You just subscribed to a signature bounty and you are about to get some good stake, but guess what? There's another one that filled the form with your data but his erc-20 address.
Or maybe you just wrote a good article on medium, jus to find it copied by another one on the Spreadsheet, again on his wallet address.
Also, if you ever have been a bounty manager, you struggled on double-triple-thousand checking spreadsheet and answering the complaining of legit (or who knows! maybe scammer) user.
The reason is simple.
Bounties have no Authentication. While good platforms like BountyHive comes out with already built-in strong authentication methods, great teams, such as AmaZix, keep using the good old way.
So, here's my (simple and probably not fully secure, but at least is a try) solution: A BitcoinTalk Authenticator Telegram Bot
Here's how it will work
Front office side (for the Bounty Hunter):
- Users will start the bot on their phones, and communicate their BitcoinTalk username and profile url
- It will be requested to solve a simple challenge: putting a nonce (generated by the bot on the spot) in the field "additional data" of the bitcointalk user profile (which is a public field)
- The bot will check that public field (which is reachable through an API), matching it also with the username
- Now the couple bitcointalk username - telegram username is authenticated and paired
- The bot will now request the user to put an ERC-20 address. This address will complete the triple.
- The job is now complete, the bot will now, for convenience and additional level of authentication, compute a digest over the data (bitcointalk username, telegram username, address, nonce), and return it to the user. This digest could also be enhanced with device fingerprint in order to pair also the device used for the authentication
Back office side (for the Bounty Manager):
On the other end of the bot, the Bounty Manager (and only him) will receive a spreadsheet report with all the triples (which are proven authentic)
- Fake bountiers will be identified on the spot: a different triple (bitcointalk username, telegram username, wallet address) will not be accepted
- Placing the BitcoinTalk or telegram username (or even the digest) on an article, will authenticate it (In relation with the data provided in the google form. It will be still possible to copy-paste it, but that is a solution-less problem sadly, and even in this case, the first one on a time basis will be accepted)
I am even trying to figure out a way to self authenticate the users placing the digest as the new additional for convenience, but i still have to validate it.
That said, I am a Java/Scala developer, so I will need a bit of help to develop the bot (even if it seems quite simple). The bot will be of course free and open source, I already got paid more than enough with the bounties themselves.
As any security-related solution, i need feedback, and corrections. What do you think? Can you see any major vulnerability?
Thanks
