POA
English
English
  • Welcome to POA
  • Features
    • Known Validators
    • POADAO Consensus
    • Bridged Native Token
    • On-Chain Randomness
  • Use Cases
    • Scalability for BlockChain Games
    • Community-Based Currencies
    • Subsidized Transactions
    • Decentralized Finance (DeFi)
  • DApp Spotlights
    • Ethernal.World
  • Roadmap
  • For users
    • POA Tokens
      • POA Merger & STAKE Swap
      • POA - STAKE FAQs
      • POA Token Supply
      • POA & POA20 Exchanges
      • POA & POA20 on Binance
      • FAQ: POA20 General Questions
    • POA Token Use Cases
      • Utility Token
      • Currency Token
      • Collateral Token
      • Bridged Token
      • Staking Token
      • Stable Token
    • POA to POA20 Bridge
    • Accept POA20 Payments
      • Account Registration & Login (Merchant Setup)
      • Setup Merchant Account
      • Merchant Payment Method Setup
      • Making a Payment with POA20 (Customer Perspective)
    • Tutorials
      • Trading POA20 on DEX.AG
      • POA20 Token Swaps on 1inch.exchange
      • Getting Airdrops via Discord
    • Governance
      • Article: A Successful Year of On-Chain Governance
      • Governance Reports
        • April 2020 Report
        • December 2019 Report
      • Ballot Type, Lifecycle & Limits
    • ❌Nifty Wallet (Discontinued)
      • Getting Started
      • Import and Interact with Smart Contracts
      • Connect to a Hardware Wallet (Ledger & Trezor)
      • Connect to D'CENT Biometric Wallet
      • Connect to Pocket Decentralized Network
    • 3rd Party Wallets
      • Trust Wallet
      • MetaMask
    • POA Mania
      • News - Updates
      • Rules
      • POA Mania FAQs
      • Deposit & Withdraw
      • Winner Selection
      • Round Details
      • POA Mania vs PoolTogether
      • POA Mania on Trust Wallet
      • POA Mania Security Audit
      • POA Mania on MetaMask Mobile
    • Whitepaper
      • POADAO v1
        • Introduction
        • Proof of Authority
        • POA Network Functionality
        • Decentralized apps (DApps)
          • Initial ceremony DApp
          • Proof of Physical Address (PoPA) DApp
          • Proof of Bank Account DApp
          • Proof of Social Network DApp
          • Proof of Phone Number DApp
          • Governance DApp
        • Summary & Acknowledgements
        • References
        • Appendix A: Code Samples
          • Ballots manager
          • Validators manager
          • Deployment scripts for the mining node
  • For developers
    • Developer Resources
    • Getting Tokens For Tests
      • ERC20 Test Token Faucet
      • Sokol Testnet Faucet
    • Full Node Setup
      • Install OpenEthereum Client
      • Install Nethermind Client
    • DApp Deployment
    • TheGraph Data Indexing
    • On-Chain Random Numbers
      • RNG explainer (AuRa + RandomAura Contract)
      • Accessing a Random Seed with a Smart Contract
      • Randomness FAQs
    • API & SQL Access
    • Smart Contract Dashboard
    • Grants for Building on POA
  • For validators
    • Getting Started
      • Validator Resources
      • Becoming a Validator
    • Bootnode Setup
      • AWS Bootnode Setup
        • Prerequisites
        • Configure AWS
        • Download and Configure Playbook
        • Deploy
      • Non-AWS Bootnode Setup & Deployment
        • Local/Remote Machine System Requirements
        • Node Preparation
        • Configure node with Deployment Playbook
    • Validator Node Setup
      • Nethermind Upgrade
      • AWS VM for Validator Node Deployment
        • MoC: Master of Ceremony Key Exchange & Generation
        • Current Validators Vote in New Validators
        • Validator Node Setup Prerequisites
        • Configuring AWS
        • Download and Configure Playbook
        • Deployment
        • Upgrade Instance to a Larger Instance Type
      • Non-AWS Validator Node Setup
        • Local & Remote Machine System Requirements
        • Remote Machine Setup
        • Configure Node using Deployment Playbook
      • NetStats Dashboard
    • Hard Forks
      • Parity Upgrade Guide
      • POA Core
        • 2021-11-02 | #24090200
        • 2021-05-24 | #21364900
        • 2020-03-31 | #14350721
        • 2019-12-19 | #12598600
        • 2019-04-29 | #8582254
        • 2018-01-29 | # 772000
        • 2018-10-22 | #5329160
        • POA Core spec.json hard-fork update
      • Sokol
        • 2021-05-24 | #21050600
        • 2020-02-20 | #13391641
        • 2019-12-05 | #12095200
        • 2019-02-06 | #7026400
        • 2019-01-04 | #6464300
        • 2018-09-19 | #4622420
        • 2018-01-18 | #509355
        • 2018-01-08 | #362296
        • Sokol spec.json hard-fork update
    • Validator DApps
      • Validators MetaData DApp
      • Adding or Removing a Validator
  • Media
    • Social Media
    • Media Kit
    • Contact Us
Powered by GitBook
On this page

Was this helpful?

