
The Fluence DAO is providing rewards to developers based on their GitHub profiles. As a cryptocurrency novice, I'm uncertain whether it is worth figuring this out or if I should just ignore it.

My current understanding is:

  1. Fluence itself is not a total scam.
  2. The emails suggesting that some unknown person can do this claim process for me likely are a total scam, and they would keep all of the tokens themselves.
  3. To claim the reward, I need to decode a secret using my private SSH key. As far as I can tell, this step seems secure enough, with only the age utility having access to the key.
  4. With the decrypted secret, I need to start an "airdrop" and make a "claim transaction". These are Ethereum methods for transferring funds between accounts.
  5. There are some "gas fees" to pay for this, while the FLT-DROP tokens themselves cannot be exchanged for FLT (and then Ethereum) until 2 months after the claim.
  6. The market price of FLT is at 0.24 USD now, but the trend is downwards and it is not clear what the price will be in 2 months.

With the complex process, upfront payment of gas fees and uncertain value, I'm not sure it is worth the effort. But can someone confirm that my basic understanding of the process is correct?

  • I've claimed it, and it was legit. Although I also had doubts about it, later they added a read-only flag in the command, which means the script will only read the SSH key and not store it. You can claim it without worrying. Commented Jul 12 at 11:11
  • @ZartajAfser Did you have to pay any "gas fees" out of pocket, and how much did it amount to?
    – jpa
    Commented Jul 12 at 12:10
  • Yeah, it took around $30 of gas fees for both transactions combined. Commented Jul 12 at 17:34
  • The official tutorial provides a command to run it in a docker image with read-only access to your key and no internet access, and also using just a pipe of three commands. Commented Jul 20 at 18:27
  • @DavidDavó Read-only access to the private SSH key and then pasting a binary blob out of it is scary enough. But k_o_'s method is good.
    – jpa
    Commented Jul 21 at 6:03

2 Answers


To check GitHub account ownership, the GitHub OAuth API should be used.

Exposing the SSH key to an unaudited script is high risk and advised against by any security professional.

There are safe ways to build confirmation of GitHub ownership, and this is not one of them. Even though Fluence is not a total scam, the supply chain and complex script touching the SSH keys are ill-advised.

  • In principle I agree, but it seems the goal has been to make it decentralized. The web browser based method seems the safest to me; it ends up needing `echo ... | base64 --decode | age --decrypt --identity ~/.ssh/id_rsa` to touch the key.
    – jpa
    Commented Jul 12 at 14:31
  • The distribution list is created by a centralised entity, in a centralised manner. There was no decentralised process of creating the CSV file. Because of this, there is no additional value created whether this ownership is verified centrally or not - it is just smoke and mirrors here. Commented Jul 12 at 14:39
  • Where can I find the distribution list? Commented Jul 20 at 18:26

Disclosing the private SSH key is not safe, but what I did was to delete my public SSH key from GitHub first and create a new one. And then I used the old, now deleted and useless, key with the Fluence rewards tool. The process is acceptable if the current value turns out to be real, which I don't know.

  • Deleting your copy of the private key is not enough. If e.g. the public counterpart is present on some servers as an authorized key, then they can log in using your private key. What's needed is a guarantee that the key is not leaked, and an audit that convinces me that some random 1000+ lines of code does not leak my key would probably cost a multiple of the airdrop value... Commented Jul 29 at 16:44
  • You deleted your public key from the GitHub servers, not your private key. Commented Jul 29 at 16:46
  • Right, thanks, I have corrected it to public key. Since my key is only used on GitHub and this is the only service used with this key, removing this key from GitHub should be good enough.
    – k_o_
    Commented Jul 31 at 11:57
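The comments above make the defensive point that removing a public key from GitHub says nothing about copies of that public key sitting in `authorized_keys` files elsewhere, and that the only reliable retirement is one where the key is not authorized anywhere before it is handed to a third-party tool. The script below is an added example (not from this thread, from Fluence, or from its claim tooling) of the audit step a practitioner would run over the hosts they control: it computes the OpenSSH-style `SHA256:` fingerprint of a public key line and reports every `authorized_keys` line that still matches it, options prefix included. The public keys and the `authorized_keys` contents it scans are constructed inline for the demonstration; on a real host you would feed it the text of each user's `~/.ssh/authorized_keys`.

```python
"""Audit helper: find every authorized_keys entry that still matches a key.

Added example for this thread (not from Fluence, its tooling, or any commenter).
The sample keys and the sample authorized_keys text are constructed here so
the script runs offline; the fingerprint logic is the standard OpenSSH one
(SHA-256 over the decoded key blob, base64 without padding).
"""
import base64
import binascii
import hashlib
import struct


def _pack_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def ssh_fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH SHA256 fingerprint of one public key line.

    Accepts a plain "type base64 [comment]" line or an authorized_keys line
    with a leading options field (e.g. 'restrict,command="/x" ssh-ed25519 ...').
    Quoted options containing spaces split into several fields, which is fine:
    the scan simply keeps walking until it reaches the key-type field.
    """
    fields = pubkey_line.strip().split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
            blob = base64.b64decode(fields[i + 1])
            # The blob's first wire string must repeat the key type; otherwise
            # this field was not really a key type (or the blob is corrupt).
            if not blob.startswith(_pack_string(field.encode())):
                continue
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no SSH public key found in line")


def find_authorized_uses(target_fingerprint: str, authorized_keys_text: str):
    """Return (line_number, line) pairs in authorized_keys_text whose key
    fingerprint equals target_fingerprint. Comments, blank and malformed
    lines are skipped rather than treated as matches."""
    hits = []
    for n, line in enumerate(authorized_keys_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            fp = ssh_fingerprint(stripped)
        except (ValueError, binascii.Error):
            continue
        if fp == target_fingerprint:
            hits.append((n, stripped))
    return hits


def _constructed_ed25519_pubkey(seed: int, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 public key line from a
    deterministic 32-byte filler. Constructed for this demo; not a real key."""
    raw = hashlib.sha256(seed.to_bytes(4, "big")).digest()  # 32 bytes
    blob = _pack_string(b"ssh-ed25519") + _pack_string(raw)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample data: the key being retired and an unrelated key.
RETIRED_KEY = _constructed_ed25519_pubkey(1, "retired-github-key")
OTHER_KEY = _constructed_ed25519_pubkey(2, "laptop")

# Constructed authorized_keys contents for one host. Line 3 shows the case the
# comment warns about: the "retired" key is still authorized (with options).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the demo",
    OTHER_KEY,
    'restrict,command="/usr/bin/backup" ' + RETIRED_KEY,
    "not a key line at all",
])


def audit_retired_key():
    """Run the audit for RETIRED_KEY against the sample authorized_keys."""
    fp = ssh_fingerprint(RETIRED_KEY)
    return find_authorized_uses(fp, SAMPLE_AUTHORIZED_KEYS)


if __name__ == "__main__":
    for n, line in audit_retired_key():
        print(f"line {n}: retired key is still authorized: {line}")
```

A key that turns up in any `authorized_keys` file, or on any service that accepted it, is not retired in the sense the comment requires, and should not be exposed to a third-party script; the safer course in that situation is the one already described in the thread, a fresh key that has never been authorized anywhere.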
