#349 Integrate Statemine interaction into UI of KodaDot
Short description
Statemine as the “home base” of assets in the Kusama network has so far untapped potential for users to create initial liquidity to support their project through the asset pallet and also to tokenize unique (non-fungible) assets.
This project aims to extend the current, universal NFT explorer and marketplace interface (KodaDot) to support non-fungible tokens on Statemine. With the final result of this proposal, users will be able to mint, transfer, and burn NFTs on the Statemine network.
Problem statement
There is currently no workflow for creating non-fungible assets on Statemine other than using extrinsics, which are intended for developers and are not end-user friendly. As a result, creating NFTs is a complex task for end-users.
Deliverables
On top of this, we will provide a user-friendly interface to teleport KSM between Kusama and Statemine, plus future connected parachains as well if they have close to similar functionality. The result will be that users aren’t forced to switch between apps and chains and reload their window context completely.
First of all, our aim with every grant to date has been to have an open-source UI with a permissive MIT license and to support developers in forking and contributing to the repository; to date we have 60+ forks.
Our primary deliverable will be an extension of KodaDot: an NFT explorer to work with the Statemine’s unique pallet.
The main goal of this proposal is to provide a simple, friendly NFT UI to end-users to open the floodgates to mainstream adoption of non-fungible tokens for Statemine.
Milestone 1: Non-fungible tokens
The first milestone is focused on the three main sections:
- Teleport $KSM between Kusama Relay Chain and Statemine
- Implement a user interface to create, burn, transfer NFTs (and many more)
- Design and set up the SubQuery indexing service, which could be reused by other projects
Deliverables
- Make a page dedicated to creating a unique (NFT) with a simple workflow
- Ability to create a Class (collection)
- Show class detail with metadata
- Show minted NFTs in explorer mode
- Ability to set and remove approval for instances
- Display metadata for particular NFT (instance)
- Transfer (send) ownership for class and instance
- Set metadata for class and instance
- Set attributes for class and instance
- Burn an instance
- Clear metadata and attributes.
- Implement a page to teleport KSM between Kusama and Statemine
- Extend vue-polkadot/api to handle multiple (parallel) connections.
- Provide a check of whether a user has enough balance on Statemine / Kusama to be able to mint and transfer a collection.
- Implement a GraphQL schema for Classes and instances
- Extend the embeddable component that will work with the Statemine implementation (note: embeddable component ->
- Write an introductory article on our development experience with the unique pallet implementation
- Write an introductory article presenting the use of KodaDot on Statemine
Amount required -- 27_000 €
Budget breakdown Milestone 1 - non-fungible interface for Statemine in KodaDot
- Teleport interface for $KSM - 4k€
- Implement interface & flow
- Easier NFT creation - 9k€
- Showcase & Displaying NFT assets - 6k€
- Design query and deploy SubQuery project - 8k€
Team
The team behind @KodaDot
- Matej Nemcek (@yangwao) - Co-Founder of KodaDot, VueJS background, more info hypersignal.xyz
- Viktor Valastin (@vikiival) - Co-Founder of KodaDot, Publication about carsharing dApp on ETH using ERC721 token composition.
Before they tackle this, they should first figure out how to not expose API keys in their client-side JavaScript that I and numerous others have warned them about for months. I am only writing about this publicly at this point because they informed me they are accepting whatever risk is incurred from this architecture.
This is probably not the team you want to deal with. They mocked me and diminished the risks of this and other vulnerabilities during the responsible disclosure process.
Hey Taylor, make sure that you have the correct information before posting something publicly. The last message I got from you has the date 05.07.2021 and a lot of things have changed since then. Therefore it leads me to the conclusion that you have not checked the repo or read discord for a very long time.
In case there is something unclear please use DMs instead.
Nothing has changed, I checked before I made this post. Your slate API keys are still in use and exposed. I also confirmed that the three github security issues that were originally created are still active and haven't been updated since I walked away from trying to help y'all: https://github.com/kodadot/nft-gallery/labels/security
Here was the response I received from the KodaDot staff after trying to help them with these issues: https://i.imgur.com/uJxxlX5.png
Hey, as a small team of two, which is still slowly scaling, I would like to draw attention to the fact that since the last inquiry from 0xtaylor, in early July, we've taken radical steps to found a security program once time allows and opened a discussion for the audience to participate and take the lead, as we are out of capacity on this.
Since the incident, he reported code that was residue and not used actively and not impacting the application flow.
"Your slate API keys are still in use and exposed."
That's a residue environment variable and not used anymore. Also thanks for your notice, just removed it from builds from our CI/CD pipeline.
We even improved our security report to A rank.
Afterwards, we've introduced Security Policy - https://github.com/kodadot/nft-gallery/security/policy
Feel free, you are invited to participate in KodaDot development as a security researcher: https://github.com/kodadot/nft-gallery/issues/537
Feel free to find labelled issues and comment there https://github.com/kodadot/nft-gallery/labels/security
"haven't been updated since I walked away from trying to help y'all:"
I mean, do you want to take lead and help us fix those issues? Will be more than welcome if you can help us tackle it with your knowledge.
Better trying to be constructive than destructive.
What I found was NOT residue, it was in use at the time and was still in use at the end of July when I had last checked. I even created PoCs to show you the risk.
"I mean, do you want to take lead and help us fix those issues? Will be more than welcome if you can help us tackle it with your knowledge."
That was literally what I tried to do. I responsibly disclosed those issues to you and provided specific remediation recommendations to address them. Glad that my comments here at least got you to remove the API key from your client-side JavaScript.
Back in June/July I did a lot of work identifying vulnerabilities in Dotsama ecosystem projects as a public service to the community. Yours was one of a handful of projects that I reported vulnerabilities to. I'm not sure how much more constructive I could have been there. Every other project took my findings seriously and worked to remediate them immediately; KodaDot was the exception.
"What I found was NOT residue, it was in use at the time and was still in use at the end of July when I had last checked. I even created PoCs to show you the risk."
Cannot tell which one you mean as we did a lot of fixes since then, so some may take time to resolve on our side. That's why security vulnerabilities have some time to disclose and time to fix.
"Yours was one of a handful of projects that I reported vulnerabilities to. I'm not sure how much more constructive I could have been there. Every other project took my findings seriously and worked to remediate them immediately;"
I see you struggle with seeing recognition for your hard work. I guess, as stated before, we might think of opening tips from Kusama Treasury to pay for your work? As you are ultimately trying to care about the Kusama ecosystem, your hard work could be well rewarded. What are your points on this? Can you state what would satisfy your needs, or what a "security" patch would cost you and what would be involved from your side, so we can receive your PR to fix this stuff with your help? That would be more than awesome for your participation.
"KodaDot was the exception."
In what sense are we an exception? Can you elaborate on what you did not like exactly? Speed of fixes we did among other 100+ issues we have within the small team? Our A security report is not enough? The more descriptive you can be, the more we can see what's overlooked from our side.
We are more than happy to announce we've finally released the Statemine implementation into KodaDot.
From today you can use Statemine in KodaDot.
We've had a few testers before we went public plus we had to rework our whole KodaDot from the bottom-top to mitigate technical debt for further integrations.
We would warmly welcome Twitter RT and mention in Polkadot/Kusama daily news digests from you, whenever possible twitter.com/KodaDot/status/1489575517892325382
Have a nice read.
Best, Matej & Viktor and the rest of the KodaDot Team.
PS you are invited to join our Discord channel Statemine