Please describe your proposed solution.

<u>Extended Problem Statement:</u>

An automated (AI based) audit tooling for smart contracts can solve several problems related to the auditing process of smart contracts. With this proposal we aim to address following challenges:

• Enhanced Security Analysis: Smart contracts on Cardano can be complex, and manual code review may miss subtle vulnerabilities or logical errors. This automated audit tool can provide automated analysis and pattern recognition capabilities to identify potential security risks that might be overlooked during manual audits. This helps ensure that smart contracts are more secure and less prone to exploits or vulnerabilities.
• Efficiency and Scalability: Auditing smart contracts manually can be time-consuming, especially as the number of smart contracts in use grows. Our audit tool can automate parts of the auditing process, such as code analysis and testing, making it more efficient and scalable. This allows auditors to review a larger number of smart contracts within a shorter timeframe, thereby improving the overall audit process.
• Consistency and Standardization: With this proposed tool, auditors can apply standardized analysis techniques and best practices consistently across different smart contracts. This reduces the risk of human errors, ensures uniformity in auditing approaches, and enables a more thorough examination of contract code for potential issues.
• Risk Prioritization: Our audit tool can assist auditors in quantifying and prioritizing risks associated with smart contracts. By analyzing the code, identifying vulnerabilities, and assessing the impact and likelihood of each risk, auditors can focus their attention on critical areas that require immediate attention or remediation. This helps allocate resources effectively and address the most significant risks first.
• Continuous Monitoring and Early Detection: This automated audit tool can provide continuous monitoring capabilities for deployed smart contracts. By monitoring events and changes in the contract's behavior, these tools can alert auditors or developers to potential security breaches or anomalous activities. Early detection enables prompt response and mitigation of potential risks before they escalate.

<u>Our solution:</u>

Therefore, we propose the development of an Automated Audit Tool, that is based on AI and specifically trained and developed for Smart Contracts on the Cardano Blockchain.

This will include the following components:

• Smart Contract Analysis Engine: The tool will have the ability to thoroughly analyze smart contract code, identify potential vulnerabilities, and detect deviations from best practices.
• Automated Testing Module: The tool will provide automated testing capabilities, generating various scenarios and inputs to evaluate the contract's behavior and uncover potential risks.
• Machine Learning Models: Pattern Recognition by employing AI algorithms to recognize patterns and anomalies in the code, aiding in the identification of security risks or deviations from established coding standards.
• Risk Assessment: The tool will assess the overall risk associated with a smart contract, considering factors such as complexity, attack vectors, and asset sensitivity, and provide risk quantification and prioritization.
• Continuous Monitoring: The tool will offer real-time or periodic monitoring capabilities to detect changes or events in deployed smart contracts that could indicate security breaches or abnormal behavior.
• Security Rule Engine: The tool will have a rule engine that incorporates security best practices, industry standards, and regulatory compliance guidelines to check for adherence during the audit process.
• Reporting and Visualization: The tool will generate comprehensive reports and visualizations that summarize audit findings, highlighting identified vulnerabilities, risk levels, and recommended actions for auditors and developers.

