Join through Verification

Joining through Verification

To verify using Github, your account must be at least 1 year old.

One of the ways to join the DAO is by verifying your identity. Currently, only Proof of Humanity (opens in a new tab) and GitHub (opens in a new tab) are supported but we are working on adding more platforms.

Verification guide

Connect your wallet

First, you need to connect your wallet to the DAO. This can be done using Metamask or a variety of other wallets. Don't have a wallet? Create one by following the steps here.

wallet connected

Pick a platform

Navigate to the verification page (opens in a new tab). You will be presented with a list of platforms that you can use to verify your identity on the left side of the page. Click the 'Verify' button of the platform you wish to use.

Pick one of the platforms

Approve signature

Once you clicked the button, your wallet will notify you of a signature request. If you accept this request, a specific message will be signed using your wallet, after which it is sent to our server. This is needed to prove that you own the wallet.

Sign in to the platform

After you have approved the signature request, you are redirected to the chosen platform. Here you will need to sign in to your account. If you are already signed in, you will be redirected back to the verification page immediately. Note that for Github, your account needs to be at least 1 year old.

Finish verification

If everything goes to plan, a new card will become visible on the right side of the page under the "Pending verifications" section. Clicking the "Finish" button on this card will prompt you to approve a transaction. Approving this transaction will call a smart contract function, which will finish your verification. After this transaction has been processed, you have been successfully verified on the chosen platform.

Finishing the verification process

Claim your reward

If this is the first time you have verified your identity with the chosen platform, you will be able to claim a reward. A new card will appear on the right side of the page, informing you how much you can claim. Clicking the "Claim reward" button will once again ask you to approve a transaction. When the transaction has been processed, you will receive your reward! The reward is given in the form of a token called SECOREP. This token is used to vote on proposals and will be explained in more detail in the SECOREP section.

Claim your reward

Reverification

Your verification status is not permanent. Your verifications will expire after a certain amount of time. The time until expiration is shown on the card of each platform. You can reset this time at any time by reverifying yourself. This can be done by clicking the "Reverify" button on the card of the platform you want to reverify with. The process for reverification is the same as the initial verification process, so you can follow the steps above.

Reverification

Unverification

It is also possible to unverify yourself for any of the available platforms. This can be done by clicking the "Remove" button on the card of the platform you want to unverify for. This will prompt you to approve a transaction. After the transaction has been processed, you will no longer be verified on the chosen platform.

Technical details

The process of verification consists of the following steps:

  1. First, the user must sign a message using their wallet that will be sent to our server, which was built using TypeScript and uses Express. This message will prove to our server that the user owns the wallet that signed the message. This step protects against spoofing of the wallet address, where a malicious user would attempt to verify an arbitrary address.

  2. After the signed message has been received and confirmed, the user will be redirected to the website of the chosen provider to sign in.

  3. Upon successful sign-in, the user will be redirected to our verification server, which receives a token that will be used to retrieve the user's data. This data generally includes things like account age and username.

  4. When the server has verified the validity of the account (e.g., checked that the Github account is more than one year old), a proof is assembled, signed using the private key that deployed the diamond, and sent back to the webapp, where it will be used to display a pending verification for the user.

  5. The pending verification can be finished by calling a function on the verification smart contract and passing the generated proof to it. The smart contract function will check the validity of this proof by ensuring that the message was signed by the correct wallet (i.e., the wallet that owns the verification smart contract) and records a stamp on the blockchain if it is valid. This stamp is what proves to the DAO that the user is verified.

A verification does not last forever. The duration for which a verification remains valid is defined and configurable in the smart contract. Once a verification has expired, the user will have to reverify themselves through the webapp. It is also possible for a user to remove a verification from their account.

The use of a two-fold process, where the user must initiate an action twice, is required to avoid expenses for the DAO due to gas fees. Calling the smart contract function in the last step of the process above requires a gas fee to be paid, just like any other blockchain transaction. If in the fourth step above, you would want to call the smart contract function without having the user explicitly initiate this, the DAO itself would have to pay the required gas fee. Instead, the proof is sent back to the frontend, where it can be used to call a smart contract when the user clicks a button, such that the user is prompted to pay the gas fee. An additional benefit of this approach is that verification requires the processing of funds (though, the gas fees are generally very low), which makes it harder for bots to be verified in large quantities.

Proof

The proof that is generated by the verification server consists of the following data:

  • The user's wallet address.
  • A hash derived from the combination of:
    • Unique user-specific data (e.g., the Github username).
    • A unique identifier of the provider (e.g., github).
    • An undisclosed secret.
  • The current UNIX timestamp.

Stamp

On-chain verifications are encapsulated using a construct known as a stamp. Every user can verify with multiple different providers, and will receive a stamp for each provider they verify with. Internally, the data structure for a stamp looks as follows:

struct Stamp {
    string providerId; // Unique identifier for the provider ("github", "proofofhumanity", etc.)
    string userHash; // Hash of unique user data from the provider (username, email, etc.)
    uint64[] verifiedAt; // Array of timestamps indicating the times at which the user verified with this provider
}