Message Signing

In order to submit a transaction to the Kima blockchain, the user must sign a message containing the transaction details. This message is signed by the user's wallet and then included in data submitted to the Kima Transaction Backend /submit endpoint.

Message Structure

The message is a string that is signed by the user's wallet. It contains the following information:

• Allowance amount: in whole tokens i.e. 10.23 not 10230000

• Origin token symbol

• Origin chain symbol: see the list of chain symbols in the Supported Assets section

• Target address

• Target chain symbol

Template:

I approve the transfer of {allowanceAmount} {originSymbol} from {originChain} to {targetAddress} on {targetChain}.

Example

Get the message to sign by calling the /submit/fees endpoint and selecting the appropriate version based on whether the user is paying fees from the origin or target chain.

To sign the message, the user's wallet must be connected and the message must be passed to the wallet client sign function. The following is an example of how to sign the message on EVM chains using Viem.

import { Address } from "viem";
import { avalanche } from "viem/chains";

// however these are obtained in your app
import {  getUserWalletAddress, fetchFeeData, getUserFeeChoice } from "../utils";

const walletAddress = getUserWalletAddress()
const feeData = await fetchFeeData()
const isFeeFromOrigin = getUserFeeChoice() // boolean
const message = isFeeFromOrigin
  ? feeData.transactionValues.feeFromOrigin.message
  : feeData.transactionValues.feeFromTarget.message

const walletClient = createWalletClient({
    account: walletAddress as Address,
    chain: avalanche,
    transport: custom(window.ethereum),
})

 const signature = await walletClient.signMessage({
    account: walletAddress as Address,
    message
})

This signature will be passed to the options param of the /submit endpoint.

Why sign a message?

Signing a messge significantly improves security in the following ways:

• The signature is cryptographically verifiable as coming from the user's wallet. This is proof that the user has authorized the transaction.

• The transaction details cannot be modified without invalidating the signature. This prevents a "man in the middle" attack where the destination address is changed to the attacker's address.