DEV Community: Rastislav ₡ORE

Building a Well-Known Token Registry

Rastislav ₡ORE — Thu, 04 Sep 2025 08:54:53 +0000

The Problem: Token Discovery Chaos

In the blockchain ecosystem, one of the most persistent challenges is token discovery and validation. Every day, thousands of new tokens are created across different blockchains, but there's no standardized way for applications to discover and validate them.

Current Pain Points

Fragmented Data Sources: Token metadata is scattered across multiple APIs, websites, and databases
Inconsistent Formats: Each platform uses different data structures and validation methods
No Standard Discovery: Applications must maintain their own token lists or rely on centralized services
Validation Complexity: Each blockchain has different address formats and validation rules
Maintenance Overhead: Developers spend significant time maintaining token lists and validation logic

The Solution: Well-Known Token Registry

The solution can be a Well-Known Token Registry that leverages the established .well-known URI specification to provide a standardized, discoverable way to access token information across the web.

What is .well-known?

The .well-known URI specification (RFC 8615) defines a standard way to provide metadata about a service at a predictable location. It's used by major services like:

OAuth providers (/.well-known/oauth-authorization-server)
OpenID Connect (/.well-known/openid_configuration)
Security policies (/.well-known/security.txt)
WebFinger (/.well-known/webfinger)

By following this standard, we ensure that our token registry is:

✅ Discoverable at predictable URLs
✅ Interoperable with existing web infrastructure
✅ Standardized following established conventions
✅ Cacheable by CDNs and browsers

Architecture Overview

The solution is built on Serverless Functions with the following architecture:

┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
│   Client App    │───▶│  Serverless      │───▶│   Storage       │
│   (Wallet/DEX)  │    │  Functions       │    │   (Token Data)  │
└─────────────────┘    └──────────────────┘    └─────────────────┘
                              │
                              ▼
                       ┌──────────────────┐
                       │  Information     │
                       │  (Address Check) │
                       └──────────────────┘

API Endpoints

Status Endpoints

Health Check

GET https://coreblockchain.net/.well-known/tokens/status/ping
# Response: "pong"

Version Information

GET https://coreblockchain.net/.well-known/tokens/status/version
# Response: {"version": "0.1.0", "environment": "prod"}

Detailed Health

GET https://coreblockchain.net/.well-known/tokens/status/health
# Response: {"currentTime": "2024-01-15T10:30:00.000Z", "health": "ok"}

Token Endpoints

List All Tokens

GET https://coreblockchain.net/.well-known/tokens.json?prefix=cb&limit=50

Response:

{
  "tokens": [
    "cb19c7acc4c292d2943ba23c2eaa5d9c5a6652a8710c"
  ],
  "pagination": {
    "limit": 50,
    "hasNext": true,
    "cursor": "6Ck1la0VxJ0djhidm1MdX2FyD"
  }
}

Get Specific Token

GET https://coreblockchain.net/.well-known/tokens/cb19c7acc4c292d2943ba23c2eaa5d9c5a6652a8710c.json

Response:

{
  "ticker": "CTN",
  "name": "CoreToken",
  "decimals": 18,
  "symbol": "Ƈ",
  "type": "CBC20",
  "url": "https://coretoken.net",
  "logos": [
    {
      "size": 16,
      "type": "image/svg+xml",
      "url": "https://corecdn.info/mark/16/coretoken.svg"
    },
    …
  ]
}

Benefits:

✅ Scalable: Handles thousands of tokens efficiently
✅ Consistent: Results remain stable across pagination
✅ Network-friendly: Minimal data transfer

3. Prefix Filtering

Support for filtering tokens by address prefix:

# Get all tokens starting with "cb11"
GET /.well-known/tokens.json?prefix=cb11

Route Configuration

// Status endpoints
app.get("/.well-known/tokens/status/ping", Ping);
app.get("/.well-known/tokens/status/version", Version);
app.get("/.well-known/tokens/status/health", Health);

// Token endpoints
app.get("/.well-known/tokens.json", listAllTokens);
app.get("/.well-known/tokens/:token.json", getToken);