<u>How does the smart contract analysis work?</u>

• Control Flow Analysis: The engine analyzes the control flow within the code to understand how the program's execution flows from one instruction or statement to another. It identifies branches, loops, conditional statements, and function calls to gain insights into the program's behavior and potential vulnerabilities.
• Data Flow Analysis: This technique traces the flow of data within the code, identifying how variables are defined, modified, and used throughout the program. It helps detect issues such as uninitialized variables, potential data leaks, or unintended variable assignments.
• Symbolic Execution: Symbolic execution involves performing a symbolic run of the code, treating inputs and variables as symbolic values instead of concrete values. This technique explores different execution paths and generates constraints that represent the possible program behaviors. It helps identify potential vulnerabilities or states where the program may behave unexpectedly.
• Taint Analysis: Taint analysis tracks the propagation of user-controlled inputs or tainted data throughout the code. It identifies how these inputs influence the program's behavior and detects potential security risks, such as unsanitized user input leading to injection vulnerabilities or data leakage.
• Dependency Analysis: Dependency analysis examines the dependencies between different components of the code, including functions, modules, libraries, and external dependencies. It helps identify potential vulnerabilities arising from the interaction between different code components or insecure use of external dependencies.
• Code Pattern Matching: Detection of vulnerable code, coding errors, or security risks. It compares code snippets against a database of predefined patterns, signatures, or rules to identify potential vulnerabilities or deviations from secure coding practices.
• Contract-specific Analysis: It will also apply contract-specific analysis techniques tailored to the characteristics and vulnerabilities commonly found in blockchain-based contracts. These techniques include analyzing the contract's state transitions, token operations, access control mechanisms, and interaction with other contracts.

How does your proposed solution address the challenge and what benefits will this bring to the Cardano ecosystem?

This challenge is asking 'How do we equip and support developers with tools and working infrastructure?'

With our proposed automated auditing tool we will bring several benefits to our ecosystem:

1. Enhanced Security: Identify complex vulnerabilities and reduce security breaches.
2. Efficient Auditing Process: Faster review of smart contracts, enabling quicker issue identification.
3. Consistent Audit Standards: With AI audit tooling, the Cardano ecosystem can establish consistent audit standards and best practices.
4. Risk Mitigation and Prioritization: The tool's ability to assess risks and prioritize them helps auditors and developers focus on critical areas that require immediate attention.
5. Continuous Monitoring and Early Detection: Prompt response to security breaches and anomalies.
6. Developer Empowerment: The tool can serve as a valuable resource for developers (especially new ones) within the Cardano ecosystem. It can provide insights into security best practices, coding standards, and potential vulnerabilities, enabling developers to build more secure smart contracts from the outset.

How do you intend to measure the success of your project?

Our list of KPIs to measure the progress and success of this proposal:

Number of Audits Performed:

• Total number of smart contract audits conducted per month.
• Number of auditors, developers, and projects utilizing the AI audit tooling.
• IIncrease percentage in the number of audits per month performed after implementing the tool.
• Time required to conduct a smart contract audit using the tool compared to manual methods.

Risk Mitigation Effectiveness:

• Total number of high-risk or critical vulnerabilities identified and mitigated using the tool.
• Total number of security incidents or vulnerabilities discovered in audited smart contracts.
• Success rate of risk mitigation efforts based on the tool's prioritization.
• Reduction percentage in high-risk or critical vulnerabilities after implementing the tool.

User Satisfaction and Feedback:

• User satisfaction ratings collected from auditors, developers and other users.
• Ratings of ease of use, effectiveness, and value provided by the tool.
• Feedback on specific features, improvements, or areas of enhancement.

Please describe your plans to share the outputs and results of your project?

Our approach is to operate as transparently as possible, so that the community has the maximum possible insight into the project on the one hand and can also participate in the project development on the other.

To measure and track the process of the proposal, we will document any step and output in our dedicated GitHub repository. All outcomes are open-source and free to use for the community.

Furthermore, we will offer monthly feedback opportunities for the community (communicated via GitHub and on Catalyst Telegram Channels).

What is your capability to deliver your project with high levels of trust and accountability?

Our project team consists of experienced professionals with a track record of developing and implementing various product and software developments. Furthermore, parts of the core team have been active members of the community since Fund 3 in Project Catalyst. They have actively participated in the community and have been voted and funded for their projects by the community multiple times. Importantly, all previous projects have been successfully completed.

