Inspiration

Aleo must balance privacy with compliance: there is a tension between shielded transactions and on-chain AML. We expect dApps to inevitably hit KYC requirements. Verifaleo centralizes that: a single address-bound check you can carry anywhere. Rather than every dApp or wallet running its own KYC flow, you call our verify(address) endpoint to see if an address has valid KYC and immediately unlock your app’s UX.

What it does

Two main flows make up the Verifaleo protocol.

User Application Flow

  1. Connect: User links their Aleo wallet to https://verifaleo.vercel.app/.
  2. KYC: We “white-label” Sumsub’s flow (and can integrate others) for country selection, document upload, etc.
  3. Mint: On success, we mint a soulbound ARC-721 NFT to the user’s address.
       • Untransferable (so it truly “binds” to that address)
       • Expires after 6 months (via block-based timestamp)
  4. Indexing: Once minted, this token becomes discoverable via our verification API.

dApp/Wallet Verification API Flow

  • Any integrator calls: https://verifaleo.vercel.app/api/verify?wallet=<aleo-address or ANS name>
  • Returns a simple JSON payload: KYC status, expiration timestamp, and (optionally) KYC level or provider metadata.
{"verified":true,"expirationBlock":12766086,"ownerId":"6343611107927098604630691271078901602104165424204935641345654800195321857336field"}
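
An added example (not Verifaleo's own code) of how an integrator could consume this response defensively: strict type checks on the three fields shown above, plus an expiry comparison against a block height the integrator obtains itself. The function names, the `ownerId` pattern (inferred from the single sample), the independent `currentBlock` source, and treating the expiration block itself as already expired are assumptions.

```javascript
// Added example: integrator-side handling of the verify response (not Verifaleo's code).
const VERIFY_ENDPOINT = "https://verifaleo.vercel.app/api/verify"; // from the page

// Response shown on the page, reused here as offline sample input.
const SAMPLE = {
  verified: true,
  expirationBlock: 12766086,
  ownerId: "6343611107927098604630691271078901602104165424204935641345654800195321857336field",
};

function deny(reason) {
  return { allow: false, reason, blocksLeft: 0 };
}

// The wallet value (address or ANS name) is user input: encode it, never concatenate.
function buildVerifyUrl(wallet) {
  const url = new URL(VERIFY_ENDPOINT);
  url.searchParams.set("wallet", wallet);
  return url.toString();
}

// Fail closed: malformed, unverified, or expired responses never unlock anything.
// currentBlock is assumed to come from the integrator's own node or explorer,
// so expiry is not taken on the API's word alone.
function evaluateKyc(payload, currentBlock, minBlocksLeft = 0) {
  if (payload === null || typeof payload !== "object") return deny("malformed response");
  if (payload.verified !== true) return deny("not verified"); // rejects "true", 1, etc.
  if (!Number.isSafeInteger(payload.expirationBlock) || payload.expirationBlock < 0) {
    return deny("bad expirationBlock");
  }
  // Assumed format: decimal digits followed by the literal suffix "field".
  if (typeof payload.ownerId !== "string" || !/^\d+field$/.test(payload.ownerId)) {
    return deny("bad ownerId");
  }
  if (!Number.isSafeInteger(currentBlock)) return deny("unknown current block");
  const blocksLeft = payload.expirationBlock - currentBlock;
  if (blocksLeft <= minBlocksLeft) return deny("expired or expiring");
  return { allow: true, reason: "ok", blocksLeft };
}

// Network wrapper: any transport or parse error is treated as "not verified".
async function checkWallet(wallet, currentBlock) {
  try {
    const res = await fetch(buildVerifyUrl(wallet));
    if (!res.ok) return deny("http " + res.status);
    return evaluateKyc(await res.json(), currentBlock);
  } catch (err) {
    return deny("request failed");
  }
}
```

Passing a non-zero `minBlocksLeft` lets an app prompt for re-verification before the credential lapses mid-session.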

Security Model

  • Soulbound NFT: No transfers → KYC can’t “move” to another address.
  • Single Deployer: Only our dedicated key can mint, preventing spoofing.
  • Expiry: 6-month block timestamp forces re-verification.

“Couldn’t I Just Sell My KYC’d Address?”

Yes—only by giving away your private keys, which defeats wallet security entirely. Plus, each NFT’s metadata can include:

  • kyc_level (basic, intermediate, enhanced)
  • provider (Sumsub, Onfido, etc.)

How we built it

  1. Core contract/program: Forked ARC-721, stripped out transfers, restricted mint to our deployer.
  2. Frontend/API:
       • Wallet connection (Aleo+ANS)
       • Sumsub KYC integration
       • Minting pipeline & proof polling (proving currently takes up to 5 mins)
       • Verification API & gallery display

Challenges we ran into

  • Provider Access: Securing sandbox only; awaiting production keys from Sumsub and EnTrust (Onfido).
  • Proving Latency: On-chain proof generation can take up to 5 minutes. Exploring “proving-as-a-service” to speed it up.

Accomplishments that we're proud of

  • MVP End-to-End: KYC → mint → verify works seamlessly.
  • Standards & Integrations: Leveraged ARC-721 and Aleo Name Service to maximize composability.

What we learned

  • Deep dive into Leo & Aleo’s dev lifecycle.
  • Importance of balancing privacy, UX, and on-chain compliance.

What's next for Verifaleo (Take your KYC anywhere)

  • Partnerships: DEXs, wallets, and other privacy dApps to adopt our API.
  • Sustainable Model: Define per-user or per-mint fees to cover KYC provider costs.
  • Rich Attestations: Expand NFT metadata—risk scores, multi-provider attestations, tiered KYC levels