  1. For users
  2. Whitepaper
  3. POADAO v1
  4. Decentralized apps (DApps)

Proof of Social Network DApp

PreviousProof of Bank Account DAppNextProof of Phone Number DApp

Last updated 5 years ago

Was this helpful?

User fills out a form in DApp providing the link to his/her social network profile and submits it to the server.

Server consists of a web app and a parity node connected to the blockchain. The node is run under the ethereum account that was used to deploy the PoSN contract (contract's owner). This account needs to be unlocked.

Server validates and normalizes the user's profile link: removes trailing spaces, converts protocol to HTTPS if applicable, domain name to lowercase, and removes extra URL parameters.

Then it generates a random confirmation code (alphanumeric sequence) and computes its SHA-3 (strictly speaking, keccak256) hash. Also, it generates a random session code (see below), that it stores in memory/database along with the user's eth address and plain text confirmation code. Then server combines input data, namely str2sign = (user's eth address + user's profile link + confirmation code's hash) into a string that is hashed and signed with owner's private key (this is why owner's account needs to be unlocked).

Signature, the confirmation code's hash, the user's normalized profile link, and the session code are sent back to the client. User then confirms the transaction in MetaMask and invokes the contract's method. The contract combines input data in the same order as the server did, hashes it, and then uses the built-in function ecrecover to validate that the signature belongs to the owner. If it doesn't, the contract rejects the transaction, otherwise it adds some metadata, most importantly the current block's number, and saves it in the blockchain.

When the transaction is mined, tx_id is returned to the client and then via the client to the server along with the session code. Server queries memory by the session code and validates the user's eth address. Then it fetches the transaction from the blockchain by tx_id. It verifies that tx.to is equal to owner and tx.from is equal to the user's eth address. Then, using tx.blockNumber the server uses the contract's method to find the profile link added at that blockNumber. User should be limited to registering at most one profile link per eth block.

Then the server uses the session code to get plain text confirmation code from memory and enclose it into a predefined meaningful text, e.g.:

My POA identity confirmation code is <confirmation code>

(As a side note, it'd be funny if the confirmation code was a random quote from a random book.) Then the server sends this confirmation phrase back to the client and removes the session code from memory to prevent reuse.

User must create a publicly available post where the confirmation phrase would appear alone, on a separate line (there may be other text in this post, on other lines).

Then the user returns to the DApp and submits the link to his/her post. Server needs to scrape this post, find a line starting with the predefined text and extract the confirmation code from it. Server then calculates SHA-3 of the confirmation code and signs it with the owner's private key. Hash of the confirmation code and signature is returned to the client.

User then confirms the transaction in MetaMask, which invokes the contract's method. Contract first of all uses ecrecover to verify that the signature belongs to the owner. If it doesn't, the contract rejects the transaction, otherwise it computes the confirmation code's hash and loops through the user's profile links to find a matching one. Server must also double-check that post is on the same network that is in the profile link in the contract's data.

Possible cheating

  1. user can generate his/her own confirmation code, compute all hashes, and submit it to the contract, and then confirm it This can't be done because the user doesn't know the owner's private key and therefore can't compute a valid signature.

  2. user can reuse someone else's confirmation code, or his/her own confirmation code from one of the previously confirmed profile links This is prevented by hashing all essential pieces of data together before signing (user's eth address, profile link, confirmation code) and by checking the profile link for duplicates in the contract.

  3. user can submit the form, but doesn't sign the transaction For this reason confirmation phrase is sent to the client after the profile link is added to the blockchain and tx_id presented to the server.

  4. since user knows confirmation code right from the start (cf. PoPA DApp), he/she can avoid posting the confirmation phrase and just call the contract's method directly Link to the post should be presented to the server, which scrapes it, extracts the confirmation code, and then signs it with the owner's private key.

  5. user can post the confirmation phrase on some other social network or website Server should double-check that the post is on the same network as the profile link from the contract's data. 6. user can resubmit the same tx_id to the server multiple times This is prevented by removing the session code from memory after the first postcard is sent.

Click on image to enlarge