kudos-ink / contracts

Kudos Ink - Encode Hackathon Winning project
https://www.youtube.com/watch?v=zw07lCW639w

register_identity function allows the registration of any valid user from GitHub, even if they are not the actual owner. #6

Open leapalazzolo opened 9 months ago

leapalazzolo commented 9 months ago

We need to enhance the registration process for GitHub users, which we use to map account IDs. Currently, there's a vulnerability where anyone can register any GitHub user, posing a risk of 'identity theft.' This situation prevents the real user from utilizing the solution effectively since they won't be able to claim the rewards. Even though we talked in the past about paying a small amount of money when registering a new identity, this may not fix the problem.

Some quick solutions:

ipapandinas commented 9 months ago

I agree 🙌

We could simplify the process by eliminating the need for identity registration and instead have contributors directly include their public address in the description of their pull request (PR). We could suggest a template for this. Once the PR is approved, a proof of contribution is recorded in the contract, but it remains unclaimable at this stage. Contributors will only be able to claim their due when the issue is officially closed. A significant benefit of this approach is the flexibility. For example, incentives can be shared among multiple contributors working on the same issue.

Let name service providers manage identities, it's not our fight 🤘
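The flow proposed in the comment above, sketched as an added example that is not part of the thread or of the kudos-ink contracts: a plain-Rust model (no ink! dependency) in which a contribution is recorded at PR approval, stays unclaimable until the issue is closed, and is split by weight among contributors. All type and function names are hypothetical, and the `owner` is assumed to be a trusted maintainer key or bot.

```rust
use std::collections::HashMap;

// Plain-Rust model of the proposed flow; no ink! dependency.
// Every name below is hypothetical, not taken from the kudos-ink contracts.
type Address = [u8; 32];

#[derive(Debug, PartialEq)]
pub enum Error { NotOwner, UnknownIssue, StillOpen, AlreadyClosed, ZeroWeight, NothingToClaim }
#[derive(Default)]
struct Issue { reward: u64, closed: bool, total: u64, shares: HashMap<Address, u64> }
pub struct Rewards { owner: Address, issues: HashMap<u64, Issue> }

impl Rewards {
    pub fn new(owner: Address) -> Self { Self { owner, issues: HashMap::new() } }

    // Owner-only access to an issue's state, shared by the admin calls.
    fn admin(&mut self, caller: Address, id: u64) -> Result<&mut Issue, Error> {
        if caller != self.owner { return Err(Error::NotOwner); }
        self.issues.get_mut(&id).ok_or(Error::UnknownIssue)
    }

    // Registers a reward for an issue; an existing issue is never overwritten.
    pub fn open_issue(&mut self, caller: Address, id: u64, reward: u64) -> Result<(), Error> {
        if caller != self.owner { return Err(Error::NotOwner); }
        self.issues.entry(id).or_insert(Issue { reward, ..Default::default() });
        Ok(())
    }

    // PR approved: record a weighted proof of contribution for the address
    // taken from the PR description. Nothing is claimable yet.
    pub fn record(&mut self, caller: Address, id: u64, who: Address, weight: u32) -> Result<(), Error> {
        let issue = self.admin(caller, id)?;
        if issue.closed { return Err(Error::AlreadyClosed); }
        if weight == 0 { return Err(Error::ZeroWeight); }
        *issue.shares.entry(who).or_insert(0) += u64::from(weight);
        issue.total += u64::from(weight);
        Ok(())
    }

    pub fn close_issue(&mut self, caller: Address, id: u64) -> Result<(), Error> {
        self.admin(caller, id).map(|issue| issue.closed = true)
    }

    // Only a recorded address can claim, once, and only after closure.
    pub fn claim(&mut self, caller: Address, id: u64) -> Result<u64, Error> {
        let issue = self.issues.get_mut(&id).ok_or(Error::UnknownIssue)?;
        if !issue.closed { return Err(Error::StillOpen); }
        let weight = issue.shares.remove(&caller).ok_or(Error::NothingToClaim)?;
        Ok((u128::from(issue.reward) * u128::from(weight) / u128::from(issue.total)) as u64)
    }
}
```

Because the payout address is recorded by the owner per contribution, no GitHub handle is ever registered, so a third party has no handle to squat; integer division can leave a small remainder unpaid in the issue's reward.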

leapalazzolo commented 9 months ago

I like the idea.

We can consider having both implementations/templates:

Regarding the implementation, we could use PR templates to obtain the addresses or use a bot to register specific information in the contribution from the issue (using a command like /bot register_address 0x...0 0x...1).

ipapandinas commented 9 months ago

After some investigation, Phala Phat contracts can be used as oracles to properly register GitHub handles as identities. This is implemented in this workshop.