From flashbots by socrates1024

by Xyn Sun, Ryan MacArthur, Roshan Palakkal and Andrew Miller

This week we used TEEs to help Azuki carry out a magic show performance livestreamed to Youtube 6 using the Teleport prototype 14. This post outlines the technical implementation behind it.

Background: Bobu the Magnificent’s magic show

Azuki has a character called Bobu that is governed by ERC-1155 tokens, where holders can vote on proposals on how to use the character’s IP. Because Bobu is all about community ownership and co-creation, the magic trick was one where audience volunteers acted as both the magician’s assistants and the rabbit in a hat. Each of the volunteers used their delegated twitter credentials to tweet out collectively, the digital equivalent of a “Flash Mob.” This collective tweet was a twist on our first trick 4 where a Bobu community member was tweeting from Bobu’s account via on-chain interactions (see 2pmflow’s walkthrough post 4 for details).

|441.37057728119186x299731×497 315 KB

Desiderata

Posting from a bunch of Twitter accounts is, on its own, not too demanding of a magic trick. Like many web2 account providers, Twitter allows users to delegate read/write access to third party applications. Volunteers for the show were explicitly invited to opt-in to the show’s app and offer “Read/Write” access. Users had to specifically click “Authorize Bobu to access your account”, post to their account, follow/unfollow, everything.

695×677 58.7 KB

But, Bobu only needs to post one tweet for his magic trick. We don’t need all the rest of the authority that Read/Write gives you. And users don’t like to give this away! This is an instance of “over-authorizing”, and it’s the main problem we use TEE to address.

What’s the worst that could happen?

In a normal Twitter app web service, the app owner retains raw access to the OAuth credentials. Even though the show only wanted to Tweet once, the app owner could hang on to the oauths after the show. They’d be tempted to use the oauths for just one more purpose. Lose them to malware where they’re sold to unscrupulous advertisers. Bots will shill their scam coins from your account and boot misinformation. Like in the $OPENAI hack.