Trustlane.me - Token Trust Form Generator for Issuers

KINKCreative · Jan 11, 2018

So, being aware of the perspective "don't give your private key to anyone", but we still do it e.g. on the Horizon service --- here's what I have been working on:

A public, frontend only trust builder app, providing a means to any token provider to specify / build the specs via a form, and it generates a unique URL (logo / faq link / currency code, amount etc)
A user would click that link, paste their private key and the app would use the stellar SDK to sign the transaction and send it out; the app could check the balance first to ensure in fact sufficient funds are there on the account, prior to submitting
Trust would be implicit as follows:
- Private key only used to sign the transaction
- Code of the app published on GitHub and open to scrutiny by the community, link to the specific JS file that demonstrates how the private key gets used
- Adding "used by" / verified logos by trusted applications

Is this inherently stupid? I'm coming from the place where there's a lot of tokens being issued now but the trust seems to be quite a bit of a bottle neck. In some places, it is being suggested that it's better to own user accounts (e.g. for gaming) but where you're dealing with 100.000 users potentially, it may be hard for a company to foot that investment.

Would it make sense to ask for a donation, if wanted, or charge a provider at the time of generating the unique URL a small fee?

Thanks for the input! I'll be publishing screenshots in the next day or two.

KINKCreative · Jan 12, 2018

Here's the first screenshots of a semi-working prototype:

I. Token Issuers populate their custom Token Trust Form
https://www.dropbox.com/s/h6uuhc1c1qzpcxz/Screenshot%202018-01-12%2001.55.19.png?dl=0

II. End Users click the custom URL and receive a sexy looking token trust page:
https://www.dropbox.com/s/9p5agk8m3qb4wcd/Screenshot%202018-01-12%2001.54.58.png?dl=0

The Stellar-JS-SDK is used to sign the transaction and it gets posted.

A few questions:
- Which fields would token issues like to populate for the squeeze page? I'm currently doing a logo, title of the page, token code, trust amount, issuing account, name of the issuer, their URL...
- How can we reduce attrition? Approved badges / Security badges / Used by... type of deal? Hash of the app code for people to be able to test it on their own, link to GitHub?

Thanks!

bkolobara · Jan 12, 2018

KINKCreative I think that it's going to be hard to convince people to enter their private key on your website if your website is not stellar.org. There is also the problem that many wallets don't even give you access to the private key (Ledger, Lobstr, Saza, ...) and from others it's a bit hard to extract (Stargazer requires you to scan a QR code). If you want some kind of network effect and growth you will need to address each of the different platforms.

The problem you are solving, easy way for Stellar users to trust your token, is worth solving. It's just so hard with so many different wallets and standards. Maybe it should be an open protocol that everyone can implement. But for it to get any adoption you will need to closely work with wallet developers and convince them to implement it.

KINKCreative · Jan 12, 2018

bkolobara Yeah, trust will always be the case. I'm thinking the wallets don't have this problem anyway since they ARE signers and (at least technically) owners of your in-wallet account . Whether they will implement "adding" custom/random coins is a different question.

In any case, I'm going to open source it, provide links to all the code, can be peer reviewed --- it's built on React, UIKit and is behaving really nicely, and will work for guys such as e.g. Sudokoin, that have mini pilot apps and their own token with great potential where it's just really a pain in the ass and they lose a lot of prospective users because of this bottleneck.

Been really inspired a) to work on Stellar, b) to learn some more React, so all in all so far I've been having a blast. Thanks for the input!

Ssheba · Jan 19, 2018

not sure if i understand what ur trying to do but if they dont trust the app with their secret key cant u just have a button thats generates a temporary keypair for them?

KINKCreative · Jan 24, 2018

sheba well this would be to establish trust with an existing account (a wallet, say) and an issuer, in order to e.g. receive 3rd party tokens and make establishing trust for custom tokens easy for issuers.

If I issue a keypair, that won't be able to sign the trust transaction on a user's existing account, right? You do bring up a point and I could say, just setup an "account you're okay with the risk" if you don't trust the app with your wallet, so you can receive the third party tokens (e.g. game tokens, rewards etc).

KINKCreative · Jan 30, 2018

KINKCreative @sheba I just realized, I think that's really useful. Say they want to receive a custom token but don't want to share their wallet. They just create a new account but they'd need to fund it with the minimum... which I suppose is okay.

Ssheba · Feb 2, 2018

ok i understand u are setting up a trust line. well, then it would need to be active and ur right funded with min. that is only 1 xlm but not sure how u can get it to deposit from there.

sacarlson · Feb 4, 2018

my method in my_wallet https://github.com/sacarlson/sacarlson.github.io/tree/master/my_wallet is to send a pre-funded account link that when is received for the first time on the user side moves the received account assets to a newly generated random created account on the user side. The originator no longer has access to the funds after the new user rekeys the account ( they no longer hold a sign key for the new account). this is all done in the background the user never see's or needs to understand what goes on. The flaw in the system is that the end point user may loose the key it now holds as they don't understand how to protect or recover it. So it's optional to disable the re-key option and allow the sender to recover the lost key for the user. The user at that point can optionaly re-key the account manually if funds needed (about 3.1 XLM) are also provide or are available. You can try run the web app from https://sacarlson.github.io/my_wallet/ to give it a try. note it defaults into testnet mode so you can play safe.

KINKCreative · Feb 7, 2018

@sacarlson I had to read a few more times to be clear exactly what happens - I'm unclear what "send a pre-funded account link" means. So In the above you never need a user's existing private key but you will generate one for them? Isn't that the same, in a way, if we're being precise about them not doing this with the wallets that hold their life savings?

I see this as a temporary solution for this round, for all these new tokens which people are giving out free, and it's for someone to quickly get started even if they have to create and fund a new account somewhere (for now). I think to generate a new keypair would be really nice and friendly and I'll do that by launch, now that we can check balances to ensure 0 balance new accounts won't work...

I've cleaned up the landing page, added the check for existence of the signer's account and verification of sufficient funds to sign. I think it's coming together nicely and in fact just today I signed trust for a new token that I was going to receive in the community...

http://trustlane.me

Sample signing form:
http://trustlane.me/eyJ0ZXN0bmV0Ijp0cnVlLCJ0b2tlblR5cGUiOiJBTFBIQTQiLCJjb3BpZWQiOmZhbHNlLCJ0aXRsZSI6Ik1pa2UncyBNYWdpY2FsIE1hc3RlciBNYW5hIE1hcmtzIiwibWVzc2FnZSI6IlRoZSBjdXJyZW5jeSBvZiB0aGUgRml2ZSBNb3VudGFpbnM7IHBvd2VyIGFsbCB5b3VyIG1hZ2ljYWwgc3BlbGxzLiIsImNvbXBhbnkiOiJNaWtlJ3MgTWFnaWNhbCBNYW5hIiwiYWNjb3VudCI6IkdDUldJSFNTS08zT1dFMkNIVFdaNUhTUkVENkxPN0RGVEpKNktOVkRSVzJGMkUzSEtIQUhNNUtDIiwidG9rZW5Db2RlIjoiNU0ifQ==

Need to setup https (it's hosted on github) and show if there's an error with the signing or, say, show a link for a person to confirm the new trust has been esatblished (e.g. direct link to account on horizon API)

Anyone have any suggestions?

Ccryptobrant · Feb 17, 2018

Was looking for something similar. Love it thank you.