frames

question on frame security/trust:

the frame dev can validate a message to be sure of which fc account interacted w their frame

but the frame end user can't be sure that the frame is doing what they expect right? they have to trust the frame dev?

unless the frame issues some kind of attestation i suppose

@operator & /operator | BCI, bioinformatics, search, chaos, decentralized AI

Enabling TypeScript, JavaScript, Python and more for the Internet Computer (ICP) (built originally by DFINITY).

do you have a link to the docs or library i can take a look at? this sounds sick

ICP offers a compelling solution here. You can build frames in Express for example, and all POST requests go through BFT consensus. The Wasm binary of the server can be checked against the source code, and you can see which accounts own the server

ok yea that was my conclusion as well. are there tools where you can prove the current deployed version of the code?

If the frame is hosted on a centralized platform, there is no way to make any assumptions. You just cannot witness and verify what is happening.

The dev could change the deployments or AWS decides they want to screw with you.

Maybe some form of client side "hosted" frame?

Yep, no way to know what the button click is doing for now

we'll need a registry of verified frames down the road

Frame devs can't really do anything malicious