Chat with Facu from yearn.finance about Wido Together and its security model

Conversation between Facu, Product Manager at yearn.finance, and Roman from Wido about the security of Wido Together

Wido has been collaborating with yearn.finance for a few months now. The yearn team is truly special when it comes to helping and knowledge sharing. One example is Facu, Product Manager at yearn, who recently reached out to Wido with questions and feedback on security around Wido Together. We would like to share it with you in this post.

Wido Together lets you save 80%+ in gas by batching your transaction with others and splitting the gas fee. It's currently available for yearn.finance and we plan to add support for more protocols soon. You can learn how gas savings work for USDC vault migration here.

Facu: Hey ser how are you. I have been following your progress, it's really cool!

Hey Facu, good to hear from you. We are seeing a lot of interest in Wido Together. Last week, 8 people only paid $15 in gas for migrating their yvUSDC into the new vault. This transaction would normally cost over $100 in gas.

Facu: I've just realised that the owner of the contract that does the migrations is an EOA, is that correct?

Note: Link to the contract Facu mentions

Note 2: EOA stands for externally-owned account

Yes, this is correct. The only thing the EOA can do with users' funds is to run the batch migration.

Facu: So is it possible for the contract owner to take control of users' funds?

That is not possible since Wido contracts do not hold users' funds. Users are in possession of their tokens all the time. The only thing the EOA can do is execute the batch, which requires valid signatures from the users. It cannot withdraw funds, change the receiver of the tokens or even update amounts. The tokens are swapped in a single transaction and Wido never holds user tokens.

Facu: So what about those methods in the contract? Can the EOA withdraw user's tokens?

Screenshot from Etherscan

For every batch Wido executes, it takes a small amount of tokens to reimburse the transaction cost paid in ETH by the EOA. Only those tokens are owned by the contract.

The methods mentioned above are for withdrawing those reimbursed tokens.

Facu: All cool then but what about the signatures with permit?

Signatures we store are only valid for the specific transaction the user signed for. We are unable to change any parameter like the amount, the token the user is sending, or the output token.

Facu: Oh ok, that's cool then. I have been following your progress, it's really cool :). Keep building ser 💪

Thank you ser!

This article was written in collaboration with Facu and has been published with Facu's permission. Thanks, Facu!