Security Considerations

Input Validation: All inputs should be validated
Rate Limiting: Ensure built-in DDoS protection is in place
CORS: Properly configure for cross-origin requests
Environment Separation: Different validation rules for production and development

Future Improvements

The storage can be connected to multiple sources. Some examples may include:

KV storage
IPFS database (like OrbitDB)
Blockchain data itself

Benefits for the Ecosystem

For Developers

Reduced Complexity: No need to maintain token lists
Standardized API: Consistent interface across all tokens
Built-in Validation: Address validation handled automatically
High Performance: Global CDN distribution

For Users

Faster Loading: Optimized token discovery
Better UX: Consistent token information across applications
Reliability: Based on proven web standards

For the Industry

Interoperability: Standardized token discovery
Decentralization: No single point of failure
Transparency: Open source and auditable
Scalability: Can handle growing token ecosystem

Conclusion

The Well-Known Token Registry demonstrates how established web standards can solve modern blockchain challenges. By leveraging the .well-known URI specification, we've created a solution that is:

Discoverable: Easy to find and integrate
Standardized: Follows established conventions
Scalable: Built for the growing Blockchain ecosystem
Reliable: Powered by a global CDN infrastructure & selected storage

Resources

GitHub Repository: well-known
RFC 8615: Well-Known URIs specification

Speed-run a SvelteKit app with the MOTA starter

Rastislav ₡ORE — Sat, 30 Aug 2025 21:41:58 +0000

Want a fresh, batteries-included SvelteKit app without wading through prompts and boilerplate? The MOTA starter wraps the official sv CLI with a one-shot installer that scaffolds your app, merges a template, sets sensible dotfiles, handles licensing, and more.

TL;DR

bash -c "$(curl -fsSL https://cdn.jsdelivr.net/gh/bchainhub/sveltekit-starter/sv-starter.sh)"

Run that, follow the prompts, and you’re coding. The script calls npx sv create behind the scenes, then automates the rest. (GitHub)

What you get (automatically)

After you run the command, the installer:

Creates a SvelteKit project via npx sv create (you can still pass extra sv flags if you want—see below).
Detects the project folder and cds into it.
Installs a curated set of base deps for this starter.
Optional Auth setup (interactive):
- None (default)
- @auth/sveltekit (runs npx auth secret)
- lucia
Optional Data layer picker (interactive): Prisma, Drizzle ORM, Supabase, Neon, MongoDB, Redis, or none—kicks off tiny init steps where relevant.
Merges a template repository (default: the MOTA template) so you start with a real app structure instead of a blank skeleton.
Initializes git (if needed) and can make a quiet “scaffold” commit for a clean baseline.
Runs npm-check-updates locally to bump ranges, reinstalls, and removes the tool—so you begin on fresh deps.
Augments .gitignore (OS cruft, logs, editor dirs) and can optionally ignore lockfiles (default Yes).
Copies shared assets from the starter repo when you choose them:
- .editorconfig (default Yes)
- .github/ISSUE_TEMPLATE (default No)
Sets a LICENSE (interactive):
- CORE (custom, non-SPDX) with the right package.json field, or
- Common SPDX licenses (MIT, Apache-2.0, GPL-3.0-or-later, AGPL-3.0-or-later, LGPL-3.0-or-later, BSD-2/3, MPL-2.0, Unlicense, CC0-1.0, ISC, EPL-2.0).
Optional final local commit of all changes (never pushes).

When it’s done, open the new folder and run your dev server with your package manager of choice (the script already installed deps).

Why this saves time

One command, all the things – You don’t have to remember the right order of sv + packages + auth + DB + dotfiles + license. It’s orchestrated for you.
Real template, not just a skeleton – By default it merges the MOTA template so you start with a working app structure and assets. Less yak-shaving, more shipping.
Team-friendly consistency – Everyone spins up the same baseline (git commit included), which makes diffs and reviews saner.
Up-to-date deps from the start – The npm-check-updates pass means you aren’t starting behind on versions.
Sane housekeeping – .gitignore, .editorconfig, and optional .github templates come prepped, so you don’t copy/paste from old projects.

