8216600000c95286766e5b5”,
“taker”: “0x0000000000000000000000000000000000000000”,
“makerRelayerFee”: “250”,
“takerRelayerFee”: “0”,
“makerProtocolFee”: “0”,
“takerProtocolFee”: “0”,
“makerReferrerFee”: “0”,
“feeMethod”: 1,
“feeRecipient”: “0x5b3256965e7c3cf26e11fcaf296dfc8807c01073”,
“side”: 1,
“saleKind”: 0,
“target”: “0xee45b41d1ac24e9a620169994deb22739f64f231”,
“howToCall”: 0,
“calldata”: “0xf242432a0000000000000000000000004b4c03aa5cc0d6d0d8216615807c95286766e5b500000000000000000000000000000000000000000000000000000000000000004b4c03aa5cc0d6d0d8216615807c95286766e5b5000000000000040000000001000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000a00000000000000000000000000000000000000000000000000000000000000000”,
“replacementPattern”: “0x000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000”,
“staticTarget”: “0x0000000000000000000000000000000000000000”,
“staticExtradata”: “0x”,
“paymentToken”: “0x0000000000000000000000000000000000000000”,
“quantity”: “1”,
“basePrice”: “100000000000000”,
“extra”: “0”,
“listingTime”: “1620046435”,
“expirationTime”: “0”,
“salt”: “36776231497135101909753608611438777234281770259793535791838678230584081080104”,
“metadata”: {
“asset”: {
“id”: “34057769318866170372284585028002476124188730457198868474403863682394003341313”,
“address”: “0xee45b41d1ac24e9a620169994deb22739f64f231”,
“quantity”: “1”
“schema”: “ERC1155”
“v”: 28,
“r”: “0xd87bca24cd3757f6cb1bd9280055bbc41e0fb4ca9cb8098fbf33a32e0e94595a”,
“s”: “0x4a3a56d324ef85eb45ea31a4e98cf20441b95e6043931abfd6b9e4a4dabb0eb7”,
“hash”: “0x4663d7558a535a5151fd65dc0e64bb16ef002b4a0b2fcba3aa9032d31e1db396”

This makes it clear that
0x5206e78b21ce315ce284fb24cf05e0585a93b1d9 is the Wayvern Exchange contract
0x4b4c03aa5cc0d6d0d8216600000c95286766e5b5 is the maker (i.e seller/me)
2.5% is the relayer fee (relayer is opensea)

and the hash of this meta info is what I sign and is relayed off-chain (similar to 0x protocol) by opensea until the transaction is executed on-chain

@Yoshiko please correct me if I’ve got this wrong

(Ps. @Yoshiko Sorry if I offended you in any way… just trying to understand this :slight_smile: Thanks for the links above :hugs: )

I think it is okay to store signed message offchain, but the key point is that you should know what message you have signed.

That is exactly what I’ve been trying to figure out in the case of opensea (since, as a user, it doesn’t really tell me what is it that I’m signing)

I think we can consider this sorted for now!

Hope my above message helps anyone wondering what is that hash you are signing when listing an asset on opensea

1 Like