Identicon for Contracts

I am looking for a visual identifier for smart contracts that can be used in apps, wallets and explorers.

I am suggesting to use the sha512/256 of the source code and then use minidenticons, it could look like this:

Should this be a SIP?

5 Likes

Love this. Super easy to identify.

Who or how are they allocated or assigned?

@zeroauthority

1 Like

Very interesting. Seems very useful. I wonder if there is a potential security risk?

1 Like

The idea is to reduce the security risk. It is harder to trick users into interacting with a contract that looks similar by address and name but whose code is not. The user can identify this by the identicon.

The identicon is created and assigned to contracts through their source code, in the same way Clarity 4 is doing it.

Furthermore, the same contract code can be identified more easily.

What would be the risk? There can be a risk if users only trust the identicons.

2 Likes

So anyone can obtain it?

Perhaps a verified contract auditor can authorize?

1 Like

Yes, everyone can verify it through the source code.

  1. Take the source code
  2. Build the sha512/256 hash of the source code
  3. Take the hash and show the minidenticon for the hash

If this is adopted by many apps, explorers, wallets, then we can trust the identicons.

Maybe I don’t see the problem..

2 Likes

@friedger @Haddy this looks really cool and could be very useful!

2 Likes

Can a bad actor create a malicious content with a nearly identical/similar identicon?

There are only 294,912 different minidenticons. It is possible to generate the same icons by adding some spaces or so.

Jdenticons is a different library with 873,600 different icons. Is that better?

To represent the full hash we could use a sequence of minidenticons, as suggested in cryptoglyphs (GitHub: Light-Labs/cryptoglyphs-ts)

1 Like
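Added example, not part of any post in this thread and not code from minidenticons or Clarity: the three steps listed above, plus the check that follows from the 294,912-icon limit, namely that software should compare the full SHA-512/256 digest because different sources can land on the same icon. The `icon_bucket` reduction and the sample sources are assumptions made for illustration; only the hash function and the icon count come from the thread.

```python
import hashlib
import hmac

ICON_SPACE = 294_912  # number of distinct minidenticons, as stated in the thread


def contract_fingerprint(source: str) -> bytes:
    """Steps 1 and 2: SHA-512/256 digest of the contract source text."""
    return hashlib.new("sha512_256", source.encode("utf-8")).digest()


def icon_bucket(fingerprint: bytes) -> int:
    """Stand-in for step 3: reduce the digest to one of ICON_SPACE icons.

    Assumption: this is NOT the minidenticons algorithm, only a model of
    any renderer that can draw ICON_SPACE different pictures.
    """
    return int.from_bytes(fingerprint[:8], "big") % ICON_SPACE


def same_code(source_a: str, source_b: str) -> bool:
    """What a wallet should check: the full 256-bit digests, not the icons."""
    return hmac.compare_digest(contract_fingerprint(source_a),
                               contract_fingerprint(source_b))


def first_icon_clash(sources):
    """Return the first pair of different sources that share an icon bucket."""
    seen = {}
    for src in sources:
        bucket = icon_bucket(contract_fingerprint(src))
        if bucket in seen and seen[bucket] != src:
            return seen[bucket], src
        seen.setdefault(bucket, src)
    return None


# Constructed sample input: 5,000 distinct one-line Clarity-style sources.
SAMPLE_SOURCES = [f"(define-constant n u{i})" for i in range(5000)]

if __name__ == "__main__":
    a, b = first_icon_clash(SAMPLE_SOURCES)
    print("same icon:", icon_bucket(contract_fingerprint(a)) ==
          icon_bucket(contract_fingerprint(b)))
    print("same code:", same_code(a, b))
    print(contract_fingerprint(a).hex(), contract_fingerprint(b).hex())
```

With only a few thousand unrelated sources, two of them already share an icon bucket while their digests differ, so an icon match is a hint for the eye and the digest comparison is the actual check.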

To be honest, I don’t have a handle on the technical side, I’m just going strictly on hypotheticals. Short of it being an attack vector, which even then may be just something to plan around, then I don’t see a downside.

I have no idea if there’s a possibility/feasibility of such an attack vector being worth even exploiting.

Users visually comparing these small icons for equality would be problematic, not easy.
They are more recognizable than QR codes obviously but still better recognized by software than by humans.
I wonder if in combo with the last 4 characters of the address string would that make it easier to identify at a glance? ie… ‘oh, it’s a red color blob and ends in “H335” looks good’

To stupid-proof things for users, perhaps a smart-contract Oracle would help… that apps can call to authenticate a smart-contract. But how would the Oracle be kept up to date and how would it know if a contract is real/safe or fake/malicious?

1 Like

This is really an excellent proposal. It will make contracts easily recognizable at a glance; I see a synergy with the Security Template Standardization proposal I’m working on. While the minidenticon serves as a visual identifier, the security registry system confirms it’s verified and audited.

This also addresses @PeaceLoveMusic’s concern about security risks, visual recognition helps users identify the right contract, and verification ensures it’s safe to use.

2 Likes

I wonder if taking advantage of Clarity 4’s feature of ability to hash the contract could help here (in @friedger and @Terese idea)?

Heard @codeonedotzero and Rapha talk about leveraging this feature in their thing on AI BTC Working Group X space, https://x.com/i/spaces/1LyGBXqAgljxN?s=20 at around 29:28, maybe this could help verification process without things being tampered with.

Maybe what Friedger already mentioned is the same feature?