Options you might want

Use a different template

  bash -c "$(curl -fsSL https://cdn.jsdelivr.net/gh/bchainhub/sveltekit-starter/sv-starter.sh)" \
    -- --template https://github.com/your-org/your-sveltekit-template.git

The default template is the MOTA repo. Swap it for your own when needed. (GitHub)

Forward flags to sv create Anything after -- goes straight to sv. For example:

  bash -c "$(curl -fsSL https://cdn.jsdelivr.net/gh/bchainhub/sveltekit-starter/sv-starter.sh)" \
    -- --name my-app

Requirements & platform notes

Node 18+ (20+ recommended), git, curl, and at least one of: pnpm, bun, yarn, or npm. The script auto-detects what you have.
Tested on macOS 14/13 and Ubuntu 22.04+.

Security tip

Running remote scripts is super convenient—and something you should always eyeball first. You can review it before executing:

curl -fsSL https://cdn.jsdelivr.net/gh/bchainhub/sveltekit-starter/sv-starter.sh | less

Then run it once you’re comfortable:

bash -c "$(curl -fsSL https://cdn.jsdelivr.net/gh/bchainhub/sveltekit-starter/sv-starter.sh)"

The repo’s README documents this flow and the safety notes. (GitHub)

Handy links

Installer / README (full step-by-step & flags): (GitHub)
MOTA template repo (the default template the script merges): (GitHub)

Wrap-up

If you find yourself starting SvelteKit projects often-or onboarding teammates-the MOTA starter condenses 15-30 minutes of setup into a guided minute. One command, clear prompts, production-minded defaults. Copy the TL;DR and go build something.

0G Transmission service - TxMS

Rastislav ₡ORE — Tue, 17 Sep 2024 16:33:59 +0000

What is 0G Transmission?

0G refers to signaling and transmission used prior to the introduction of mobile data technologies such as GPRS, 3G, 4G, etc. With this technology, you can enable communication in areas without internet connectivity, as it only requires a basic cellular network.

Why is it important?

Even in well-developed areas, data transmission is not always feasible due to coverage limitations or cost constraints. For example, imagine enjoying wine 🍷 in a cellar and wanting to pay with cryptocurrency. This is possible using TxMS, which operates without data connections.

What can be transferred?

TxMS can handle any data in hexadecimal format, as described in the binary-to-text encoding process. You can utilize the Core Blockchain endpoints or set up your own TxMS server.

Let's try it!

Step 1: Create and Sign a Core Blockchain Transaction

First, you need to compose and sign a Core Blockchain transaction.

If you don't have the go-core client installed, you can download it here for your platform.

Once downloaded, make the file executable by navigating to the directory containing gocore and running the following command:

chmod +x gocore

You can now run the client with:

./gocore --verbosity 2 --nat any console

This opens an interactive console where you can execute commands.

Step 2: Create a New Account

To sign transactions, you need an account. You can either create a new account or import an existing one (UTC file). For now, let’s create a new account:

personal.newAccount("your_passphrase")

Replace your_passphrase with something you will remember! If you'd rather not use a passphrase, simply omit it. The UTC file will be stored in ~/Library/Core/keystore/ (on Mac).

Step 3: Check Sync Status (Optional)

You may not be fully synchronized with the Core Blockchain, which is not strictly required but can be helpful. Use the following command to check your sync status:

xcb.syncing

If you're synchronized, this command returns false. Synchronization consumes bandwidth and computing power, so you might want to leave it running when you're not actively using it.

Step 4: Create and Prepare a Transaction

To get the nonce for your account (which should be 0 for the first transaction), run:

web3.xcb.getTransactionCount("cb…")

Make sure your client is synchronized to get the correct nonce.

Now, compose your first transaction:

var tx = {nonce: '0x0', energy: 21000, energyPrice: 1000000000, from: "cb…", to: "cb…", value: web3.toOre(1)}

Here's a breakdown of the fields:

nonce: The transaction count (in hexadecimal format).
energy: The computational effort required, 21000 is standard for simple transfers.
energyPrice: The amount of Core you're willing to pay per unit of energy (measured in 'nucle' from Core denomination table).
from: The sender's ICAN address.
to: The recipient's ICAN address.
value: The amount of Core to send, using the helper function web3.toOre.

