ton-society / grants-and-bounties

TON Foundation invites talent to imagine and realize projects that have the potential to integrate with the daily lives of users.
https://ton.org/grants
313 stars 137 forks source link

Upgrade Misti with Advanced Tact Detectors #777

Open jubnzv opened 2 months ago

jubnzv commented 2 months ago

Summary

Enhance Misti with more powerful Tact detectors to promote security best practices in the ecosystem.

Context

Misti is a static analyzer for the TON blockchain supported by the TON Foundation. Version 0.1 introduced the core of the analyzer, comprehensive documentation, and five detectors. The next minor release, version 0.2, introduced five more detectors, along with various improvements and fixes that enhance the tool's integrability, including the development of the Blueprint plugin. Version 0.3 was published in order to support Tact 1.5 and introduce 5 more detectors and API changes used in custom detectors. Version 0.4 will result after testing the analyzer on real-world contracts, includes 5 new detectors and the GitHub actions integration.

Thus, Misti will support 20 Tact detectors when starting working on this grant described here: https://nowarp.io/tools/misti/docs/detectors.

Planned Improvements

In the next 0.5 version, the focus will be on more powerful Tact security checks. The roadmap includes:

Note that the implementation of the suggested detectors is more complex than most of the detectors that have already been introduced. It will take more time to develop these, and it might require changes in the analyzer's internals.

Other planned detectors are included in the 0.5 roadmap. Detectors may be changed or added based on ecosystem needs and project constraints, but there will be at least ten.

Milestones

  1. Implement at least 10 new detectors along with the required improvements to the Tact compiler API as described above.
  2. Write a blog post on security risks in Tact. A blog post will be written addressing Tact's security issues, focusing on the problems Misti addresses. It will showcase some Tact issues and offer recommendations on how to mitigate them using the tool.
  3. Report grant results.

Key Contributions

Next Plans

The next priority will be FunC support in the following release. This release will make Tact support strong enough to focus on Func in the subsequent months. The decision was made to prioritize it over other tasks to increase community engagement.

References

Estimate suggested reward

10,000 USD in TON equivalent.

Estimated completion date: November 15, 2024. This is subject to change based on the Tact release cycle and the grant application process. But delays should not exceed a few weeks.

UPD: Adjusted the estimated completion date according to the new Tact 1.6.0 release date. UPD: Updated the roadmap. The next version number will be 0.4, as we need to release an additional minor version to support Tact 1.5, resolving this issue: https://t.me/misti_dev/105 UPD: 0.4 will be released before this in order to implement the Misti GitHub action and support more required features

anton-trunov commented 2 months ago

The Misti static smart-contract analyzer, despite its early stage of development has already found critical issues in soon-to-be released projects written in Tact. I'm all for supporting this project to make it even better! And it also has great potential to also support FunC.

jubnzv commented 1 month ago

I have split it into two milestones: v0.5 and v0.6. We need this in order to release Misti 0.5, containing the current progress, right after the Tact 1.6 release.