James
@theref
1/9 Mini-App Decentralisation Check: QR Coin

Today I'm looking at https://qrcoin.fun by @jake

If you haven't seen it: it's a daily auction where the winner decides where a permanent QR code points for 24h.

This isn't an audit, just a decentralisation check. What's onchain? What's not? Where's the trust?
1 reply
5 recasts
10 reactions
James
@theref
2/10 The Good and the Bad

**Good:**
- Verified smart contract
- Onchain URL logic
- Public builder

**Tradeoffs:**
- Closed frontend
- Owner + whitelist control

Let's dig in...
1 reply
0 recast
2 reactions
James
@theref
3/10 What's onchain, what's not

Onchain on Base:
- Auction logic: time extension, refunds, etc.
- Bids in USDC
- Winning URL is stored in contract state

Offchain:
- QR redirects
- Viewer rewards
- Whitelist of addresses that can settle the auction
1 reply
0 recast
2 reactions
James
@theref
4/10 What's under the hood?

Each bid includes a destination URL. When the auction ends, a whitelisted address (a "settler") calls a function to:
- Set the winning URL onchain
- Start the next auction

This is all handled in a verified contract: https://basescan.org/address/0x6207674cc6db2687308f1fb37df1c7b8990c199b
1 reply
0 recast
2 reactions
James
@theref
5/10 The onchain logic is solid, however...
- Only pre-approved (who??) addresses can settle
- The contract is upgradeable by a single owner
- No multisig, no DAO, no clear off-ramp from central control

So the mechanics are good, but control is centralized.
1 reply
0 recast
2 reactions
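To make the trust points from posts 4/10 and 5/10 concrete, here is a hypothetical Solidity sketch of the settler-whitelist pattern the thread describes. It is an added illustration, not the QR Coin contract (which is not reproduced on this page): every name, the storage layout and the omission of USDC escrow, refunds and time extension are assumptions, and the comments mark where control sits and what a permissionless alternative looks like.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch of an owner + settler-whitelist auction.
// NOT the QR Coin contract; names and layout are assumptions.
// USDC escrow, refunds and bid-time extension are omitted.
contract SettlerControlledAuction {
    address public owner;                      // trust point 1: single owner, no multisig
    mapping(address => bool) public isSettler; // trust point 2: who may settle is owner-chosen
    string public winningUrl;                  // the onchain state the QR frontend should read
    uint256 public auctionEnd;
    uint256 public constant DURATION = 24 hours;

    struct Bid { address bidder; uint256 amount; string url; }
    Bid public highestBid;

    event Settled(address indexed settler, string url);

    modifier onlyOwner()   { require(msg.sender == owner, "not owner"); _; }
    modifier onlySettler() { require(isSettler[msg.sender], "not settler"); _; }

    constructor() {
        owner = msg.sender;
        auctionEnd = block.timestamp + DURATION;
    }

    // The owner alone decides who can settle; this is the whitelist the thread asks about.
    function setSettler(address who, bool allowed) external onlyOwner {
        isSettler[who] = allowed;
    }

    // Each bid carries the destination URL the winner wants the QR code to resolve to.
    function bid(uint256 amount, string calldata url) external {
        require(block.timestamp < auctionEnd, "auction ended");
        require(amount > highestBid.amount, "bid too low");
        highestBid = Bid(msg.sender, amount, url);
    }

    // Liveness depends on the whitelist: if no settler calls this, the URL never changes
    // and the next auction never starts, even though the onchain logic itself is sound.
    function settle() external onlySettler {
        require(block.timestamp >= auctionEnd, "auction not ended");
        winningUrl = highestBid.url;
        delete highestBid;
        auctionEnd = block.timestamp + DURATION;
        emit Settled(msg.sender, winningUrl);
    }

    // Permissionless variant: the same body without onlySettler lets anyone settle once
    // the auction has ended, removing the liveness dependency on owner-approved addresses.
}
```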
James
@theref
6/10 The frontend is a single point of failure

The QR points to a frontend that queries the contract + redirects users. But:
- It's closed source (so I'm assuming some stuff)
- If it stops respecting the contract, the whole thing falls apart
- No insight into how rewards are distributed
1 reply
0 recast
2 reactions