Open 0x4007 opened 6 days ago
@whilefoo maybe you can set up a Cloudflare Worker to be the backend for this idea? I have the client code almost ready
Since we know the app_secret and the user's ID, I think an additional password would ensure that even we can't access their wallet. For example the user calls the API endpoint which generates a salt (hash), then the user's browser/app derives a new salt using the previous salt and user's password. Using this method also ensures that if the app_secret ever gets leaked, the attackers can't access the users' wallets.
Protecting
app_secret
:
- Must remain confidential on the server.
- Rotate the secret periodically and manage salts accordingly.
We can't rotate the secret otherwise we will effectively generate a new wallet for all users and they will lose access to their previous wallet.
- Compute
salt = HMAC_SHA256(app_secret, github_user_id)
on the server.
HMAC_SHA256 is not suitable for this since it's meant to be used for message signature and verification, a plain SHA256 will do.
What's the intended flow after the user claims the reward? Since this is intended for users that are not familiar with crypto, how will they off-ramp the reward?
Off ramp in the near future: payment cards
Mid term: some hacks using stripe/paypal etc
In the long term: we can offer fiat banking, leveraging a partnership of some sort, but it seems like that comes with a ton of strings attached so we will see where we are at connections wise and financially.
Do you have a repo for it? This issue seems to be in the wrong repo
Using GitHub User ID with a Server-Side Secret
Overview:
Approach:
Steps:
Security Considerations:
Advantages:
Implementing Device-Specific Keys:
Conclusion:
Implementation Steps
Server-Side Setup:
app_secret
.Salt Derivation:
salt = HMAC_SHA256(app_secret, github_user_id)
on the server.Client-Side Key Generation:
device_id
on the client (e.g., UUID stored in local storage).device_salt = HMAC_SHA256(salt, device_id)
device_salt
to derive the private key.Gnosis Safe Integration:
device_id
(i.e., the master key).Claiming Rewards:
User Experience Enhancements:
Security Considerations
app_secret
:device_id
and derived keys securely.device_id
is generated, and the device key is added to their Gnosis Safe.device_id
) to add the new device key as an owner if the Safe's threshold requires it.