Inspiration

A few months ago, a friend of mine spent three weeks waiting for a single email from a university registrar — just to confirm that his degree was real. The employer had already made a verbal offer. The offer lapsed before the verification came back. That moment stuck with me. We live in a world where you can transfer money across continents in seconds, prove identity with a fingerprint, and stream 4K video to a phone in your pocket, yet verifying that someone graduated from a university still depends on a PDF, a stamp, and a slow email chain. This is not a developing-world problem. It is a trust infrastructure problem. Every country, every employer, every institution operates on the implicit assumption that certificates are genuine, while simultaneously having no reliable, fast, open mechanism to actually check. When I learned about Soulbound Tokens (the idea, introduced by Vitalik Buterin in 2022, of NFTs that are permanently tied to a wallet and cannot be transferred), I immediately saw the fit. A credential is not an asset you trade. It is a fact about you. It should live where you live, follow you wherever you go, and be provable to anyone without asking permission from any institution. That conviction became Credencea.

What it does

Credencea lets universities and schools issue degree certificates as Soulbound Tokens on Ethereum: non-transferable NFTs permanently tied to a graduate's wallet. Each certificate is rendered as a real parchment-style image, uploaded to IPFS, and minted on-chain with a unique ID like MIT-0042. A student shares a link or shows a QR code. An employer opens it and knows in under a second whether it is genuine or revoked: no email, no phone call, no third-party service. The blockchain is the registrar. Institutions get a dashboard to issue and manage credentials. Students get a portfolio of everything ever issued to their wallet, with a downloadable certificate image. Anyone in the world can verify without an account.

How we built it

The contract is Solidity 0.8.24, inheriting ERC-5192 for soulbound semantics and OpenZeppelin's security stack for everything else. Eight security controls (reentrancy guards, a pausable emergency stop, rate limiting per institution, a 30-day revocation window, two-step ownership transfer) are in place before a single certificate can be minted. The contract is deployed on the Ethereum Sepolia testnet. The frontend is React 18 with TypeScript, Vite, and Tailwind CSS v4. Wallet connection goes through Reown AppKit. Contract calls go through Ethers.js v6. When an institution issues a certificate, the frontend uses html2canvas to render the parchment design into a PNG off-screen, uploads it to IPFS via Pinata, then uploads an OpenSea-compatible metadata JSON pointing at that image, so the token works on any NFT marketplace out of the box and students can download their certificate as a real file.

Challenges we ran into

The technical problem was getting html2canvas to capture fonts correctly in an off-screen element. The certificate uses serif fonts loaded from Google Fonts, and html2canvas captures what the browser has actually rendered: if the fonts haven't loaded yet, you get fallback Arial in the PNG. The fix was to await document.fonts.ready before triggering the capture. The design problem was the revocation window. Unlimited revocation is an abuse vector: a compromised institution key could erase every credential it ever issued. A hard cutoff with no override is too rigid. The solution mirrors real legal frameworks: a default 30-day window, an owner override for exceptional cases, a force-revoke for situations where a court demands action. The right answer was already in the world, just not on a blockchain yet. Then there was the wallet loss problem. Soulbound means non-transferable, which is the whole point — but it also means a lost seed phrase is a lost degree. Building the two-step recovery mechanism (institution requests, 48-hour cooldown, then executes) without weakening the soulbound guarantee took three full rewrites of the contract.
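The revocation window and the two-step recovery described above can be written down as a small off-chain reference model, useful as a test oracle when checking the timing rules of a contract. This is an added example, not Credencea's contract code; the class, method and role names are hypothetical, and it assumes the owner override simply bypasses the 30-day window (force-revoke is left out).

```typescript
// Added reference model, NOT the project's Solidity. Names and roles are assumptions.
const DAY = 86400;                       // seconds
const REVOCATION_WINDOW = 30 * DAY;      // from the page: default 30-day window
const RECOVERY_COOLDOWN = 48 * 3600;     // from the page: 48-hour cooldown

type Role = "institution" | "owner";
interface Cert { holder: string; issuedAt: number; revoked: boolean; }
interface Recovery { newHolder: string; requestedAt: number; }

class CredentialModel {
  private certs = new Map<string, Cert>();
  private pending = new Map<string, Recovery>();

  issue(id: string, holder: string, now: number): void {
    if (this.certs.has(id)) throw new Error("duplicate id");
    this.certs.set(id, { holder, issuedAt: now, revoked: false });
  }

  // The institution may revoke only inside the window; the owner override ignores it.
  revoke(id: string, role: Role, now: number): void {
    const c = this.get(id);
    if (c.revoked) throw new Error("already revoked");
    if (role === "institution" && now > c.issuedAt + REVOCATION_WINDOW)
      throw new Error("revocation window closed");
    c.revoked = true;
  }

  // Step 1: record the request. The credential stays bound to the old wallet.
  requestRecovery(id: string, newHolder: string, now: number): void {
    if (this.get(id).revoked) throw new Error("revoked");
    this.pending.set(id, { newHolder, requestedAt: now });
  }

  // Step 2: only after the cooldown does the credential re-bind to the new wallet.
  executeRecovery(id: string, now: number): void {
    const r = this.pending.get(id);
    if (!r) throw new Error("no pending recovery");
    if (now < r.requestedAt + RECOVERY_COOLDOWN) throw new Error("cooldown active");
    this.get(id).holder = r.newHolder;
    this.pending.delete(id);
  }

  holderOf(id: string): string { return this.get(id).holder; }
  isRevoked(id: string): boolean { return this.get(id).revoked; }
  private get(id: string): Cert {
    const c = this.certs.get(id);
    if (!c) throw new Error("unknown id");
    return c;
  }
}
```

Because every method takes the current time as an argument, the boundary cases (one second before the cooldown ends, one second after the window closes) can be checked deterministically.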

Accomplishments that we're proud of

The certificate looks like a real certificate. That sounds small, but it matters: a student should feel something when they open their credential, not stare at a JSON blob. Getting the parchment design, the serif typography, the double-rule border, the gold ornaments, and the institution seal rendered correctly into a downloadable PNG and then minted as the actual NFT image was the detail that made everything feel real. The user experience is seamless, from institution dashboards for bulk issuing to student verification pages that work. The soulbound nature ensures credentials stay with their rightful owners, and our QR code system makes verification as simple as scanning a code. Plus, it's all open-source and ready for real-world adoption.

What we learned

Writing a working smart contract and writing a secure smart contract are very different things. Every function that changes state is an attack surface. The first version had none of the security controls. Adding them one by one and understanding why each one exists was the most valuable part of the build. Certificate design was also new to us: we had to design it, render it on the certificate page, and push it to IPFS through Pinata. The current certificate is not perfect yet, but it is presentable.

What's next for Credencea

Bulk issuance via CSV upload: universities graduate hundreds of students at once, not one at a time. A LinkedIn share button that pre-fills the credential details. Multi-chain deployment on Polygon or Base for near-zero gas costs. Account abstraction so students never need to hold ETH. Multi-sig wallets for institutions so no single key can issue or revoke unilaterally. And eventually, a public graduate directory: opt-in, wallet-signed, searchable by name or degree. A place where credentials live in the open, permanently, without anyone's permission to keep them there.
