ScalePass is a secure, reputation-based access control layer built on Solana. It leverages FairScale reputation scores to gate access to on-chain rewards and features.
- Frontend: React + Vite + Framer Motion (Glassmorphism UI)
- Backend Proxy: Express + TweetNaCl (Signature Verification)
- Smart Contract: Anchor (Rust)
- Node.js & pnpm
- Rust & Anchor CLI
- Solana Tool Suite
- Install dependencies: `pnpm install`, then `cd server && pnpm install && cd ..`
- Start the backend proxy: `cd server` then `pnpm dev` (server runs on http://localhost:3001)
- Start the frontend: `pnpm dev` (app runs on http://localhost:5173)
- Build the Anchor program: `anchor build`
- Run tests: `anchor test`
- Dynamic Onboarding: Visualizes Bronze/Silver/Gold tiers.
- Secure Verification: Requires wallet signature to prove ownership before fetching reputation.
- On-Chain Gating: Anchor program enforces strict tier checks for reward claiming.
ScalePass uses a ProgramAuthority PDA to whitelist the authorized backend signer:
- PDA seeds: `[b"program-authority"]`
- Stores: `backend_signer` (`Pubkey`)
Why this matters: Prevents anyone from arbitrarily updating user reputation scores. Only the registered backend signer (controlled by the project team) can call update_reputation_tier.
The Express server acts as a secure bridge to the FairScale API:
- Client → Signs message with wallet
- Backend → Verifies signature using `tweetnacl`
- Backend → Fetches reputation from FairScale (API key never exposed)
- Backend → Returns verified data to client
- Client → Displays tier in UI
Key Security Features:
- API keys stored in server-side `.env` (never in client code)
- Signature verification prevents wallet impersonation
- All reputation updates go through authorized backend signer
- Overflow Protection: Reputation scores capped at 1,000,000
- Tier Validation: Score ranges enforced (Bronze: 0-499, Silver: 500-799, Gold: 800+)
- CEI Pattern: Checks-Effects-Interactions ordering prevents reentrancy
- Event Logging: All state changes emit events for audit trails
For detailed security analysis, see SECURITY.md.
See audit-readiness-report.md for a detailed security breakdown.