scrtlabs / Grants

Repository for grant proposal submissions

CoinFabrik | Scout for Secret Network | First static analyzer for Smart Contract vulnerabilities #155

Open rialalejo opened 7 months ago

rialalejo commented 7 months ago

Scout - CoinFabrik

Project Description

We want to build Scout, Secret Network’s first static analyzer for smart contract vulnerabilities. Our development includes:

Problem / Solution

In 2023 alone, over $1.8 billion in crypto funds were lost due to hacks and scams in the Web3 ecosystem. The primary resource currently used to mitigate this risk is manual audits. However, they are costly and time-consuming. Therefore, it is essential for developers to produce high-quality, security-conscious code.

At CoinFabrik, where we engage in both auditing and development of crypto projects, we understand this issue firsthand. This is why we created Scout, a vulnerability detection app, a static analyzer designed to assist developers and auditors in identifying potential security threats and to encourage the application of best practices during development.

Detailed product description

With the help of the Web3 Foundation, Aleph Zero, and Stellar, we've built an app with security detectors for a list of prioritized vulnerabilities, which are implemented as lints, for Ink! and Soroban. The app is already being used by developers of both communities to build more secure smart contracts. We want to extend it to help Secret Network developers too.

Scout is built on top of a static analyzer that interfaces with the Rust compiler, providing access to the High-Level Intermediate Representation and the Mid-Level Intermediate Representation. These capabilities enable the accurate detection of many vulnerabilities. The lints are specifically designed to identify certain types of vulnerabilities. Each lint is pre-compiled separately and then run at contract compilation time, making it straightforward for contributors to add their own detectors. We have further made contributions to the project that allow us to work on the output, generating PDF reports, dynamic HTML, and Markdown.

The VSCode extension utilizes the CLI and, once executed, highlights the code segments that contain vulnerabilities. Additionally, it provides an explanation of the bug along with suggestions for resolving it.

The project has an integration testing suite that tests all detectors against a growing set of examples, always raising the precision of the tool and making sure it works properly.

Scout is an open-source tool currently available on GitHub for Polkadot’s ink! (scout-ink) and Stellar’s Soroban (scout-soroban). The implementation of Scout for Secret Network will follow the same roadmap as with these other blockchains, building on top of the scout-audit core implementation.

Tool Architecture Diagram

Scout Architecture Diagram

Go-to-Market plan

Stage 1 - Build it

Build the tool and make it available for early adopters to give feedback and recommendations on improvements and future detectors.

Stage 2 - Community Adoption

Active participation on Secret Network forums including new vulnerabilities and best practices to Scout and encouraging the community to do so as well through our contribution guidelines.

Upon Scout for Secret Network's public release, we will promote the tool on social media and perform an open webinar, showing the usage of the tool to the community.

We will also post an article on detection of vulnerabilities in Secret Network smart contracts, to be published in the CoinFabrik blog. We will contact audit companies from the ecosystem to help them include Scout in their process and gather recommendations for new detectors and improvements.

We will partner with the Secret Network marketing team to promote the tool and its use for developing safer smart contracts on the Secret Network.

Stage 3 - Community driven growth

Community continues to improve the tool.

Further grants to extend Scout capabilities on Secret Network.

Value capture for Secret Network ecosystem

Our tool will serve as a valuable resource for discovering security bugs for developers in the Secret Network ecosystem for several reasons.

  1. Firstly, it will aid smart contract developers during the development process by helping them avoid common security issues and adhere to best practices. We will provide integration with widely-used Integrated Development Environments (IDEs), such as VSCode. We will also provide a GitHub action that will allow developers to run Scout on every Secret Network smart contract project pull request, ensuring a security assessment is available for the reviewer.

  2. We also plan to build a comprehensive knowledge base about security issues in Secret Network, which will include a list of vulnerability classes, descriptions, examples, and methods to avoid them.

  3. Furthermore, our tool is open source and will feature clear documentation and contribution guidelines, enabling others to add their detectors and enhance the tool's capabilities.

  4. Lastly, by making it easier to detect and fix an increasing number of security issues, our tool will raise the complexity threshold in Secret Network for potential attacks.

Team members

Team Website

Team's experience

CoinFabrik is a research, auditing and development company specialized in Web3, with a strong background in cybersecurity. Founded in 2014, we have worked on over 200 blockchain-related projects, EVM-based and also for Solana, Algorand, and Polkadot. We offer security audits through a dedicated in-house team of senior cybersecurity professionals, currently working on code in Rust, Solidity, Clarity, and TEAL.

Our team has an academic background in computer science and mathematics, with work experience focused on cybersecurity and software development, including academic publications, patents turned into products, and conference presentations. Furthermore, we have an ongoing collaboration on knowledge transfer and open-source projects with the Universidad de Buenos Aires.

Team Code Repos

Team LinkedIn Profiles

Development Roadmap

We will require 8 weeks to complete this project.

We intend to have 2 developers full-time, a part-time Technical Lead and a part-time Project Manager, at a total cost of $60,000.

Milestone 1: Research & Proof of Concept (30K USD)

(4 weeks) Deliverables:

Milestone 2: Prototype (30K USD)

(4 weeks) Deliverables:

Integrated functionalities from Scout core:

Additional Information

CoinFabrik page | https://www.coinfabrik.com/
Scout page | https://www.coinfabrik.com/products/scout/
Scout for ink! GitHub | https://github.com/CoinFabrik/scout
Scout for ink! Docusaurus Documentation | https://coinfabrik.github.io/scout/
Scout for Soroban GitHub | https://github.com/CoinFabrik/scout-soroban
Scout Audit GitHub | https://github.com/CoinFabrik/scout-audit
Twitter | https://twitter.com/coinfabrik