Closed Ivshti closed 4 years ago
Issue Status: 1. Open 2. Started 3. Submitted 4. Done
This issue now has a funding of 1000.0 DAI (1000.0 USD @ $1.0/DAI) attached to it as part of the AdExNetwork fund.
Issue Status: 1. Open 2. Started 3. Submitted 4. Done
The funding of this issue was increased to 1800.0 DAI (1800.0 USD @ $1.0/DAI) .
Issue Status: 1. Open 2. Started 3. Submitted 4. Done
Work has been started.
These users each claimed they can complete the work by 1 week, 3 days from now. Please review their action plans below:
1) ridesolo has started work.
I Will learn about DKIM signatures and carry out steps to make the contract 3) bakaoh has started work.
My submission https://github.com/bakaoh/solidity-dkim 4) nionis has started work.
my submission: https://github.com/nionis/solidity-dkim
feel free to poke me on discord for any questions!
Learn more on the Gitcoin Issue Details page.
hello @Ivshti ,
hope you are doing well, I have tested on-chain verification for RSA-SHA256 and RSA-SHA1 with multiple providers and it worked fine since most providers use RSA-SHA256, for RSA-SHA1 I have used a personal mail server to generate the email with RSA-SHA1 the test was also successful
however for ed25519 I'm still working on it, the solidity contract provided as reference does not do the signature verification following my understanding also, do we need to check any kind of data inside the contract like the from field since it should be required to update the password hash for example ? except the hashing itself.
Issue Status: 1. Open 2. Started 3. Submitted 4. Done
Work for 1800.0 DAI (1800.0 USD @ $1.0/DAI) has been submitted by:
@Ivshti please take a look at the submitted work:
Hey everyone (@RideSolo, @bakaoh, @nionis) - we are in the middle of the judging process. You all did a great job! We did not expect to have 3 independent full submissions.
We may run a few days late with the decision - we'll certainly be ready by Friday (15th)
@Ivshti thanks for the feedback
Again, sorry for the delay.
We'll be announcing the results on Monday, stay tuned!
Hello everyone,
What's great: you all implemented working solutions with proper tests! We were very impressed - we certainly didn't expect 3 working solutions.
What's still to be desired: none of the solutions actually checked for a particular From
(sender), which is critical for a password recovery scheme based on this; furthermore, none of the solutions checked if the bodyHash
is actually part of the canonicalizedHeaders
that are getting signed
What we decided: all of the solutions had different advantages. We tried an elaborate points scoring system and you all came close to each other. So we decided, instead of rewarding only one solution, to increase the reward and split it between first/second/third places.
Here are the results:
From
header is a certain value; the code quality was also impressive, given the hard taskHere's what's included in the points scoring system (based on the "submission requirements" and "judging criteria"):
We will be distributing the actual rewards ASAP, it may require some assistance from Gitcoin because of the splitting.
Thanks to everyone involved in this bounty! Once again, you did an awesome job!
We still need more work to turn this into a working PoC, so stay tuned for updates!
thanks @Ivshti, it's so much fun working on this bounty
I'm really glad that I participated to this hackathon, and I will be happy to work further to maintain this project
@Ivshti thank you for taking time to look into it very thoroughly, much appreciated. Please let me know if you would like to collaborate!
@bakaoh I also believe the on-chain parsing implementation is very impressive. Great job!
⚡️ A tip worth 2.75000 ETH (502.25 USD @ $182.64/ETH) has been granted to @ivshti for this issue from @vs77bb. ⚡️
Nice work @ivshti! To redeem your tip, login to Gitcoin at https://gitcoin.co/explorer and select 'Claim Tip' from dropdown menu in the top right, or check your email for a link to the tip redemption page.
Issue Status: 1. Open 2. Started 3. Submitted 4. Done
This Bounty has been completed.
Additional Tips for this Bounty:
⚡️ A tip worth 1100.00000 SAI (1100.0 USD @ $1.0/SAI) has been granted to @ridesolo for this issue from @Ivshti. ⚡️
Nice work @ridesolo! Your tip has automatically been deposited in the ETH address we have on file.
⚡️ A tip worth 750.00000 SAI (750.0 USD @ $1.0/SAI) has been granted to @nionis for this issue from @Ivshti. ⚡️
Nice work @nionis! Your tip has automatically been deposited in the ETH address we have on file.
⚡️ A tip worth 650.00000 SAI (650.0 USD @ $1.0/SAI) has been granted to @bakaoh for this issue from @Ivshti. ⚡️
Nice work @bakaoh! Your tip has automatically been deposited in the ETH address we have on file.
Challenge description:
Since most emails are signed cryptographically through DKIM, and contain enough data to prove who the sender is (from wikipedia: "the From: field must always be signed"), we can use that for recovering Ethereum accounts.
How it would help: it could enable a next-generation UX for dapps where you can sign up with an email/password, without making big security compromises, and with an ability to change your password and recover your account.
Of course, it's not a silver bullet, as you're ultimately trusting your email provider. But trusting the email provider is significantly more realistic for most people than trusting a startup to keep your private key.
The challenge is to build a proof of concept that verifies a real DKIM signature from an email generated by Gmail, via a Solidity smart contract, on-chain, within a reasonable gas limit.
Technical details
We basically need a solidity contract to verify the DKIM-Signature field based on a certain
body
; It needs to check the signature agianst the_domainkey
TXT record for the domain, for which we'll need a key "oracle": for this PoC, it's sufficient to just hardcode the_domainkey
records forgmail.com
and any other large providers, but in the future, we'll need a proper oracle that can read the_domainkey
record for any arbitrary domain.RSA and ed25519 crypto will be needed, which is not supported out of the box but these resources can help:
Submission requirements:
From
header (sender) is a particular email (NOTE: this requirement was omitted at the time of the hackathon launch so you won't be judged based on it)Submission deadline:
Judging criteria:
Judging date:
Bounty
Further bonuses available if it works with multiple signature schemes and multiple email providers.