Step 5: Sign the Transaction

Before signing, you'll need to unlock your account:

personal.unlockAccount("cb…")

You'll be prompted for your passphrase (or just press Enter if you didn't set one). The account will remain unlocked for 300 seconds (5 minutes).

Next, sign the transaction and store it in the txSigned variable:

var txSigned = xcb.signTransaction(tx)

Step 6: Prepare the Raw Transaction for TxMS

To prepare the raw transaction, print it with:

txSigned.raw

Copy the raw transaction, as you'll need it for the next step.

That is all what we need from Core console now. Keep it running for synchronization or shut down using the command Ctrl + D.

Step 7: Install TxMS

If you haven't already installed TxMS, you'll need Node.js installed. I recommend using nvm for Mac users. Once you've finished installing Node.js, proceed to the next step.

Install the TxMS library globally:

npm i -g txms.js

After installation, restart your terminal and verify that txms is recognized by typing command for opening help context:

txms -h

Step 8: Encode the Transaction with TxMS

To encode your transaction with TxMS, run:

txms -e=rawtransaction

Replace rawtransaction with the transaction data you copied earlier. TxMS will return the encoded message. You can also use the -dl parameter to download the encrypted message to your working directory as .txms.txt.

Step 9: Send the TxMS Message via SMS

Now, copy the encoded message and send it via SMS. The message will typically split into 2-3 SMS messages, but MMS is also supported.

Make sure the TxMS service is running before sending the message to the appropriate number:

Mainnet: +12019715152
Testnet (Devín): +12014835939

Step 10: Confirm the Transaction on the Blockchain

After about 10 seconds, the transaction should appear on the Blockchain. You can verify it using Blockindex by entering the sender or recipient address.

Congratulations! You've just completed your first TxMS transaction. If you encounter issues, feel free to ask for help on our Discord, or open a thread in the forum.

We would be happy to hear about new use cases and your ideas for applying the technology. Don't hesitate to reach out to us.

The Future of Financial Compliance Supported by Blockchain

Rastislav ₡ORE — Sat, 31 Aug 2024 12:37:13 +0000

In an era where financial crimes like money laundering and terrorist financing pose significant threats to global security, innovative solutions are adding value as significant tools. One such solution is the goAML platform, a comprehensive Anti-Money Laundering (AML) software developed by the United Nations Office on Drugs and Crime (UNODC). This system empowers Financial Intelligence Units (FIUs) with the tools necessary to collect, manage, analyze, and exchange financial data related to suspicious activities. The effectiveness of compliance software can be significantly enhanced, providing a robust framework for secure, transparent, and efficient data exchange.

The Role of goAML 5.0 in Combating Financial Crimes

On 9 July, a landmark release of goAML was published, introducing version 5.0, UNODC's Next Generation solution for Anti-Money Laundering and Countering Terrorist Financing. This latest release marks a major milestone for the project, offering Financial Intelligence Centres worldwide more advanced technologies for fighting financial crime. goAML 5.0 is the result of hard work and intensive collaboration between FIUs and UNODC, showcasing the power of global partnerships.

Notable Features of goAML 5.0

Cryptocurrency Support: With the rise of virtual assets as a popular method for money laundering, goAML 5.0 now includes cryptocurrency support, allowing the reporting and processing of transactions involving digital currencies.
Hybrid Reporting and Full Customisation: This feature enables the combination of transaction and activity reporting in a single report, with flexible options for including persons, entities, or accounts.
Integration with Egmont Secure Web: FIUs using goAML can now export and import information to each other, enhancing international cooperation and data sharing.
Accessible Web Interface: The new interface ensures that the reporting community of over 120,000 users can operate without restrictions in their daily tasks.
Artificial Intelligence Features: goAML 5.0 introduces Natural Language Processing (NLP) and Optical Character Recognition (OCR) to ingest unstructured data, increasing automation and efficiency.
Expanded Reporting Capabilities: The addition of 130+ new fields and virtually unlimited reporting possibilities empower FIUs to capture more detailed and comprehensive data.

goAML 5.0 is already deployed in close to 60 countries, where it processes over 300,000 transactions daily, contributing to a global total of one billion transactions.

