Security

Actions and Blinks are a new way to interact with crypto transactions. They present an array of exciting new opportunities, along with new attack vectors for bad actors. Safety is a high priority for this new technology, and we'll discuss Dialect's approach to security in this section.

With the help of the Solana Foundation and other community members, Dialect maintains a public registry of blockchain links that have been verified as non-malicious as a public good for the Solana ecosystem. As of launch, only Actions that have been registered in the Dialect registry will unfurl in the Twitter feed when posted. Learn how to apply to the registry here.

In the near term, the registry will be managed and hosted at https://dial.to/registry, where developers may register their actions as trusted, and malicious actions will be flagged as blocked.

Why a new registry is needed

Wallet Chrome extensions typically rely on the origin URL of the web page from which a transaction is being created to determine whether that transaction is trustworthy. Actions break this mould, and make it possible, and common, for transactions to come from providers not affiliated with the site.

Registration Status

Wallets and other clients using Dialect's Blinks SDK use the registry hosted at https://dial.to/registry to check URLs in the client, and then render Blinks as one of:

  1. trusted—This action has been registered by the developer and accepted by the registration committee.

  2. blocked—This action has been flagged as malicious by the registration community.

  3. none—The action has not been registered.

Users should still take precaution when executing actions, trusted or otherwise. Even trusted actions may cause unintended consequences—the developer may have bugs in their Action that cause unintended outcomes for users, or their Actions provider may get compromised by a third party.

Wallets that use Dialect's Blinks clients will use this registry under the hood to decide how to render Blinks. They have two options:

  1. Render the Blink with the appropriate registry status, neutral for trusted, yellow with a warning for unregistered actions with status none, and red for blocked actions known to be malicious.

  2. Don't render blinks of specific registry statuses.

Today, Phantom, Backpack, and all known wallets implementing Blinks clients for sites such as Twitter have chosen to implement option two. This is because the most conservative thing a Blinks client can do is to not render a Blink with a none or blocked status. Neither Phantom, Backpack, or Dialect are in the business of deciding what links users can share on an independent site such as Twitter.

Register your Action

Submit your action to the Registry here: https://dial.to/register.

Please complete the following steps to ensure your submission contains accurate information:

Step 1—Your Action Works ✔️

Ensure your Action performs all tasks correctly and reliably. Thoroughly test it to confirm functionality and avoid rejection. You can test your action at dial.to

Step 2—Have a Clear Action Description 📝

Provide a clear, detailed description to expedite the review process. A well-matched description and functionality help reviewers approve your action quickly.

Step 3—Test your Action Thoroughly 🧪

Thoroughly test your action in various environments. Consistency and reliability can speed up approval.

Step 4—Build Secure Actions 🔒

Adhere to best security practices to ensure your action is approved. Prioritize security to protect users and gain approval swiftly.

Step 5—Provide a Valid Contact 📞

Provide accurate contact information for smooth follow-ups and verification. Keeping your contacts updated helps prevent delays.

Step 6— Patience 🙏

We are on a mission to change how experiences are shared on the internet, & are thrilled to have you along for the ride

Currently registration review is a manual process, however, we are working toward a future automated registration review process.

Registry schedule

Thank you for your patience as we work to better automate and decentralize the Actions registry.

Registry submissions may be made at any time. Applications will be approved during business hours in various time zones, Monday through Friday.

Work with us on the Registry

Dialect believes trust is never something that can be managed by a centralized authority. In the long term, we are working to create a more decentralized, community-driven system for trust. If you're interested in working on this with us, reach out to us in our community Discord.

Last updated