<u>Our capabilities to deliver this project successfully:</u>

• Machine Learning: Our team is experienced in AI and Machine Learning Software and is able to use the latest updates of advanced AI technologies in order to create the proposed tool.
• Cardano Ecosystem: We have a deep understanding of the Cardano blockchain and ecosystem, including its protocols, standards, and development tools.
• Security and Auditing: We have knowledge of security best practices and experience in conducting security audits to ensure the reliability and resistance of the tool. Understanding common security risks in smart contract development is essential to create the proposed tool.
• Project Management: We have strong project management skills to ensure efficient planning, coordination, and execution of the project.
• Collaboration and Community Engagement: We will foster collaboration within the Cardano community, engage with developers, gather feedback, and incorporate community input into the library's development.

What are the main goals for the project and how will you validate if your approach is feasible?

<u>The main goals for the AI audit tooling project can be summarized as follows:</u>

• Enhance Smart Contract Security: The proposal aims to improve the security of smart contracts within the Cardano ecosystem by leveraging AI capabilities to identify vulnerabilities, reduce risks, and enhance auditing processes.
• Increase Efficiency and Scalability: The project seeks to streamline the auditing process, making it more efficient and scalable. By automating these tasks and providing advanced analysis capabilities, the tool aims to save time and resources while enabling auditors to review a larger number of smart contracts.
• Ensure Consistency and Standardization: The project aims to establish consistent audit standards and best practices across the Cardano ecosystem. By incorporating predefined rules, analysis techniques, and industry standards, the tool promotes uniformity and reliability in the auditing approach.
• Foster Trust: The project aims to enhance trust and confidence in the security and reliability of smart contracts within the Cardano ecosystem. By providing auditors and developers with a robust auditing tool, the project intends to demonstrate a commitment to quality, security, and industry best practices.

<u>To validate the feasibility of our approach, we will take several steps:</u>

• Technical Proof of Concept: We will first develop a technical proof of concept to demonstrate the core functionalities and capabilities of our auditing tool. This includes showcasing its ability to analyze smart contract code, identify vulnerabilities, and generate actionable reports.
• Prototype Testing: We will conduct extensive testing of the prototype with various types of smart contracts to validate its effectiveness in detecting vulnerabilities and providing accurate analysis. Additional, we will collect feedback from auditors and developers to refine and improve the tool's features.
• Performance Evaluation: We will assess the performance and scalability of the tool by conducting stress tests and analyzing its behavior under different workloads.
• Comparative Analysis: We will perform a comparative analysis of the tool against existing manual auditing methods and measure the time savings, improved efficiency, and accuracy of the auditing tool in comparison to traditional approaches.
• Pilot Deployment and Real-World Testing: Eventually, we will conduct pilot deployments of the auditing tool with selected auditors and projects within the Cardano ecosystem and then monitor its performance.

Please provide a detailed breakdown of your project’s milestones and each of the main tasks or activities to reach the milestone plus the expected timeline for the delivery.

In the following, we present a milestone-based project plan for developing and implementing our proposed automated audit tool within a 4-month timeframe:

Milestone 1 (4 weeks): Prototype Development

Phase 1: Requirements Gathering and Design

• Definition of specific requirements and objectives for the AI audit tooling prototype.
• Conducting discussions with auditors, developers, and stakeholders to gather their input and refine the requirements.
• Design of the architecture and components of the prototype, considering scalability and extensibility.

Phase 2: Smart Contract Analysis Engine

• Developing the core engine responsible for analyzing smart contract code.
• Implementation of static analysis techniques to identify potential vulnerabilities and coding errors.
• Integration of a rule-based system to enforce security best practices and coding standards.

Phase 3: Automated Testing Capabilities

• Implementing automated testing functionalities to generate test cases and scenarios for smart contracts.
• Developing multiple algorithms to simulate different scenarios and inputs to evaluate contract behavior.
• Ensure comprehensive coverage of critical code paths and edge cases.

Phase 4: User Interface and Report Generation

• Design and development of interface for auditors and developers to interact with the prototype.
• Creation of a dashboard to present analysis results and identified vulnerabilities.
• Implementing a reporting module that generates comprehensive testing reports.