The Backbone of Secure and Decentralized Transactions

Core Blockchain brings a new dimension to AML systems with its fast, secure, and decentralized network. Its key features make it an ideal platform for transmitting sensitive financial information:

Security and Decentralization: Core Blockchain ensures that data transmitted through its network is secure and immutable. The decentralized nature of the blockchain prevents unauthorized access and tampering.
No PoS system: Core and its ecosystem leverage proofs that work with contributions to computing; this is a well-proven concept for years. The era of Blockchain started with it, and we have improved it to be more efficient.
Speed: Transactions on Core Blockchain are verified approximately every seven seconds, making it possible to transmit information quickly without sacrificing security.
Offline Capabilities: With 0G (SMS, MMS) connectivity, Core Blockchain can operate even in environments without traditional internet access, ensuring that critical data can be transmitted regardless of infrastructure limitations.
Layer-1 applications: Applications built on the Core network, such as CorePass.
PayTo: Native support of PayTo protocol.
ICAN: ICAN addresses.
Oracles: Built Oracles, which connect current financial and compliance applications. Like XmlGoaml oracle.
KYX: KYT (know your transaction), KYP (know your transaction partner), KYC on demand.

These features make Core Blockchain a powerful tool, enabling the secure and efficient transmission of financial data, even under challenging conditions.

Enhancing Compliance Through Verified User Information

CorePass, a Layer-1 application on the Core Blockchain, adds another layer of security and compliance to the AML process. CorePass allows users to provide verified information through a system that prioritizes user consent and privacy. This capability is crucial for Know Your Customer (KYC), Know Your Customer's Customer (KYCC), and Know Your Business (KYB) processes, which are central to AML compliance.

KYC and KYCC: CorePass ensures that the identities of individuals and entities involved in financial transactions are verified, reducing the risk of fraud and money laundering.
Beneficial Ownership: Through CorePass, FIUs can access verified information about the beneficial owners of businesses, providing greater transparency and accountability.
Risk Assessment and Financial Audit Trails: CorePass can generate comprehensive audit trails, making it easier for FIUs to track and assess the risk associated with financial transactions.

A Comprehensive Compliance Ecosystem

The integration of Core Blockchain and CorePass with goAML 5.0 creates a powerful compliance ecosystem that meets the highest standards of security, transparency, and efficiency. This integration supports various AML processes, including:

Secure Information Transmission: Core Blockchain ensures that all data exchanged within the goAML system is secure and resistant to tampering.
Advanced Compliance Tools: CorePass provides verified, user-consented information, enhancing the accuracy and reliability of KYC, KYCC, and KYB processes.
Compliance Oracles: Core Labs offers XmlGoaml, a .NET project designed to process XML data aligned with goAML XSD standards. This tool enables seamless integration between Core Blockchain and the goAML environment, ensuring compliance with global AML regulations.

The Future of AML with Core Blockchain and goAML 5.0

The financial system is undergoing a transformation, with digital currencies, programmable tokens, and FIAT bridges becoming increasingly prominent.

You should follow few interesting aspects:

Digital money / CBDC
Stable programmable tokens (not coins)
FIAT bridges into digital ecosystem
Compliance oracles

By basing your ecosystem or Dapps on Core Blockchain's decentralized architecture and CorePass's verified information system, you can offer an unparalleled level of security, efficiency, and on-demand compliance. This innovative approach not only contributing to global standards, but keep your data safe and full decentralized and anonymous.

Licensing the Open Source Software

Rastislav ₡ORE — Mon, 26 Aug 2024 10:22:01 +0000

The rise of open-source software (OSS) has fundamentally changed the landscape of software development, offering an alternative to the traditional closed-source model. The evolution of OSS continues, and the Core License is helps with licensing and flexibility. Whether you're working on a small personal project or managing a large corporate project, the Core License offers significant benefits that can amplify the impact of your work.

