Best practices to limit Gas Manager spend
Gas Manager Policy Configurations
Alchemy’s Gas Manager provides you with various methods to configure spend limits and allowlists / blocklists that are eligible for sponsorship. These can be configured either on our dashboard or via our Gas Manager Admin API endpoints.
Configure Max Spend Per UO: You can configure the maximum amount of USD that can be spent by a single user operation (maxSpendPerUoUsd).
Configure Max Spend Per Account: You can configure the maximum amount of USD that can be spent by a single sender (maxSpendPerSender).
Configure Allowlists / Blocklists: You can configure the list of addresses that are allowed / blocked to receive sponsorship via senderAllowlist and senderBlocklist.
Configure Max Spend per Policy: You can configure the maximum amount of USD that can be spent by the Gas Manager for your policy.
Protect your API keys and Policy IDs
We highly recommend following good security practices to protect your API key and policy IDs in your application code. Here are some best practices to protect your Alchemy API key:
Use Alchemy provider level settings: Alchemy allows you to configure and restrict the IP addresses or domains that can use the key. More information on this can be found here.
Use secret management tools: Keep your API keys and policy IDs secret using secret management tools like AWS Secrets Manager, Azure Key Vault, HashiCorp Vault or Google Secret Manager. Leaking this information could allow malicious actors to send unauthorized transactions that will be billed to your account.
Encrypt your keys over network requests: Ensure that your API key / policy ID is encrypted over network requests. If your frontend requires access to an API, use a backend proxy to relay requests securely. Avoid logging API keys or policy IDs in their raw form. You can find more information on how to use JWTs for API requests here.
Build with Sybil resistance in mind
A Sybil attack is a type of security threat where a single entity creates and controls multiple fake identities or nodes to manipulate or disrupt a network. In order to protect your application from Sybil attacks, you could:
Implement identity verification: To make it harder for a malicious user or bot to send multiple sponsorship requests from different user accounts, you could implement identity verification via social login or phone number, or use a simple proof-of-humanity check such as a CAPTCHA.
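As an added example that is not Alchemy's own code or Admin API, the JavaScript below models the checks behind the policy settings listed above and replays a Sybil-style scenario against them, showing why the per-policy cap is the backstop when an attacker rotates sender addresses. The function names, the request shape, the maxSpendPerPolicyUsd field name and the rule that an empty allowlist imposes no restriction are assumptions made for this example.

```javascript
// Constructed sample policy. Field names maxSpendPerUoUsd, maxSpendPerSender,
// senderAllowlist and senderBlocklist come from the page; maxSpendPerPolicyUsd
// is an assumed name for the per-policy cap the page describes.
const examplePolicy = {
  maxSpendPerUoUsd: 0.5,     // USD cap for a single user operation
  maxSpendPerSender: 2.0,    // cumulative USD cap per sender address
  maxSpendPerPolicyUsd: 5.0, // cumulative USD cap for the whole policy
  senderAllowlist: [],       // empty = every non-blocked sender is eligible (assumption)
  senderBlocklist: ["0x000000000000000000000000000000000000dead"], // constructed address
};
// Gate that applies the policy to sponsorship requests and tracks spend.
function createSponsorshipGate(policy) {
  const allow = new Set(policy.senderAllowlist.map((a) => a.toLowerCase()));
  const block = new Set(policy.senderBlocklist.map((a) => a.toLowerCase()));
  const spentBySender = new Map(); // sender -> USD already sponsored
  let spentByPolicy = 0;           // USD sponsored across all senders
  const deny = (reason) => ({ sponsored: false, reason });
  return {
    // Decide whether one user operation from `sender` costing `estimatedUsd`
    // may be sponsored; the spend is recorded only when it is approved.
    evaluate(sender, estimatedUsd) {
      const s = sender.toLowerCase();
      if (block.has(s)) return deny("sender is on senderBlocklist");
      if (allow.size > 0 && !allow.has(s)) return deny("sender not on senderAllowlist");
      if (estimatedUsd > policy.maxSpendPerUoUsd) return deny("exceeds maxSpendPerUoUsd");
      const senderSpent = spentBySender.get(s) ?? 0;
      if (senderSpent + estimatedUsd > policy.maxSpendPerSender) return deny("exceeds maxSpendPerSender");
      if (spentByPolicy + estimatedUsd > policy.maxSpendPerPolicyUsd) return deny("exceeds maxSpendPerPolicyUsd");
      spentBySender.set(s, senderSpent + estimatedUsd);
      spentByPolicy += estimatedUsd;
      return { sponsored: true, reason: "ok" };
    },
    // Running totals, e.g. to alert before a cap is hit.
    totals: () => ({ spentByPolicy, spentBySender: Object.fromEntries(spentBySender) }),
  };
}
// Sybil-style scenario: one operator rotating through fresh sender addresses.
// Per-sender caps restart with each new address, so only the policy-wide cap ends the drain.
function simulateSybilDrain(policy, senderCount, opsPerSender, usdPerOp) {
  const gate = createSponsorshipGate(policy);
  let sponsored = 0, denied = 0;
  for (let i = 1; i <= senderCount; i++) {
    const sender = "0x" + String(i).padStart(40, "0"); // constructed addresses
    for (let j = 0; j < opsPerSender; j++) {
      if (gate.evaluate(sender, usdPerOp).sponsored) sponsored++; else denied++;
    }
  }
  return { sponsored, denied, spentByPolicy: gate.totals().spentByPolicy };
}
```

With the sample policy, three rotating senders sending four 0.5 USD operations each get 10 sponsored and 2 denied: the per-sender cap never triggers, and only maxSpendPerPolicyUsd stops the drain at 5 USD.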