dsuite

Secure the Software Supply Chain

Before any web3 technology can be used to responsibly control large sums of money, we need to secure the software supply chain, especially for frontends.

DNS and the cert auth infrastructure are all backdoored. Sometimes by friendly governments, sometimes by adversarial ones, and sometimes by rogue hackers.

Most web3 developers treat frontend development the same way they did in web2, installing thousands of dependencies using package managers and pushing them to users over DNS, trusting SSL certificates signed by certificate authorities, where those users then sign transactions based on what that frontend presents to them.

This is not an acceptable state of affairs if we hope for blockchain-based financial infrastructure to improve the world of finance. Below are a few tools we have started developing to help augment Ethereum and IPFS to make them usable for securing the software supply chain. We call this set of tools dsuite.

Feel free to join our chat if you want to contribute.

2022-05-31: All of these tools are alpha-quality and should not yet be trusted for serious money at stake.

• dmap
• • de-root your defi dapp with an easy-to-audit lockable namespace
• dpack
• • simple lockfile for EVM addresses and artifacts
• lockpack
• • simple lockfile/manifest describing how to dump a directory tree from dmap/ipfs locks

Here are just a few examples of software supply chains that impacted the web3 industry.

• attack on etherscan via ad network
• attack on coingecko via ad network
• HUGE attack on 35k github repos that uploads env vars
• attack on 4 dapps via domain registrar

The entire supply chain is vulnerable to these kinds of attacks because the PKI infrastructure is fundamentally rooted in something that is backdoored.