This article will demonstrate how developers can use Proof of HUMANity to protect their DApps from bots.
The article will cover how smart contracts are vulnerable to bot activity, and offer developers a solution: Proof-of-HUMANity.
Let’s consider the simplest example of a dApp – a counter stored on the chain.
Demo: basic-counter.bakoush.in
Note. All demos in this article are deployed on the Polygon Mumbai Testnet. Consider getting some test MATIC from a faucet.
Humans can increase the counter by pressing the button in the user interface. Bots, instead, can take advantage of a direct call to the smart contract. The same applies to many smart contracts.
Full bot code on GitHub
If you want to play with the bot yourself, here is the basic contract address of the counter (Polygon Mumbai Testnet): 0x336c94E1F0F4D0103b012E78E6700959c89Ba8AD
Depending on your app design, you may want to prevent similar bots from interacting with your app.
This is where the problem of bot protection arises.
Since the public methods of a smart contract can be called by anyone, it is not enough to integrate traditional CAPTCHA solutions into the front-end or back-end servers. Humanity must additionally be checked on-chain, within the smart contract itself, which has no way to reach the outside world and therefore cannot call any off-chain API.
We propose a simple yet powerful mechanism to move humanity verification onto the chain infrastructure.
[Figure: humanity test concept]
Proof of HUMANity (PoH) is signed evidence that the caller is a human. Signed off-chain by a trusted party, the PoH can be verified on-chain.
PoH consists of a 36- or 97-byte long evidence base, depending on the type of evidence, and a 65-byte signature from the evidence base validator.
On-chain, the validator's signature can be verified, so the contract can trust that the caller's humanity has been authentically confirmed.
The test of humanity can be of two types: basic and sovereign.
Basic PoH
The basic proof has a 36-byte base and is therefore 101 bytes long in total. Its base consists of a random challenge and a timestamp, and the validator signs that base.
Sovereign PoH
The sovereign proof has a 97-byte base and is therefore 166 bytes long in total. In addition to the elements of the basic proof, its base includes the sender's signature.
In this way, it can be verified on-chain that the proof was generated by the sender of the transaction, eliminating the possibility of a proof being generated by someone who does not control the sender's address.
This provides more robustness, but requires users to sign the challenge with their wallet.
Using Proof of HUMANity in your DApp
When a user wants to send a transaction to your smart contract, your app UI obtains a Proof-of-HUMANity verification through the hCaptcha system and passes this proof along in the smart contract call.
The smart contract, in turn, verifies that the proof comes from the trusted source and has not been seen before. Otherwise, the call reverts.
Integrating PoH into your application is quite easy thanks to the existing libraries. Three steps are needed:
1) Deploy the validator API (hCaptcha)
2) Include PoH in the UI of your dApp
3) Integrate PoH into your smart contracts
Validator API
The key element of a proof of humanity is the validator's signature. You must trust that this validator is really validating the humanity of the users. This can be achieved in at least two ways:
- you run the validator yourself and have full control over it (hCaptcha validator API)
- you trust an established third-party validator, such as a major CAPTCHA provider
The latter option isn't available yet (but we hope it will be), so let's focus on the former.
Deploy validator API
You can quickly deploy an API that produces Proofs of Humanity using a Docker image. The image is an example PoH validator API backed by the hCaptcha service.
You have to provide the hCaptcha secret and the validator's private key. This key is used to sign the proofs.
You can also create your own validator, as long as it produces valid proofs that adhere to the PoH format discussed earlier.
Include PoH in the user interface
To interact with the deployed API, you can use a set of React components designed to quickly integrate into any app:
1) Wrap your app in the ProofOfHumanityProvider:
2) Instantiate the PoH hCaptcha validator plugin:
3) Initialize the getProofOfHumanity method from the PoH hook using the instantiated validator:
4) Obtain the humanity test before sending any sensitive transactions, and provide it as a parameter to the sensitive external method you are calling:
That’s it for the user interface.
Smart contracts update
You can use the poh-contracts library to easily integrate Proof-Of-HUMANity into your smart contracts.
Let’s see an example. This is our basic counter contract:
This is how we can integrate it with Proof-Of-HUMANity:
1) Inherit from the HumanOnly contract.
2) Make sure the validator address is set (this can be done in the constructor or by an external call).
3) Add one of the -proof modifiers to your sensitive methods, along with a bytes calldata proof parameter.
That's it for the smart contract!
Now the method call reverts unless the proof carries a valid validator signature and has not been seen before.
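As an added illustration (not code from the poh-contracts library, whose exact byte layout the article does not show), here is a minimal HumanOnly-style base contract that verifies a basic proof in an assumed layout of challenge (32 bytes) | timestamp (4 bytes) | validator signature (65 bytes), rejects replays, and gates the counter's increment with a modifier and a bytes calldata proof parameter. The 5-minute freshness window and the EIP-191 personal_sign convention for the validator are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

// Assumed basic-proof layout (illustration, not the poh-contracts wire format):
//   challenge (32 bytes) | timestamp (4 bytes) | validator signature (65 bytes) = 101 bytes
// The validator is assumed to sign keccak256(challenge | timestamp) with an EIP-191 prefix.
contract HumanOnlyExample {
    address public validator;                        // trusted off-chain validator, set in constructor
    uint256 public constant PROOF_TTL = 5 minutes;   // assumed freshness window for the timestamp
    mapping(bytes32 => bool) private usedChallenges; // replay protection: each challenge spends once

    constructor(address _validator) { validator = _validator; }

    modifier basicProof(bytes calldata proof) {
        _verifyBasic(proof);
        _;
    }

    function _verifyBasic(bytes calldata proof) internal {
        require(proof.length == 101, "PoH: bad length");
        bytes32 challenge = bytes32(proof[0:32]);
        uint256 issuedAt = uint256(uint32(bytes4(proof[32:36])));
        require(!usedChallenges[challenge], "PoH: proof already used");
        require(block.timestamp <= issuedAt + PROOF_TTL, "PoH: proof expired");
        bytes32 digest = keccak256(proof[0:36]);
        require(_recover(digest, proof[36:101]) == validator, "PoH: bad validator signature");
        usedChallenges[challenge] = true; // mark before the protected body runs
        // Note: a basic proof is not bound to msg.sender; the sovereign variant would additionally
        // recover the sender's signature from the base and require it to equal msg.sender.
    }

    function _recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        if (v < 27) v += 27;
        // Reject high-s values so a signature cannot be malleated into a second valid one.
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "PoH: bad s");
        bytes32 ethDigest = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", digest));
        address signer = ecrecover(ethDigest, v, r, s);
        require(signer != address(0), "PoH: invalid signature");
        return signer;
    }
}

// The counter from the article, gated by the modifier: each increment spends one fresh proof.
contract PoHCounter is HumanOnlyExample {
    uint256 public count;
    constructor(address _validator) HumanOnlyExample(_validator) {}
    function increment(bytes calldata proof) external basicProof(proof) { count += 1; }
}
```

A direct call to increment without a proof signed by the configured validator, or with a challenge that was already spent, reverts, which is the behaviour the article describes for the protected counter.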
Demo: poh-counter.bakoush.in
If you feel like trying the bot, here is the address (Polygon Mumbai Testnet): 0x454C82492DF9E5582186c983D26Dda6Bf9861A50
References
dApp example
Counter dApp
source code
Validator API (Docker)
Proof-of-Humanity hCaptcha Validator API
UI Components
Proof-of-Humanity-React
Proof-of-Humanity hCaptcha Validator React
Solidity Library
Proof-of-Humanity Solidity Contracts
Disclaimer: The information and/or opinions expressed in this article are the sole responsibility of the author and do not necessarily represent the views or editorial line of Cointelegraph. The information set forth herein should not be taken as financial advice or investment recommendation. All investment and commercial movement involve risks and it is the responsibility of each person to do their due research before making an investment decision.