So I put together a sample Solidity contract where whoever connects to .... gets reward.
I have this function called reward. This worked fine. Except, this function is not secure. Anyone can write a front end and drain all the funds available in the contract. But if I restricted this function with require only owner, then my design would not work.
What did I miss?
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Reward {
    // As posted: no access control at all, so any caller can move the
    // whole balance to an address of their choosing.
    function reward(uint amount, address payee) public {
        require(
            address(this).balance >= amount,
            "Not enough eth in the contract"
        );
        payable(payee).transfer(amount);
    }
}
If you want only people who use your frontend to be able to claim the reward, you will need to somehow verify that they came from your front end.
In terms of the contract logic, they could submit a signature that you give them from your backend as verification that they use your frontend.
But then you also have to worry about people bypassing your frontend and making calls to your backend themselves.
Regardless, to do something like this, you need some sort of central management to verify people are using your frontend. Also, remember people can deconstruct any logic you put on your frontend on their device, so in theory you would need some backend to verify this. The blockchain has no conceptualization of where users call into it from, nor should it.
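The backend-signed voucher pattern the answer describes, written out as an added example that is not part of the question or the answer. It assumes the backend holds a private key whose address is passed to the constructor as `signer`; the contract name, the `voucherId` field and the event are also assumptions. A payout is only released when the backend has signed a hash of (chain id, contract address, payee, amount, voucher id), each voucher can be redeemed once, and high-s signatures are rejected so the same signature cannot be presented in two forms.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not from the original post: rewards are gated on a
// signature from an off-chain backend key instead of on msg.sender.
contract SignedReward {
    address public immutable signer;          // backend signing key's address (assumed)
    mapping(bytes32 => bool) public used;     // voucher ids already redeemed (replay protection)

    // secp256k1 curve order / 2: signatures with s above this are rejected
    uint256 private constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    event Rewarded(address indexed payee, uint256 amount, bytes32 voucherId);

    constructor(address signer_) {
        require(signer_ != address(0), "signer required");
        signer = signer_;
    }

    // Accept ETH to fund rewards.
    receive() external payable {}

    // Hash the backend must sign. Binding to chainid and this contract's
    // address stops a voucher issued for one deployment being replayed on another.
    function voucherHash(address payee, uint256 amount, bytes32 voucherId)
        public view returns (bytes32)
    {
        return keccak256(abi.encode(block.chainid, address(this), payee, amount, voucherId));
    }

    // Recover the signer of an EIP-191 prefixed hash, i.e. the format produced
    // by personal_sign / ethers signMessage when given the 32-byte digest.
    function recoverSigner(bytes32 digest, bytes memory sig) internal pure returns (address) {
        require(sig.length == 65, "bad signature length");
        bytes32 r;
        bytes32 s;
        uint8 v;
        assembly {
            r := mload(add(sig, 32))
            s := mload(add(sig, 64))
            v := byte(0, mload(add(sig, 96)))
        }
        if (v < 27) v += 27;
        require(v == 27 || v == 28, "bad v");
        require(uint256(s) <= HALF_N, "malleable s");
        bytes32 prefixed = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", digest));
        address recovered = ecrecover(prefixed, v, r, s);
        require(recovered != address(0), "invalid signature");
        return recovered;
    }

    // Anyone may submit the transaction, but the payout only happens if the
    // backend signed exactly this (payee, amount, voucherId) tuple.
    function reward(uint256 amount, address payee, bytes32 voucherId, bytes memory sig) external {
        require(!used[voucherId], "voucher already used");
        require(address(this).balance >= amount, "Not enough eth in the contract");
        bytes32 digest = voucherHash(payee, amount, voucherId);
        require(recoverSigner(digest, sig) == signer, "voucher not signed by backend");
        used[voucherId] = true;               // effect before interaction
        (bool ok, ) = payable(payee).call{value: amount}("");
        require(ok, "transfer failed");
        emit Rewarded(payee, amount, voucherId);
    }
}
```

This moves the trust question off-chain, which is exactly the answer's point: the contract can now only be drained by whoever controls the backend key, so the backend must decide who is handed a voucher (and that key must be kept out of the frontend bundle). The `used` mapping means a leaked or reused voucher pays out at most once, and the chain id and contract address in the hash keep a voucher from a test deployment from being redeemed on mainnet.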