CIP-0072: Suggestions for improving dApp registration identity verification #772

Open
wrmarchetto opened this issue Mar 1, 2024 · 4 comments
Labels
Category: Metadata Proposals belonging to the 'Metadata' category.


wrmarchetto commented Mar 1, 2024

Introduction

This is a follow-up to a conversation regarding how a dApp store supporting CIP-0072 should implement controls to mitigate the ability for bad actors to present counterfeit dApps and tokens as being legitimate. Below are some recommendations:

Example Cases

  • A counterfeit NFT collection is minted with identical artwork to the original (only the policy IDs differ).
  • A fake dex website is created, which looks identical to the legitimate site.

Recommendations

To enhance the security and trustworthiness of dApp listings, here are some recommended controls that could be implemented:

Introduce User Voting Mechanism:

Enable users to upvote/downvote projects, with the weight of each vote determined by the user's wallet stake. This on-chain governance approach not only helps mitigate spam and highlight authentic projects but also fosters community engagement.

Verify dApps through Token Verification:

For dApps utilizing tokens (e.g., dexes, games, NFTs), offer the option to sign a verification transaction from the token's mint address. This process grants a verified checkmark on the dApp page, providing users with the highest level of assurance regarding the legitimacy of the project.

Implement a 'Report' Button:

Introduce a 'Report' button on dApp listings to enable users to notify a human moderation team for further review. This mechanism allows for identification and removal of fraudulent dApps by a human moderation team, safeguarding users from potential scams.

Note: If these suggestions are out of scope of CIP-0072 itself, there could perhaps be a set of recommendations published for platforms that intend to utilize this CIP when building dApp aggregation services in order to protect users from scams.
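
One way a store could check the key-to-policy binding behind the token verification idea above. This is an added example, not part of the original post or of CIP-0072; it assumes the "mint address" means a native-script minting policy, and all function names and sample values are hypothetical. The Ed25519 signature check over the store's challenge is assumed to be done separately with a signing library.

```python
import hashlib

def blake2b_224(data):
    return hashlib.blake2b(data, digest_size=28).digest()

def _item(buf, i=0):
    """Decode one definite-length CBOR uint, byte string or array."""
    major, info = buf[i] >> 5, buf[i] & 0x1F
    i += 1
    if info < 24:
        arg = info
    elif info <= 27:
        n = 1 << (info - 24)
        arg, i = int.from_bytes(buf[i:i + n], "big"), i + n
    else:
        raise ValueError("indefinite length not supported")
    if major == 0:
        return arg, i
    if major == 2:
        return buf[i:i + arg], i + arg
    if major == 4:
        out = []
        for _ in range(arg):
            val, i = _item(buf, i)
            out.append(val)
        return out, i
    raise ValueError("unexpected CBOR type in native script")

def signer_key_hashes(script):
    """Key hashes named by sig nodes, walking all / any / n_of_k."""
    tag = script[0]
    if tag == 0:                     # sig: [0, key_hash]
        return {script[1]}
    if tag in (1, 2, 3):             # sub-script list is the last element
        return set().union(*map(signer_key_hashes, script[-1]))
    return set()                     # 4 / 5 are time locks, no key

def key_named_in_policy(policy_id_hex, script_cbor, vkey):
    # A native-script policy ID is blake2b-224 over 0x00 || script CBOR,
    # so a copied collection with another script cannot reuse the ID.
    if blake2b_224(b"\x00" + script_cbor).hex() != policy_id_hex.lower():
        return False
    script, end = _item(script_cbor)
    return end == len(script_cbor) and blake2b_224(vkey) in signer_key_hashes(script)

# Constructed sample: all[ sig(VKEY), invalid_hereafter(slot) ], a common NFT policy shape.
VKEY = bytes(range(32))
SCRIPT = (b"\x82\x01\x82" + b"\x82\x00\x58\x1c" + blake2b_224(VKEY)
          + b"\x82\x05\x1a\x07\x5b\xcd\x15")
POLICY_ID = blake2b_224(b"\x00" + SCRIPT).hex()
```

A key that appears only under an `any` or `n_of_k` node is one of several possible signers, so a store may want to treat that case differently from a key required by `all`.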

@rphair rphair added the Category: Metadata Proposals belonging to the 'Metadata' category. label Mar 2, 2024
Collaborator

rphair commented Mar 2, 2024

@wrmarchetto it might be within the scope of CIP-0072 with respect to Stores / Auditors > "integrity and trust validations" but personally I don't have the right practical experience to assess your recommendations. I've added it to the agenda of our next CIP meeting (https://hackmd.io/@cip-editors/83) so other editors & relevant devs can decide where to go with this.

@danielmain @matiwinnetou please also let us know if & how you think we should proceed with this.

Collaborator

Ryun1 commented Mar 3, 2024

@wrmarchetto
To me these sound more like implementation details of a platform showing CIP72 compliant metadata.

What could such suggestions look like?

@wrmarchetto wrmarchetto changed the title CIP-0072: Suggestions for improving dApp registration identity registration CIP-0072: Suggestions for improving dApp registration identity verification Mar 3, 2024
@vhulchenko-iohk
Contributor

Hey @wrmarchetto,

Thanks for your suggestions above! I really like and agree with your recommendations. As @rphair mentioned above, we can list them under a dedicated section called "integrity and trust validations" for DApp publishing apps to consider for implementation.

The only thing is the Verify dApps through Token Verification feature. I would love to dive into this topic more to understand how much work it might be to implement on the DApp publishing app side of things.

Collaborator

rphair commented Mar 5, 2024

@vhulchenko-iohk: As @rphair mentioned above, we can list them under a dedicated section called "integrity and trust validations" for DApp publishing apps to consider for implementation.

When I made #772 (comment) I was thinking that some of these ideas for measuring trust could be mentioned here (within the current CIP scope), but as we said in the meeting today the means of actually doing so would be too complex (and, I believe, likely to disagree upon) to include in the CIP specification itself.

As we further mentioned at the meeting (via @Ryun1 @Crypto2099) these "extensions" to CIP-0072 would well be described in another CIP to propose a specification for metadata with "votes" or other statistics to support an agent's validity, along with a means of interpreting this metadata for CIP-0072 compliant systems.
