Let's Learn from the Odin.fun Hack - Preventing Attack Vectors

FYI: It seems that you are just building something Mora already does.

Why would Bob rug his own platform when he was making so many fees? Lol

Ask Austin @skilesare, he is the one mentioning it in the thread above, as an excuse to leave ICRC1 as is, or to justify its security issues.

No.

We run native on your PC or Mac or Linux.

We have a desktop app, and we publish online anonymously, unless you credit yourself.

I believe in the last few months the boundary nodes have been “decentralized” to the extent that the incoming messages may now be processed in a Secure Enclave. This is a great improvement but was not the case when we were defining icrc-1. And it still doesn’t work that way on the node machines themselves. A node provider could keep and/or publish a list of corresponding principals to addresses simply by looking at its traffic logs.

There is nothing insidious about this, it is just the way blockchains work. If you want to agree on the state of something, everyone needs to agree on the inputs and that includes the credentials of the person submitting the application. (zk can fix this but we don’t have zk trxs at the moment and certainly not in icrc-1 or ICP.)

One could write it, in fact, I hope someone does.

1 Like

This is such a fascinating post and I’m not sure addressing each point has value as it is so diametrically opposed to my own approach. It has given me a good bit to think about.

I’ve been banging my head against the first mover pain points of this platform for 4 years for a number of reasons, almost all of which you represent, overcoming the approach to the world that your stance embodies. As much as we say ‘we’re all about the tech’ we have to admit that this tech is just masochistic if you don’t also have some deep cypher/solar/lunar/regen punk ends.

Why in the world you would put yourself through similar pain to just build something that perpetuates an ethos that can be replicated on any big tech platform is beyond me. I’m glad you have your ICP and attention here, but I can’t help but hope your users see the absolute recklessness you are taking with their funds and insist you do things differently. I’m steadily losing faith that good sense will prevail as I sit here watching the same story play out with users putting assets and funds on yet another unaudited, closed-source application.

Onward with education, building, and organizing…

3 Likes

I addressed your points using the same tone you used yourself, which was quite aggressive and elitist. Not everyone has millions in funding, in fact most teams that build on the IC are small.

I am however grateful for the technical areas you discussed that deal with security architecture.

Please re-read my very first post in this thread, my objective was not to criticize security failures, or demand audits, instead I want us all to learn from Odin.fun’s now obvious mistakes, so that we all learn, and prevent hacks like this in the future.

Joseph Hurtado
Founder Satoshi Notes

1 Like

I appreciate your engagement and like I said, the comments are very thought provoking for me. It is always good to go back and double check your assumptions and try to see the world through others’ eyes.

Any aggression comes from frustration. I’ve seen countless devs crash and burn as small teams on this platform. Over and over. Hell…I’ve seen massively funded teams do the same by overextending. I guess I’ve built a list of table stakes to try to make a go and one of those is stay in Alpha and disclose until you can open source and afford an audit. I’m not deluded to think that I’ll convince everyone of that, but I’ll keep giving the advice. You shouldn’t have anon people putting money they can’t lose on your platform until you’ve had someone with some competence outside of your team look at your code. Human familiarity bias alone should scream this at people. We stop seeing the flaws in our own code as we approach ‘shipping’.

…and I think the right answer is somewhere along the lines of enabling affordable audits rather than just not doing them…trying to work and think through that as well.

1 Like

One good idea I hope DFINITY adopts: establish a fund just for security audits, and let people apply to it.

The code inside our app is very by the book:

  • We use Internet Identity, we do not do the trickery that Bob did pretending the IC did not exist. I disagree with his lack of support of IC login.
  • We do not hide ckBTC, it is right there in the app, and we use it by the book, using IC’s APIs.
  • Our software Satoshi Notes will be free, but not open source. It will allow people to run it on their desktop, Windows, Mac or Linux, 100% free. They only pay if they want to publish online, and they pay little; we use those funds to pay cycles and give them a canister for their content.

Anyway, looking forward to sharing with the IC community this labor of love that has taken us over a year of hard work.

Cheers,

Joseph Hurtado
Founder Satoshi Notes

1 Like

Thanks for exposing this security flaw, this is indeed the root of the problem!

And honestly the fact that Odin.fun hid the IC completely is part of this whole can of worms, and also yes, it improved their UX.

Can you confirm that the snippet you shared was the fix the Odin.fun team applied? Or is that actually the bug behind the security hack?

Instead of learning from it, can’t we all just get drunk and laugh how these scammers got rekt?

2 Likes

I believe one of the root causes of this issue—often overlooked by many—is the lack of strong guidance for IC development. There should be clear, community-recognized best practices and secure foundational infrastructure, such as Stable Structures, Internet Identity, etc.

I’m thinking of starting a new post to share some of my development experience on the IC over the past few years, including the libraries I’ve used most often, how to use them correctly, and what their limitations are.

Of course, this effort will likely need more than just me, but I’m willing to take the first step. I believe this would be beneficial for the long-term growth of the IC ecosystem. New developers could more easily get started with secure IC development by learning from the resources we compile.

Additionally, I think it would be valuable to have community-led audits or code walkthroughs of some of the core public libraries. This would help the community better understand how the infrastructure works and avoid potential development pitfalls ahead of time.

What do you think?

5 Likes

Excellent idea! May I suggest using a wiki, or Medium so we can comment, or contribute.

1 Like

I’m thinking of using both the forum and GitHub to create a public, open-contribution repository, with a link to the forum included—this way, code and discussion can be connected.

In fact, whether it’s from DFINITY or third-party developers, most tools currently lack good documentation or guidance to help developers use them effectively. I think it’s time we take this on ourselves.

I plan to start working on this within the next week, and I hope more developers will gradually join us in this effort.

4 Likes

GitHub works too for sure.

We do accept PRs for internetcomputer.org in this repo, but I believe it is a good idea if we get more community-driven things going.

4 Likes

I’ve noticed that too, but that documentation is more focused on how to write a secure canister, rather than how to actually use things like StableStructure or community-provided libraries like SIWB in detail.

What I want to do is curate a high-quality collection of commonly used developer libraries—something like an “awesome-internet-computer” list, but carefully selected by myself or other tech enthusiasts in the community to include only more reliable repos.

If it matures, I might even submit a PR to include it in the official Internet Computer documentation. I’m still thinking through the best way to approach this.

@Severin @paulk

5 Likes

yes please, I like this! :folded_hands:

I really like this idea and thought a lot about this in the past. I think it will be healthy if the community drives such initiatives.

IMO we currently also lack very clear and goal-driven examples / tutorials. I think we have many answers spread across different channels, but it is hard to navigate for newcomers. I am happy though that the Kapa AI integration already helps a lot in that regard.

Personally I am also happy to contribute and provide feedback / assistance whenever needed.

I also want to tag @tiago89 here in case the Hubs want to get involved in this, too.

Another topic to think about is future maintenance of community developed libraries and tooling, e.g. a lot of people are interested in ic-py which is currently unmaintained and includes security issues.

3 Likes