pitch: enforce round to rely on project registry for data

[thelostone-mc]

Problem

The current process for applying to a round lacks proactive security measures, relying solely on off-chain verification. This approach leaves room for smart individuals to bypass the verification and apply dishonestly.

Why was it built this way?
The decision to rely on off-chain verification was made to support the use of a registry on a different chain than the round. Requiring project owners to synchronize their projects across multiple registries on every chain was deemed excessive. Although cross-chain adapters could potentially address this, the adoption and maturity of such technology remain limited.

Problems it has caused:

• Inability to ensure that only the project owner has applied to the round.
• Difficulty in storing project-specific data that can be accessed and reused by the round contract without duplicating the information (see issue update the author name to proper format #31 on GitHub).

What are we trying to solve?
We aim to address the following challenges:

• Ensure on-chain storage of project-related information, such as the project wallet address, in the registry.
• Enable the round contract to fetch this information reliably from the registry.
• Implement measures to ensure that only the project owner can apply to a round for their specific project.

[0xKurt]

Enable the round contract to fetch this information reliably from the registry.

Since we aim to allow multichain applications, achieving this may not be possible.
I suggest that projects only apply through a trusted source such as the registry or a (Allo) cross-chain contract. We could keep the application-snapshot concept and allow applications only through the trusted source and store the actual snapshot of all relevant data in the round contract.

[thelostone-mc]

Agreed! I'd say for the current pitch/problem we are trying to solve we limit the scope to assume the registry to be the trusted source
In follow-up scope -> we look at cross-chain contract
The source of truth would be the registry and the application would store a snapshot of the relevant data."

[thelostone-mc]

The scope here would involve :

• Adding a function on Registry for applyToRound (can be invoked only by owner)
• Ensuring only the approved registry can invoke the RoundImplementation (fetched from AlloSettings)
• Removing duplicate applications from the same Round and instead relying on toggling status