Understanding the Core License

The Core License is a permissive open-source license that grants users extensive freedom to use, modify, merge, publish, distribute, sublicense, and even sell copies of the software. However, it includes one crucial condition: all distribution of the software in source code form, including modifications and contributions, must be disclosed and made publicly available.

This transparency requirement ensures that improvements and innovations built on the software benefit the entire community, inviting collaboration and driving collective progress. This will significantly improve the security of the project and transparency.

Why Core License is Beneficial for Small Projects

Maximize Visibility and Impact: For individual developers or small teams, gaining visibility can be a challenge. By adopting the Core License, your project is inherently open to contributions and improvements from the wider community, potentially attracting more users and collaborators. This can lead to your project growing far beyond what you could achieve alone.

Leverage Community Contributions: When your project is open and accessible, other developers can contribute to it, fixing bugs, adding features, and improving documentation. This can significantly reduce your workload and allow you to focus on the core aspects of your project.

Learning and Collaboration: For developers looking to learn, open-source projects licensed under the Core License offer a unique opportunity to see how others approach problem-solving. Collaborating on such projects can accelerate your growth as a developer and expand your professional network.

Why Core License is Essential for Corporate Projects

Innovation: In a corporate setting, innovation is key to staying competitive. The Core License allows companies to leverage external contributions and innovations, speeding up development cycles and reducing time to market.

Ensure Compliance and Security: The transparency required by the Core License means that all modifications and contributions are publicly available. This makes it easier to audit code for security vulnerabilities, ensuring that your software remains robust and secure.

Collaboration: Many large corporations are shifting towards open collaboration to solve industry-wide challenges. By adopting the Core License, your company can contribute to and benefit from a collective pool of knowledge and resources, leading to better solutions faster.

Adapt to Changing Market Conditions: In today's fast-paced tech environment, the ability to pivot and adapt quickly is crucial. The flexibility of the Core License allows your company to rapidly incorporate new technologies and approaches without being constrained by proprietary software models.

The End of Closed Source: The era of closed-source software is rapidly drawing to a close. The benefits of open-source development—collaboration, transparency, and innovation—are too compelling to ignore. The Core License represents a modern approach to OSS, one that balances freedom with responsibility. It encourages developers to share their work and contribute to a larger ecosystem while retaining the ability to monetize their efforts.

By adopting the Core License, you're not just choosing a license; you're choosing to be part of a global community that believes in the power of collective progress. Whether you're an individual developer or part of a corporate team, the Core License offers a framework that can help you achieve your goals more effectively.

Text of the license: https://github.com/bchainhub/core-license/blob/master/LICENSE

The Hidden Cost of Centralization: A Cautionary Tale from the World of Domains

Rastislav ₡ORE — Fri, 04 Aug 2023 17:45:37 +0000

In our modern digital era, domain names are our real estate, the cornerstones of our online identity and our business's digital presence. As our reliance on digital platforms grows, we become more creative, adopting unique and eye-catching domain names like emoji domains. These emoji domains were a fresh, fun twist on the traditional digital address format. Unfortunately, as some of us recently discovered, there's a cost to being too innovative in this arena.

A Journey Through Emoji Domains

Emoji domains, a captivating innovation in the digital world, are domain names containing one or more emojis, e.g., 😉.ga. They became a unique and vibrant way to mark our online presence. However, they're under the jurisdiction of centralized authorities like ICANN and regional domain registries. My recent experience highlighted the pitfalls of this centralization.

I acquired several emoji domains through Subreg.cz, hosted on the GA TLD. They were a proud digital asset for me due to their rarity and uniqueness. But things started to unravel when I noticed some services hosted on these domains were failing. Further investigation revealed that Cloudflare was delisting them.

Unforeseen Complications

To make matters worse, the domain records themselves began to disappear, even though they were paid and active. I reached out to Subreg.cz to shed light on this mysterious occurrence. After a lengthy back and forth, the shocking truth was unveiled: the registry of GA domains was changing their rules and delisting all emoji domains.

