Currently, icp lock only supports the ii login method to lock the position. Can it support the login lock method of wallets such as plug/stonicwallet?Personally, I prefer to log in with a wallet.
Good question. I do not know if NNS frontend dapp can only use II by design or if it can use other ICP wallets. I’ll ping some folks internally.
2 Likes
I think @jorgenbuilder might have had some insight into how some wallets use the root delegate instead of being scoped to a canister, meaning that any malicious website where you use them to authenticate could sign any request on your behalf.
If that’s the case, and the NNS supported those type of wallets, I think someone could theoretically create a site that says “Sign in with X for a free NFT” (or similar) and then take malicious actions on the user’s behalf within the NNS.
Apologies if I got this wrong or I’m misremembering anything.
Sounds like OP wants to lock ICP in a neuron on the NNS frontend using a plug/stoic type wallet.
tldr could happen but imo as a user you would want significant upgrades to the security of those wallets first
Technically speaking, I imagine all you need to achieve that is a signing principal, which those wallets provide.
II and NFID both scope delegates to a domain by providing a unique principal per domain. “Wallets” use a single principal for everything, which indeed would allow bad actor to use a connection from your wallet to their own app to muck with your NNS.
Plug attempts to mitigate this by sandboxing the delegate within a chrome extension and restricting message signatures behind an explicit user action. I don’t think it’s bulletproof in its current implementation, and would maybe require some integration work within Plug.
Stoic has no such mechanism. Be careful where you connect!
Fwiw if the assumption of no special sauce between II and NNS holds, then there’s nothing stopping someone from building an NNS frontend that supports other wallets. The major caveat would be that pre-existing neurons would be untouchable, because they are all scoped to a domain specific II principal.
1 Like
Is it possible to implement?