We need source code verification for canisters

We know we can check the WASM hash of a canister and developer can expose WASM code from their source code on github. There is also a complicated steps to verify code integrity of a canister Creating reproducible canister builds | Internet Computer

However, I think we are missing a fundamental component to tell end users that

  1. whether the frontend canister you are interacting is open sourced. If yes, where is the source code
  2. when the frontend canister makes network calls to other backend canisters, tell users which of them are open sourced and which are not. If open sourced, where is the source code of the downstream backend canister
  3. a place to search for canisters and check the transaction (API calls) request and response history. This may be impossible to implement natively but there should be a SDK for developer to use to expose logs

I think this is crucial for a public blockchain. If it’s hard / near impossible for normal users to verify the code integrity, or at least being assured the code is open sourced given that most users cannot read code, then we can’t say it’s a public decentralized computing platform. And that is a major reason why people don’t believe in ICP per some of my friends opinion.

Also, this provides near feature parity with mainstream blockchains which people are familiar with. This disparity confuses/scars/blocks people to use IC. If most of apps on IC are not open sourced, it is no different from web2. Why people would use IC instead of normal web2 app on AWS?

You can argue that it is the responsibility of developers to open source their dapp and provide a user friendly way to prove the canister is indeed running with that source code. However, without a standard mechanism for both devs and users to easily check that, it would be hard to make that a norm hence hardly make IC a public blockchain

To my understanding, this is possible to be built. Dfinity, do you agree this is important and is there a roadmap for this?

6 Likes

Another possible argument is that all of the dapps out there build their website using AWS and 1% of the component is hosted on Ethereum and you don’t even know whether the frontend/backend is calling the right smart contract with the right request and show users back with the untampered response. They are no better, right?

Well, users can at least check the transaction detail real time on etherscan (or polygonsan etc) and this provides integrity in some level. Whereas on IC, the problem is you don’t know what is running. Telling users canister is unstoppable, untampered and deterministic makes no difference.

1 Like

How can we really verify that a canister with certain ID has a certain hash?
Is there some kind of API that can return a hash of ANY canister?

dfx canister info produces the currently installed hash

2 Likes

So something like

  1. Registry mapping canisterID → [Hash, source_code, human explanation of risks, signatures of auditors/reviewer]

  2. Browser plug-in that:

  • Identifies when it is visiting an IC hosted site.
  • Identifies ID’s and hashes of associated canisters.
  • Looks up ID’s and compares hashes to source code registry.
  • (optionally) looks up additional information: e.g. which variables are certified and audit report signed using verified credentials from auditors.
  • Presents the results to users as traffic light in address bar or something.
4 Likes

@CoolPineapple @let4be please vote on this https://dx.internetcomputer.org/topic/205

for anybody interested in that topic, it came across my eyes recently again on X:

to me this seems like a very important and crucial service that should definitely be tackled by somebody.

edit:

2 Likes

Why tackled by somebody? Why not by the foundation?

The dashboard at internetcomputer.org is a blackbox. Nobody can trust its data as as it was not open sourced even after 3 years the blockchain was deployed in production. The reason? Nobody knows.

The canisters are also blackboxes. The update transactions between canisters or between users and canisters are not public and not recorded - yeah they could be logged by the applications like done by a canisters that implements some ICRC standard, but even so that could be faked as they would not be the real messages exchanged between the canisters or users when doing update calls. That makes it impossible to replicate a canister state, as we can’t replay the update calls. If someone is in doubt if a malicious majority took over a subnet, well, too bad, they will never know.

Also the node operators don’t have anything to lose. They don’t have to stake a dime to be part of the network. Yeah they could be sued as they are doxed, but it would be too late if IC becomes really huge with millions (billions?) at stake in a single DeFi app running on a rogue subnet. If nodes could collude with a half dozen of peers, that also have nothing to lose, and run with tens, hundreds of million of crypto, running on a chain that makes it really hard to prove on court that they did something wrong (again the blackbox problem), their gain would be too high to not consider.

Even the candid metadata could be faked. One could pretend his closed-source canister has some interface facade, while hiding, say, mint(), withdraw(), transfer(), destroy() and other methods from the public. The dashboard would only show the interface the attacker wants to show and he could lure the users saying his canister is totally secure.

Look, I love IC in many aspects, but we will never have a chain fusion with other really open blockchain like Bitcoin and Ethereum without fixing those issues. They will never trust the chain without that.