The entire episode resulted in sudden, unannounced deletion of the domains I owned and loss of services hosted on them. It was as if the rug had been pulled out from under me. Even worse, Subreg.cz provided no notification or refund. The company, in essence, shirked responsibility, citing that the actual issue was with Freenom, the previous GA domains operator.

The Fallout

The implications of this abrupt delisting were severe:

All services hosted on the emoji GA domains were down and exposed to potential security breaches.
The money paid to keep the domains registered was lost.
Valuable time and resources were wasted in addressing the issue.
There were no refunds or notifications from the registrar or the registry.
Lastly, the damage to the digital infrastructure was substantial.

As a result of this debacle, my decision is clear: I will steer clear of GA domains and let go of emoji domains altogether.

The Need for Decentralization

This incident serves as a stark reminder that the future of domains should ideally not be tied to the ICANN or similar centralized bodies. The arbitrariness of their decisions and lack of transparency or responsibility can have significant consequences for individuals and businesses alike.

That's why we should start considering alternatives, such as decentralized domains hosted on Blockchain. While onion domains can also serve as an alternative, their practical application remains limited. Blockchain domains, on the other hand, are immune to the whims of centralized authorities and offer greater security and control over our digital assets.

In conclusion, as we continue to navigate our digital future, it's crucial to critically evaluate the platforms and systems we use. We should advocate for and support decentralized, transparent, and user-friendly domain systems that empower rather than disenfranchise us. The stakes are too high to leave our digital presence in the hands of unreliable centralized entities.

Blockchain-based domains exemplify this by ensuring that your digital identity remains immune to external disruptions, such as arbitrary changes in domain registry rules. Just like our DNA, these domains are immutably tied to us, unalterable by external forces, ensuring that your digital "self" stays intact and inviolable.

The incident I experienced serves as a stark reminder that the digital components of our identity are not just ornamental but are integral and as real as our physical selves. The current systems, under centralized control, lack the ability to recognize and respect this new facet of our identity. It's as if our digital self is under constant attack, not just from cyber threats, but also from the authorities supposed to protect it.

This forces us to think in new directions, to consider how we might enable a decentralized autonomous organization (DAO) environment. DAOs, built on blockchain technology, can provide the level of security, autonomy, and respect that our digital identities deserve.

As we march towards an increasingly digital future, it's important to remember that our digital selves are not mere extensions of us; they are us. We must not shy away from striving to protect and nurture them in the same way we would our physical selves.

We're in an era of a new type of revolution: an identity revolution. By embracing blockchain technology and DAOs, we have a real opportunity to redefine and reclaim our digital identities, paving the way for a more secure, autonomous, and equitable digital future.

WhiteHat report: Cloudflare Email worker

Rastislav ₡ORE — Tue, 16 May 2023 13:37:49 +0000

Email worker and email redirection are dropping the valid emails.

Email routes and workers exclude addresses with a "plus" addressing field. This made the service unsuccessful in processing the data. No error nor notification is provided.

Steps to reproduce

Create an email redirection processed by the worker and print using the console.log (for example) event.to
Enable email worker on email in the dashboard. e.g.: user@sld.email to process emails in the worker
Execute the worker with an email with a 'plus' addressing field. e.g.: user+info@sld.email
Email is not captured at all. And the worker didn't run.

Impact

The impact is high because you miss emails, even if they are addressed correctly.
All cases with event.to have been affected so far. There may be more cases.
The impact is to lose even valid emails in the Cloudflare system.
With the configuration: catch-all: none or drop; the valid emails are lost.

Environment

Please, set the catch-all to drop. And create a custom address recipient@cloudflare.com or test@cloudflare.com. Then those addresses should run the worker. On my end, I am facing issues with "plus" addresses, such as recipient+123@cloudflare.com; test+123@cloudflare.com.

Rationale

Certain important communications may be inadvertently excluded due to filtering processes, which can harm Cloudflare's operational efficiency. The perpetrator may attribute this to a spam filter, thereby influencing Cloudflare's business logic. By employing a catch-all address, the system may be vulnerable to DoS attacks or result in the loss of client funds.

Classification

CWE840: Business Logic Errors

Referrence

Originally posted in HackerOne #1988088

Result

Informative