Thanks for the interesting ideas.
Let me maybe first provide a bit more context. You might already know this, but it might also be helpful for other readers.
So the ledger canister specifies and account that is the “minting account”. Whoever controls this account can mint new tokens. If tokens are burned, they are also sent to this account.
In the NNS, this account is the NNS governance canister’s account. This allows the governance canister to mint new tokens when rewards are paid.
I think this would still be an elegant solution for paying e.g., voting rewards in the SNS.
One can also imagine just adding a method on the governance canister that generalises this existing concept: a proposal that calls this method could then mint any tokens (from the governance canister) and send them to any other account (canister or other).
Now in terms of how users can be paid for something that they have done in the dapp:
-
Your first suggestion would probably imply that the dapp canister would control the minting account. I am not sure this is advisable. First, for the reason that you already stated, as the dapp might get hacked. This is even more concerning if the dapp is on a (currently) less secure subnet. Moreover, it would then be unclear how voting rewards can be paid. Also, I can imagine many use cases where a dapp consists of multiple canisters over time that can easily be added and removed from the SNS by just setting their controllers to the SNS or removing it. Having then one dapp canister with this power to mint might be undesirable.
-
Here you seem to suggest that the ledger canister itself controls the minting account. I think this is not how the current ledger design intended things to work. In general, we should probably be very cautious of adding more logic to the ledger, as it is now more or less just a database of accounts and transactions. For security (and probably also for integration), it is probably a good idea to keep the ledger canister as simple as possible. But the team working on the ledger could probably provide even more input here.
As a variant of 2., we could let the SNS governance mint tokens regularly and send them to the dapp canister’s account. This would be similar to how voting rewards are now distributed in the NNS, except that the rewards would not be distributed to the voters but rather just to the dapp.
I think apart from your concern that I share, another tricky thing here is how we can make this generic so that all SNSs can use the same canister code. Also, there might be multiple dapp canisters, so in some cases this might be more complex than just regularly minting tokens to one canister.
I thus think all of these options require some more thought regarding how we can make things generic (so that all/most SNSs can share the canister code) but flexible (so that SNSs have the choice).
From the top of my head, it seems that having a manual proposal every now and then where some funds are just allocated to the right canister (e.g., one of the dapp canisters) and then have the logic how these rewards are algorithmically allocated to users based on their behaviors in the dapp canisters, might be a combination that can cover many use cases…