Allow off-chain CAPTCHA puzzles

Question

Allow off-chain CAPTCHA puzzles

Closed this issue 2 years ago · 0 comments

Using the example of a faucet contract, the requesting account will not usually have any tokens to submit a captcha solution proof to the chain. Therefore, they need some method by which they can solve a captcha challenge and receive tokens without having to make a transaction.

Off-chain captcha solving essentially extends the scope of the Providers from only web3 to both web3 and web2. A potential user flow could be:

user requests a random Provider from the contract
user requests captcha challenge from the Provider
user sends solution to Provider without on-chain commitment
Provider responds with approval or rejection but does not supply proofs? Perhaps only supplies proof hashes?

The key benefits for the faucet are the distributed nature of the Providers and the random choice being governed by the Protocol contract on-chain. The alternative is forcing traffic through a centralised gateway such as Telegram / Twitter / etc.

Some form of rate limiting would need to be created for these insecure captcha requests. Otherwise, a bot user could simply scrape the Providers' datasets by continually requesting captcha. This scraped data could then be used to learn how to defeat the challenges.