TEP: Wallet registry for dapps #92

Open
wants to merge 1 commit into
base: master

@talkol talkol commented Sep 11, 2022

This standard defines an on-chain registry to hold a list of wallet providers (such as TonKeeper and TonHub) and allows TON dapp clients to query this list before displaying the "Connect Wallet" screen.

@talkol talkol changed the title TEP-91: Wallet registry for dapps TEP-92: Wallet registry for dapps Sep 11, 2022

ex3ndr commented Sep 12, 2022

I don't see how this registry could be completely decentralized: right now one of the wallets for TON uses our (Tonhub) sources in violation of its license, and they would be able to put themselves into a list with legitimate wallets.

This is the same reason why Metamask changed their license to kill copycats. I have experience in the past with other open-source products, and they all are under constant threat of phishing wallets. Ledger is another excellent example - there are so many fake apps that are just a fork of a Ledger app that asks for a seed phrase.

Pretty much the issue is the same as a lot of fake "USDC(T)" coins in virtually any network.

@hacker-volodya hacker-volodya changed the title TEP-92: Wallet registry for dapps TEP: Wallet registry for dapps Sep 12, 2022

talkol commented Sep 12, 2022

@ex3ndr I understand your concern about fraudulent wallets. I'm personally fine with any of these alternatives:

  1. Giving the foundation a master key that will allow the foundation to delete a fraudulent wallet from the registry in extreme scenarios (the deposit of this wallet will not be returned to discourage them from registering)
  2. Moving the registry from a contract to a foundation-hosted JSON file (like global.config.json) that contains the list of domains of all wallets - this is a bit more centralized but still works and achieves most goals
  3. Ignoring the problem and saying that it should be resolved off-chain by taking legal action against the fraudulent wallet in the real world. This may be similar to some entity registering a TON DNS name that has a trademark and using it for phishing - like binance.ton or coinbase.ton - TON DNS does not attempt to resolve this issue on-chain

I wonder what @EmelyanenkoK @tolya-yanot think


## Wallet registry contract

The contract holds a list of TON DNS names of wallet providers in its persistent storage. Anyone can add a new TON DNS name to the list. To reduce spam, we propose to require a deposit of 1,000-10,0000 TON Coin for registration that will be held by the contract and returned if the wallet provider unregisters.

Suggested change
The contract holds a list of TON DNS names of wallet providers in its persistent storage. Anyone can add a new TON DNS name to the list. To reduce spam, we propose to require a deposit of 1,000-10,0000 TON Coin for registration that will be held by the contract and returned if the wallet provider unregisters.
The contract holds a list of TON DNS names of wallet providers in its persistent storage. Anyone can add a new TON DNS name to the list. To reduce spam, we propose to require a deposit of 1,000-10,000 TON Coin for registration that will be held by the contract and returned if the wallet provider unregisters.
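
Review bot: the deposit in the registration sentence is still given as a range ("1,000-10,000 TON Coin") rather than one amount, so the contract has no single value to enforce and two implementations of this text could disagree. State the exact deposit, or say who sets it and how it may change. The same sentence says the deposit is "returned if the wallet provider unregisters" while "Anyone can add a new TON DNS name"; it should also say who is allowed to unregister a name and receive the refund.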


## Wallet registry contract

The contract holds a list of TON DNS names of wallet providers in its persistent storage. Anyone can add a new TON DNS name to the list. To reduce spam, we propose to require a deposit of 1,000-10,0000 TON Coin for registration that will be held by the contract and returned if the wallet provider unregisters.

The TON value fluctuation issue is relevant here as well - if TON decreases in value temporarily, for example, it exposes the contract to a spam attack.


Gusarich commented Sep 26, 2022

If the registration fee for a wallet is too large, only the largest wallets will afford it, which will lead to a situation similar to Metamask.
If the registration fee is too low, attackers will be able to register malicious wallets and some users will download them.

Also, it's not good to rely on solutions in which everything will be controlled by one organization (for example, TON Foundation), because this is essentially centralization, and it will add a lot of extra work to them like checking wallets for security.

@SupinePandora43

Why are there different ways to connect a wallet? I thought that Ton Connect 2.0 unified everything under ton:// URL 🫠
