⚡ April 2026 Hackathon - La Crypta

Verify identity,
kill the scammers

Verifiable profiles with reputation badges on Nostr. Never again will a come empanadas pass themselves off as someone from the community.

🛡️ Security
🛡️ Pentested · 10/10 attacks blocked · NIP-98 enforced

The Problem We Solve

Real scams happen in our community. We stop them with verifiable Nostr identity.

❌ Without Identity Hub

  • Impersonators go undetected
  • Scammers change name slightly and blend in
  • New members can't tell who's legit
  • No way to prove real contributions
  • Come empanadas walk free 🥟

✅ With Identity Hub

  • NIP-05 verified identity (user@lacrypta.ar)
  • Public badge history on Nostr relays
  • Reputation score based on real activity
  • Instant verification of any member
  • Come empanadas = 0 badges, exposed 🚫

Reputation Badges

Earn badges through real participation. Build trust one event at a time.

Attendance

Proof of attendance at La Crypta events. Linked to the POA-HDMP system via NIP-58.

🎤

Speaker

Given a talk or workshop. Verified by event organizers with badge issuance.

👨‍💻

Contributor

Built something for the community. Code, content, tools, or infrastructure.

⚡

Donor

Supported La Crypta via Lightning zaps. Verified through NIP-57 receipts.

✅

Verified Member

Identity confirmed through NIP-05 DNS verification. The base of trust.

Core Member

Long-term contributor with multiple badges. The real cypherpunk jungle animals.

Profile Preview

Members of the community with different reputation levels. Spot the scammer.

🔥
Fierillo
fierillo@lacrypta.ar ✓
24 Events · 🎤 Speaker · 👨‍💻 Contributor · ⚡ Donor · Core
Reputation 97/100

🐺
Negr0
negr0@lacrypta.ar ✓
18 Events · ⚡ Donor · 👨‍💻 Contributor · Core
Reputation 88/100

🦊
Lai
lai@lacrypta.ar ✓
15 Events · 🎤 Speaker · ✅ Verified
Reputation 78/100

🌶️
Kerry_kaberga
kerry_kaberga@lacrypta.ar ✓
6 Events · ⚡ Donor · ✅ Verified
Reputation 55/100

🦍
Agus Gorilla
agus@lacrypta.ar ✓
12 Events · 🎤 Speaker · 👨‍💻 Contributor · ⚡ Donor · Core
Reputation 92/100

⚠️ SPAMMER DETECTED
🚫
Lapija del Negr0
not-verified@fake.com ✗
🚫 0 Events · 🚨 No NIP-05 · 🤡 Come empanadas
Reputation 3/100

💬 Discord Integration

Extend identity verification and reputation badges to Discord. Three modules are ready to drop in; click any card to see the one-step integration.

🤖

Discord Bot Verification

Auto-verify users with Nostr identity. Commands to check profiles and badges in real-time.

/verify satoshi@lacrypta.ar
/profile @user
/check-scammer <pubkey>
⚡ Instant verification · Auto-role assignment · 📊 Live reputation
🔗

Webhook Auto-Sync

Badge changes sync to Discord instantly. User earns a badge → bot updates roles automatically.

🎤 Speaker badge gained
↓
@user gets role "Speaker" in Discord
⚙️ Real-time sync · 🎯 No manual updates · ✨ Seamless UX

Verification on Entry

New members must verify their Nostr identity to access the server. Gatekeeping against scammers.

New user joins → Modal: Verify identity
✅ Has badges → Full access
⚠️ No badges → Read-only
🛡️ Scammer protection · 📜 Verification required · ⚠️ Come empanadas blocked
All three modules share the same Nostr-hub source of truth.
Bot can run standalone; Gate needs the Bot installed first.

🛡️ Security & Pentest

Identity infrastructure is only as trustworthy as its weakest endpoint. This project was pentested before submission, and every CRITICAL and HIGH finding was closed.

10/10 Attack scenarios blocked
0 Critical / High unresolved
NIP-98 Mandatory on write endpoints

🧪 Pentest results: register endpoint

#    Attack                                        Result  Status
A1   Register without Authorization                401     ✓ blocked
A2   Identity hijack (auth pubkey ≠ body.pubkey)   403     ✓ blocked
A3   Body tampering after signing                  401     ✓ blocked
A4   Replay (event older than 60s)                 401     ✓ blocked
A5   Claim reserved name (“admin”)                 403     ✓ blocked
A6   Oversized displayName (200 chars)             400     ✓ blocked
A7   Form-encoded CSRF (simple request)            415     ✓ blocked
A8   IP flood (12 rapid requests)                  429     ✓ throttled
A9   Name starts with “.” (regex bypass)           400     ✓ blocked
A10  Malformed pubkey (not hex-64)                 400     ✓ blocked

NIP-98 Auth

A kind 27235 signed event is required on POST /api/register. The server checks the signature, URL match, method match, body hash, a ±60s replay window, and that event.pubkey === body.pubkey.
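
The checks listed in this card, applied in an order that reproduces the A1 to A4 status codes from the table, as an added example that is not the project's own code. The names `checkNip98` and `toAuthHeader`, the request shape, and the injected `verifySig` callback are assumptions made for illustration.

```javascript
const { createHash } = require("node:crypto");

const sha256hex = (s) => createHash("sha256").update(s).digest("hex");
// NIP-01 event id: sha256 of the canonical serialization of the signed fields.
const eventId = (e) =>
  sha256hex(JSON.stringify([0, e.pubkey, e.created_at, e.kind, e.tags, e.content]));
const tag = (e, name) => (e.tags.find((t) => Array.isArray(t) && t[0] === name) || [])[1];
// Helper for building sample requests: NIP-98 sends the event base64-encoded.
const toAuthHeader = (ev) => "Nostr " + Buffer.from(JSON.stringify(ev)).toString("base64");

// req = { method, url (absolute, as the server sees it), headers, rawBody }.
// verifySig(event) -> boolean is injected (assumption): Node's stdlib has no
// BIP-340 Schnorr, so a real server passes a library verifier here.
function checkNip98(req, verifySig, nowSec = Math.floor(Date.now() / 1000)) {
  const deny = (status, error) => ({ status, error });
  const m = /^Nostr (.+)$/.exec(req.headers.authorization || "");
  if (!m) return deny(401, "missing NIP-98 Authorization header"); // A1
  let ev;
  try {
    ev = JSON.parse(Buffer.from(m[1], "base64").toString("utf8"));
  } catch {
    return deny(401, "undecodable auth event");
  }
  if (!ev || !Array.isArray(ev.tags) || ev.kind !== 27235)
    return deny(401, "not a kind 27235 event");
  // The id binds every signed field; the signature binds the id to the pubkey.
  if (ev.id !== eventId(ev) || !verifySig(ev))
    return deny(401, "bad event id or signature");
  // A non-integer created_at would make the comparison NaN and slip through.
  if (!Number.isInteger(ev.created_at) || Math.abs(nowSec - ev.created_at) > 60)
    return deny(401, "outside the ±60s window"); // A4
  if (tag(ev, "u") !== req.url || tag(ev, "method") !== req.method)
    return deny(401, "URL or method mismatch");
  if (tag(ev, "payload") !== sha256hex(req.rawBody))
    return deny(401, "body hash mismatch"); // A3
  let body;
  try {
    body = JSON.parse(req.rawBody);
  } catch {
    return deny(400, "invalid JSON body");
  }
  if (!body || body.pubkey !== ev.pubkey)
    return deny(403, "auth pubkey differs from body.pubkey"); // A2
  return { status: 200, pubkey: ev.pubkey };
}
```

The body hash is checked against the raw bytes before the JSON is parsed, so a tampered body is rejected as 401 without its contents ever being interpreted.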

⏱️

Rate limiting

Sliding window: 10 reqs / 10 min per IP and 3 registrations / hour per pubkey. Kills automated squatting.

🚫

Reserved names

24 protected handles: admin, root, lacrypta, satoshi, support, api… full list in SECURITY.md.

Input caps

Strict regex on name, 64-char hex pubkey, displayName ≤ 64 chars, body ≤ 2 KB. Content-Type must be application/json.

🛡️

HTTP hardening

CSP, HSTS (2y preload), X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy, Permissions-Policy. Cache-Control: no-store on every API response.

📦

Supply chain

nostr-tools pinned to exact 2.7.2 (no caret). ADMIN_KEY compared with crypto.timingSafeEqual. Planned: bundle crypto deps with Vite.

📄 Read full pentest · 🔒 Security policy

Create Your Profile

Connect your Nostr identity and start building reputation.

@lacrypta.ar

2-32 chars, lowercase. This becomes your verifiable handle.

Your NIP-05 will be served from /.well-known/nostr.json so any Nostr client can verify you.

Community Directory

Verified members of La Crypta with their reputation badges.

Verify a Member

Check if someone is really who they claim to be.