Hello,
We are in the process of validating a true need for a service to assist teams with crafting and completing successful treasury proposals, so they can focus on building. We would love to hear about your experience with this proposal. If you are willing to take a few minutes, please fill out this form about your experience with the OpenGov treasury proposal process: https://forms.gle/MwDij4adXEQd7Um79
Feel free to leave out any details that your team is not comfortable with sharing, but the more info you can provide, the better we will be able to assess the potential need for our services.
For more info, follow us on Twitter/X: https://twitter.com/OpenGovAssist
I'm curious who votes against this proposal? Guys are you serious? What can be more relevant than improving the ecosystem by connecting it with an army of Ledger users? Treasury spends shitloads of money on some random events and other useless stuff and you are opposing something that's really needed... crazy
Ledger never approves blind signing apps.
Can you please define this as coming from Equilibrium.io, and not Equilibrium.co? Thanks!
@2b5d60f85e9a46189bf66825c It is coming from Equilibrium.io
> The below comment was posted to the discussion post originally. I copied it here to raise the awareness...
As the Cofounder and a DAO member of Phala Network, I fully support this proposal. We all understand the importance of a nice hardware wallet in the Polkadot ecosystem. However, from our perspective the current solution offered by some 3rd party developers cannot fulfill our requirements in a few aspects:
There are security concerns pointed out by the Ledger official and 3rd party developers, especially focused on the blind signing (hash without decoded method names). However, I believe it's already well addressed in Equilibrium's proposal. I'd point out it offers the same level of security as any other Ethereum Dapps. After all, parachains in Polkadot run at the same level of Dapps on Ethereum. To the best of my knowledge, there's no solution for blind signing of customized DApp on any other smart contract chain as well.
Finally, Manta made a really good call. Voters, please listen to the true builders in the ecosystem. We are the ones who want Polkadot to be successful the most.
Makes me wonder why nobody implemented this yet. As you said you can earn up to $100,000 per parachain. Given there are forty of them you can earn $4 million per year.
Really nice of the Equilibrium team to forfeit all the profit and work for the common good.
It is dishonest to say that "Ledger gave the green light" if this app will be only available in developer mode. Which is only available after doing some weird actions:
From the Ledger website:
> To activate the Developer mode in Ledger Live, go to the Settings/About section, and click ten times on the Ledger Live version. This will make the Developer tab appear.
Why is that? Well because this option is not for normal users! This app would contribute to the bashing of the Polkadot ecosystem with bad UX, now it will also add bad security practice and provide a false sense of security to users that will happily get rekt as they won't verify what they are signing.
Strong NAY for me.
I did. What part in particular are you referring to?
@tbaut Buddy, I recommend that you take a closer look at what is written in the team proposal.
@296c319da23d4bffb919e89fc
> But the statement that the app is only available in dev mode is simply untrue.
My bad. Your proposal made me think so, as there is no milestone to actually publish the app, but it is stated several times that it'll be available in dev mode. Having the app published on the normal store is a minimum requirement. From my understanding, this is not a given and Ledger have not accepted to allow blind signing apps in the past.
@5192a8b4fe044eecae94dbdd3
> What kind of Rekt are you talking about?
I'm talking about the rekt by scammers because ppl will sign things they have no clue about. And relying on a hot device to decode the calls is not secure. If you have a hot wallet, ok, but we're talking about a hardware wallet, the security standards need to be high. I guess no security conscious user should use this app. It will give a false sense of security to users.
Hot wallets have been, and will continue to be compromised. You know very well that ppl cannot verify such calls easily, the app effectively makes it harder. Nexus Mutual Founder hacked for 8M$
> The team that proposed this has currently developed one of the best Defi protocols in the ecosystem with the most user-friendly UI.
After trying out the Equilibrium dapp, I'm going to have to disagree here.
It is unfortunate that after the discussion we had at AAG40, you didn't really follow up and provide more detail on your claims.
Unfortunately, we think this proposal not only misrepresents "partnerships", multiple technical aspects and the risk it pushes over users but also misleadingly indicates that Zondax "proposal" is something that someone unrelated to us posted as an opinion!
As discussed during AAG40, this proposal covertly pushes blind signing over the community by forking Zondax app and removing parsing and security checks. The claim of clean signing is just based on not "removing" some code.
For the sake of clarity, we will post a detailed article about this and we invite the broader community to participate on this. A link to Polkadot forum will be provided shortly.
@Zondax Dear Zondax team, your tenacity to discredit our developments in your favor is truly impressive. It's unfortunate that instead of solving hands-on issues of the ecosystem (that include Ledger support for parachain projects primarily) you attempt to play a security theater that factually backs up your personal interests.
We are sure, you know that our team has been constantly talking to Ledger regarding their requirements and there is a clear plan of making our app comply with their security standards. The purpose of this proposal is finalizing these developments according to this plan.
Specifically, the app will allow clear signing for the majority of transactions (including all asset transfers) and hash validations (that never existed in your solution btw). Future developments will significantly expand the list of transactions for clear signing. Simultaneously, blind signing is available only for users who manually enable this function in the app settings. Worth mentioning that overall this approach is identical to what Ethereum currently offers on Ledger.
Probably, the most important thing is that our solution solves the immediate needs of the Polkadot community. Parachain users are suffering from the inability to sign transactions using Ledger, with a bunch of assets stuck there. You had more than enough time and resources to solve these issues but you have never done this. As such, we expect you either to stay apart from this initiative or find a way to contribute positively. Thanks for your understanding.
@tbaut Thank you for your feedback. But the statement that the app is only available in dev mode is simply untrue.
We've been in constant communications with the Ledger team and held multiple calls with them to sync our vision with their requirements. We've concluded with them on several important aspects:
Adding app to the dev mode is a natural part of the process towards new applications to be submitted for Ledger Live. We don't see any contradictions here.
Nano S is a no-go for parachains if you have one app for Polkadot, one app for Kusama and no space left, so why not have a lite application?
That's a great chance for the whole Polkadot ecosystem!
@tbaut Ledger has a neutral stance towards third-party development, but they, like any company, are interested in a quality application for the Polkadot-Kusama ecosystem. The team that proposed this has currently developed one of the best Defi protocols in the ecosystem with the most user-friendly UI. What kind of Rekt are you talking about? If the reputation of the project itself and the team is at stake. A large amount of projects in the ecosystem have already expressed their support and confidence in the launch of this application. It can be seen here: https://polkadot.polkassembly.io/post/1795
@96548ff3d62a4ec1a03db7131 Thanks, I read it. Most of the projects have expressed support, this must be approved by the community.
This is an excellent offer. Such an application is what many users on Polkadot/Kusama and projects have been needing for a long time. I will vote YES. I think we should all support him.
Seems like a good initiative for Ledger users. I'm voting Aye.
I am not a part of the team, but it seems like the proposal is not about removing critical code.
We don't refer to that. We refer to the chat on AAG40 where some strong unsubstantiated claims about security were made.
Also, the point is not on forking Apache 2.0 code! Of course, not!
The point is on taking something designed to be safe, removing critical code, making strong claims and pushing the community towards a solution with significant drawbacks.
It seems that the communication was here: https://polkadot.polkassembly.io/post/1795
And it is very strange to be against forking an application that was made with community money.