Please describe your proposed solution.
Target Market
With over a thousand projects currently in the Cardano ecosystem and many more in the works, there will be no shortage of users. The Cardano Foundation recognized the power of this model in August 2021 by teaming with HackerOne to provide bounties for security vulnerabilities within the Cardano codebase.
<https://cardanofoundation.org/en/news/bug-bounty-program-with-hackerone-announced-for-cardano%E2%80%99s-blockchain/>
Extending this capability to all Cardano projects through a simple-to-use website just makes sense.
Website Details
User Identity
The website will allow a user to connect their Cardano wallet to the site. Without a wallet connection, the site will be read only. Once a wallet is connected, it will act as the user’s login/identity and the site will no longer be read only. The user will have the option to attach an alias, small avatar, an email, and a website URL to their wallet. If they add this additional data, then they will be required to sign arbitrary data with their wallet before they can log into the site. The resulting signature will then be verified to confirm or deny the user’s login.
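The sign-to-login step described above can be sketched as a challenge-response exchange in which the "arbitrary data" is a server-issued, single-use, expiring nonce. This is an added example, not code from the proposal or the project: raw Ed25519 from Node's `crypto` module stands in for the wallet's signature format, and the origin, message layout, TTL and all function names are assumptions.

```javascript
// Added example, not project code. Raw Ed25519 from Node's crypto module
// stands in for the wallet's signature format; all names are hypothetical.
const { createHash, randomBytes, sign, verify } = require("node:crypto");

const SITE_ORIGIN = "https://bounties.example"; // placeholder origin
const CHALLENGE_TTL_MS = 5 * 60 * 1000;          // assumed challenge lifetime
const pending = new Map();                        // nonce -> { walletId, expiresAt }

// Assumption: the wallet identity is a hash of its public key, so the server
// can check that the presented key really belongs to the claimed wallet.
function walletIdFor(publicKey) {
  const der = publicKey.export({ type: "spki", format: "der" });
  return createHash("sha256").update(der).digest("hex");
}

// Server: issue a fresh challenge bound to this site and this wallet.
function issueChallenge(walletId, now = Date.now()) {
  const nonce = randomBytes(32).toString("hex");
  pending.set(nonce, { walletId, expiresAt: now + CHALLENGE_TTL_MS });
  return `${SITE_ORIGIN} login\nwallet: ${walletId}\nnonce: ${nonce}`;
}

// Wallet side: sign exactly the text the user was shown.
function walletSign(message, privateKey) {
  return sign(null, Buffer.from(message, "utf8"), privateKey);
}

// Server: confirm or deny the login. A nonce is consumed on first use,
// so a captured message/signature pair cannot be replayed.
function verifyLogin(walletId, publicKey, message, signature, now = Date.now()) {
  if (walletIdFor(publicKey) !== walletId) return "key-mismatch";
  const m = /^(.+) login\nwallet: ([0-9a-f]{64})\nnonce: ([0-9a-f]{64})$/.exec(message);
  if (!m || m[1] !== SITE_ORIGIN || m[2] !== walletId) return "malformed";
  const entry = pending.get(m[3]);
  pending.delete(m[3]);
  if (!entry || entry.walletId !== walletId) return "unknown-challenge";
  if (now > entry.expiresAt) return "expired";
  const ok = verify(null, Buffer.from(message, "utf8"), publicKey, signature);
  return ok ? "ok" : "bad-signature";
}
```

Binding the challenge text to the site origin and the wallet keeps a signature collected elsewhere from being accepted here.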
Bounty Submission and Storage
A simple form will be available for a bounty creator to fill out. The metadata required for the bounty will include: who created it (project name or person’s alias/name), a bounty category, a problem statement, the reward amount in ADA/native token, the success criteria, how to claim the bounty, optional tags, an optional website URL, and an optional time frame for completion (up to 1 year).
Submissions will be validated: required fields must be filled out, and each field will have its own validity checks. After filling out the form, the creator will be able to review their bounty before a final submission. The final submission will generate a transaction to store the metadata on the Cardano blockchain. A small service fee (<= 3 ADA) will be collected with it, along with the Cardano network fee. The submission data will also be parsed and stored in an ElasticSearch repo. This ElasticSearch repo will allow the bounties to be fully searchable via free text search, token type and amount, creator, and tags.
Creators will be able to view all of their bounties in their dashboard view.
Bounty Hunting
A bounty hunter will be able to use search and listing capabilities to find bounties that they are interested in. A comment thread will be available for each bounty for additional comments and questions. Once a hunter finds a bounty they are interested in, they can bookmark it for easy retrieval on subsequent site visits. These bookmarked bounties will be viewable on their dashboard.
It’ll be up to the bounty hunter to contact the creator and present the evidence required for collecting the bounty as directed by the creator.
Claiming a Bounty
The success criteria given by the creator will be the final marker as to whether a solution should receive the bounty or not. A bounty hunter will be required to follow the creator’s instructions for claiming the bounty. The creator will need to review the submission against the success criteria and determine whether the criteria are met.
Bounty Closing and Expiration
A bounty can be closed by the creator at any time regardless of its status. Closure by the creator will be recorded on the blockchain via a transaction and also recorded in the ElasticSearch repo.
The creator must add the transaction ID for the bounty reward as part of closing the bounty if they want it to be marked as successful. The transfer amount from the bounty transaction will be verified and checked against the bounty reward. If the transfer amount meets or exceeds the declared bounty reward, the system will mark the bounty as successfully resolved. If the transfer amount is lower than the declared bounty reward, the system will mark the bounty as partially successful. If the bounty is closed without a resolution, the system will mark it as unsettled.
A bounty will be marked expired if the creator set an end date for the bounty, that date has passed, and the bounty has not yet been closed by the creator. In this case, only the ElasticSearch repo will be updated to indicate that the bounty is expired. It will still be up to the creator to create a transaction to close the bounty.
For a bounty with no end date, if no comments or changes have been recorded for a 6-month period, the bounty status will be recorded as stale. It will be up to the creator to change the status of the bounty back to active. This will prevent the system from being clogged with orphaned bounties.
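The closing, expiration and stale rules above can be expressed as one status function. This is an added example, not code from the proposal or the project: the record shapes, field names and addresses are hypothetical, and two rules are assumptions that go beyond the text (outputs returning to the creator's own address are treated as change, and a payout transaction that sends nothing in the reward asset counts as unsettled).

```javascript
// Added example, not project code. Record shapes and field names are
// hypothetical; quantities are integer base units (e.g. lovelace) as strings.
const STALE_AFTER_MONTHS = 6;

// Amount the payout transaction sends in the declared reward asset.
// Assumption: outputs back to the creator's own address are change and
// do not count toward the reward.
function transferAmount(tx, reward, creatorAddress) {
  return tx.outputs
    .filter((o) => o.asset === reward.asset && o.address !== creatorAddress)
    .reduce((sum, o) => sum + BigInt(o.quantity), 0n);
}

function addMonthsUtc(date, months) {
  const d = new Date(date.getTime());
  d.setUTCMonth(d.getUTCMonth() + months);
  return d;
}

// bounty: { reward, creatorAddress, endDate?, lastActivity, closure? }
// closure: { payoutTx? } where payoutTx was fetched by the ID the creator gave.
function bountyStatus(bounty, now) {
  if (bounty.closure) {
    const tx = bounty.closure.payoutTx;
    if (!tx) return "unsettled"; // closed without a resolution
    const paid = transferAmount(tx, bounty.reward, bounty.creatorAddress);
    if (paid === 0n) return "unsettled"; // assumption: nothing paid in this asset
    return paid >= BigInt(bounty.reward.quantity) ? "successful" : "partially successful";
  }
  if (bounty.endDate) return now > bounty.endDate ? "expired" : "active";
  const staleAt = addMonthsUtc(bounty.lastActivity, STALE_AFTER_MONTHS);
  return now >= staleAt ? "stale" : "active";
}
```

Comparing amounts as `BigInt` base units avoids rounding errors that floating-point ADA values would introduce at the reward threshold.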
Assurances
Multiple metrics for creators and hunters will be collected to help provide assurances for the community and accountability for creators and hunters. These metrics can be nuanced, so it will be up to each user as to whether or not they want to work with another user based on these metrics.
This is the initial list of metrics that will be available.
- Creators
  - Percentage of successfully closed bounties vs all bounties
  - Percentage of partially successful bounties vs all bounties
  - Percentage of unsettled bounties vs all bounties
  - Percentage of expired bounties vs all bounties
  - Percentage of stale bounties vs all bounties
- Hunters
  - Number of successful bounties claimed
  - Number of partial bounties claimed
There will be milestones for successful bounties for both creators and hunters. As they cross the threshold for these milestones, they will be given the option to mint an NFT with their status for a service fee (<= 5 ADA) plus the Cardano network fees. For the purpose of this proposal and the initial project capabilities, these NFTs will have no intrinsic value other than as a symbol of the holder’s status on the site.
Website Implementation
Tech Stack
Cardano metadata and wallets will be the backbone for the project. The website will be an Angular project. The Cardano metadata for a bounty will be stored on the Cardano blockchain to provide immutability. In addition to that, it will be parsed and stored in ElasticSearch. Bounty comments and system metadata will be stored in ElasticSearch.
Parsing and storing this data in ElasticSearch will give the site a number of capabilities:
- Free text search of the problem statement, success criteria, and other fields
- Search by tags
- Search by creator
- Search by award token
- Search by amount of tokens
- Allow search by any combination listed above
List of technologies and libraries to be used for implementing the website:
- Multiple Cardano wallet browser extensions (as many as possible)
- Cardano Browser Library
- Angular
- Java
- SpringBoot
- ElasticSearch (will allow more flexibility, capability, and scalability over similar solutions)
- AWS Cloud hosting (chosen based on developer's experience)
- GitHub (this project will be open source, allowing full transparency and community interaction)
- Node.js
Revenue
A small service fee (<= 3 ADA) will be applied to every proposed bounty. This fee will be in addition to the Cardano network fee for submitting the transaction. There will be no fees associated with commenting on a bounty. There will be no service fees associated with closing a bounty but there will be a Cardano network fee.
In the future, holding certain NFTs, delegating to specific pools, and/or holding a particular native token could be used as a way to waive or lower the service fee.
Please describe how your proposed solution will address the Challenge that you have submitted it in.
This project addresses all three success categories listed in "F9: Dapps, Products & Integrations".
Increasing the number of dapps and products available for the community to use that help to enrich the ecosystem with new use cases.
This project will combine leading Web2 solutions with Cardano Web3 libraries. The world is full of amazing developers who have limited to zero Web3 experience. This project will show that moving into the Web3 space is easier than it’s ever been.
The site itself will be a tremendous resource for those new to Cardano development and current developers.
Increase the number of integrations that bring existing solutions together for a more seamless and connected experience between different products.
Projects will list their bounties on a public website. Any Cardano project or developer can search these bounties, and if their product or skills fit the bounty, then symmetry could be found. Finding symmetry with other projects can bring massive value to both parties. This ultimately will bring more capable and mature APIs and products to the Cardano ecosystem.
Increased quality of existing products & integrations through suggested improvements that is supported by customer feedback or increased usage by the community.
The bounty rewards will incentivise the community to get involved in the development of the Cardano ecosystem. Bounties are typically awarded to someone who finds security and/or critical bugs within existing or developed software. Bounties can also be awarded for helping the creator through a coding problem. In both cases, the security and quality of the product can be increased through this community collaboration.
What are the main risks that could prevent you from delivering the project successfully and please explain how you will mitigate each risk?
The traditional technologies being used have been around for a long time. They have been vetted through many years of usage and development. They are extremely low risk.
The Cardano wallet and browser libraries are fairly new, but have already been used in a number of projects. There is some risk that the wallet API and/or capabilities will change, which would then require changes to the site. The wallets and browser libraries that are implemented will be followed to track any potential breaking changes. Updates to the system will be made to mitigate those changes.
Overall, the project’s main risk is the funds required for setting up and hosting the website and services. Having this project funded through Catalyst would mitigate this risk.