Token Security Considerations

Hi everyone, I’m working on an NFT project and found some issues that need to be discussed regarding the current identity model and its drawbacks.

I’m currently working on claiming and later purchasing NFTs and found the following problems with the current security model of identities generated by

Problem 1: creates a separate principal for each URL that requests the identity. (I understand that it is also a feature, which gives good separation of data and security between sites.)

User 10000 logs in to site, returns principal aaaaaa-aab.
User 10000 logs in to site, returns principal aaaaaa-aac.

This gives a great separation of identities between different sites. However, with current capabilities, it is not possible for different sites to work together and send data regarding a given user.

I’ve created a simple app that can show the current principal’s ICP amount; however, it will never show the ICP amount reported by as it gets a different principal. So it is not possible for any other site to use tokens, data or anything else stored in the principal on one site.

Of course, we can instruct the user to transfer funds from the NNS or any other wallet, but it adds friction and may cause people to lose their tokens (it makes dapps and DeFi known from other networks more complicated and alien for users coming from those networks).

Additionally, if we keep tokens in the principal assigned to a given URL and the URL changes or the canister is not working for any reason, we lose access to that principal (and all data and tokens associated with it).

Solution 1:
Add the possibility to choose a principal when logging in through It will give the user the possibility to choose which principal they are willing to use.

Solution 2:
Make the flow similar to the OAuth2 authorization code grant. Site A can request the "principal" with specified roles and privileges from site B. Then on the user can view what data is requested and accept or deny the transfer of credentials.

I also think that the possibility to export a PEM file for a given principal for a given site is needed. Currently, there is no possibility to use principals generated by with tools like dfx or quill.

Problem 2:
Once the user is logged in, the agent gets the ability to call all actions (unless there is an additional security layer).

This problem is directly related to DeFi and the current standard of securing dapps. It is possible to inject JS into web pages served from containers (of course not all sites will be prone to such attacks). So once the user is logged in and the principal is assigned, the malicious code can make any call (steal funds, scramble data, and any other call it can make on containers).

Solution 1:
Add a third type of function (apart from query and regular functions): secure. This type of function requires additional explicit acceptance by the user (similar to signing transactions in MetaMask or similar wallets).

Solution 2:
Establish a standard for additional checking of user credentials using external tools like MetaMask (the Wall is a good example of such an approach).

What do you think is the best solution to these problems? While I cannot do anything about problem 1, I’m working on implementing a solution with MetaMask to improve the security of the NFT exchange (similar to the Wall).
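As an added illustration of Solution 1 to Problem 2 (example code written for this thread, not code from the original post or from the platform), here is a simplified Python model of a "secure" method: a regular call is accepted on the strength of the session delegation alone, but the transfer also needs an approval signed over the exact action with a key the front-end never holds, so an injected script that only has the session key is refused. The WalletCanister class, the key names and the HMAC stand-in for a real signature are assumptions of this example.

```python
import hashlib, hmac, json

def sign(key: bytes, msg: bytes) -> bytes:
    # Stand-in for a real signature (HMAC keeps the demo stdlib-only). In reality the root key
    # never leaves the user's authenticator, so a script holding only the session key cannot do this.
    return hmac.new(key, msg, hashlib.sha256).digest()

def approval_message(principal: str, method: str, args: dict, nonce: str) -> bytes:
    # Canonical encoding of exactly what the user is asked to approve.
    return json.dumps({"p": principal, "m": method, "a": args, "n": nonce}, sort_keys=True).encode()

class WalletCanister:
    """Mock canister: a regular method needs only the session; a 'secure' one also needs approval."""
    def __init__(self, delegations: dict, root_keys: dict, balances: dict):
        self.delegations = delegations  # session key -> principal (what the login delegation proves)
        self.root_keys = root_keys      # principal -> key used to verify user approvals
        self.balances = dict(balances)
        self.seen_nonces = set()        # replay protection for approvals
    def _caller(self, session_key: bytes) -> str:
        if session_key not in self.delegations:
            raise PermissionError("no valid delegation for this session key")
        return self.delegations[session_key]
    def balance(self, session_key: bytes) -> int:  # regular/query method: session key is enough
        return self.balances.get(self._caller(session_key), 0)
    def transfer(self, session_key: bytes, to: str, amount: int, nonce: str, approval: bytes) -> int:
        caller = self._caller(session_key)  # secure method: also needs the user's explicit approval
        msg = approval_message(caller, "transfer", {"to": to, "amount": amount}, nonce)
        expected = sign(self.root_keys[caller], msg)
        if nonce in self.seen_nonces or not hmac.compare_digest(expected, approval):
            raise PermissionError("transfer was not explicitly approved by the user")
        self.seen_nonces.add(nonce)
        self.balances[caller] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return self.balances[caller]

def demo() -> dict:
    # Constructed sample: principal "alice", the session key her dapp front-end holds, and the
    # root key that only her authenticator would use to sign an approval she has accepted.
    session, root = b"session-key-in-browser", b"root-key-in-authenticator"
    w = WalletCanister({session: "alice"}, {"alice": root}, {"alice": 100})
    approval = sign(root, approval_message("alice", "transfer", {"to": "bob", "amount": 30}, "n1"))
    results = {"approved": w.transfer(session, "bob", 30, "n1", approval), "query": w.balance(session)}
    for name, args in [("no_approval", ("mallory", 30, "n2", b"")), ("replay", ("bob", 30, "n1", approval))]:
        try:
            w.transfer(session, *args)
            results[name] = "allowed"
        except PermissionError:
            results[name] = "blocked"
    return results
```

The nonce check makes a captured approval single-use, so even a script that sees a legitimate approval cannot reuse it for a second transfer.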


II is just one way to access a principal on the IC. I do agree some kind of shared mechanism where authorization could be requested and granted would be a good idea.

The alternative is to use a 3rd party tool that provides cross-domain access, like what Fleek are doing with Plugged. We are looking at something similar with Stoic too. I don’t think it’s too much of a problem though.

Re: 2 - yep, this is an issue, but it would be solved by a 3rd party tool.

II is not the best for some things that you may want to do, but it is a very solid key management mechanism. As the ecosystem grows I believe both of these points will be resolved.

Linking my issue here, because it is basically question #1 in OP’s post.