Milestone 2 (4 weeks): Model Evaluation

Phase 5: Data Collection and Preprocessing

• Gather a diverse dataset of smart contracts representing various use cases and complexities.
• Preprocess the dataset, clean the code, and ensure compatibility with the analysis engine.

Phase 6: Model Training

• Deploy machine learning algorithms and techniques for smart contract analysis.
• Training the models using the preprocessed dataset, considering performance and accuracy.
• Optimizing the models to achieve efficient and effective analysis results.

Phase 7: Evaluation and Performance Metrics

• Evaluating the trained models using evaluation metrics such as precision, recall, and F1 score.
• Assessing the performance of the models on a separate validation dataset.
• Fine-tuning of the models based on the evaluation results and iterate as necessary.

Phase 8: Integration and Refinement

• Integration of the trained models into the existing prototype.
• Validation of the integration and ensure seamless interaction between the analysis engine and the machine learning models.
• Refinement of the prototype based on the evaluation feedback and further optimize its performance.

Milestone 3 (4 weeks): Tool Validation

Phase 9: Validation Planning

• Definition of criteria for validating the tool.
• Definition of KPIs and metrics to measure the tool's effectiveness.
• Defining the validation process, including the selection of auditors, projects, and test cases.

Phase 10: Validation Execution

• Conducting validation tests with auditors.
• Gathering feedback from auditors regarding usability, accuracy, and overall satisfaction.
• Capturing any issues or suggestions for improvement during the validation process.

Phase 11: Iteration and Enhancement

• Analyzing the feedback received from auditors and identifying areas for improvement.
• Implementing necessary changes and enhancements to address identified issues.
• Iterate on the prototype to improve its usability, performance, and effectiveness.

Phase 12: Performance Evaluation

• Conducting comprehensive performance testing to evaluate the tool's efficiency and scalability.
• Measuring and analyzing key performance metrics, such as processing time and resource utilization.
• Optimizing the tool's performance based on the evaluation results.

Milestone 4 (4 weeks): Real-world Testing and Release

Phase 13: Real-world Testing Preparation

• Selection a subset of real-world smart contracts for testing the tool in live environments.
• Making sure that all necessary resources and permissions are in place for conducting real-world testing.
• Creation of a detailed test plan and define success criteria for the real-world testing phase.

Phase 14: Real-world Testing

• Deploying the AI audit tooling in a controlled real-world environment with selected smart contracts.
• Monitoring and analyzing the tool's performance, accuracy, and effectiveness in identifying vulnerabilities.
• Collecting feedback from auditors and developers during the real-world testing phase.

Phase 15: Analysis and Refinement

• Analysis of the data and feedback gathered during the real-world testing phase.
• Identification any additional issues, bugs, or suggestions for improvement.
• Refinement the tool based on the findings to ensure it meets the requirements and addresses real-world challenges.

Phase 16: Documentation and Release Preparation

• Documentation of the tool's functionalities, features, and usage guidelines.
• Preparation of release notes and user manuals.
• Final testing, to ensure stability and quality before the tool's release.

At the end of the 4-month project plan, our proposed tool will have progressed from prototype development to real-world testing and will be ready for release, incorporating valuable feedback and improvements gathered throughout the project.

Please describe the deliverables, outputs and intended outcomes of each milestone.

Milestone 1 (Prototype Development):

• Deliverables: A functional prototype of the tool for smart contract analysis.
• Outputs: Core engine for smart contract analysis, automated testing capabilities, user interface, and reporting module.
• Intended Outcomes: A prototype that demonstrates the tool's ability to analyze smart contracts, identify vulnerabilities, and generate actionable reports.

Milestone 2 (Model Evaluation):

• Deliverables: Trained machine learning models for smart contract analysis.
• Outputs: Evaluated and optimized models, performance metrics, and integration with the prototype.
• Intended Outcomes: Effective machine learning models that enhance the analysis capabilities of the tool + Improved accuracy, efficiency, and the ability to handle a wide range of smart contracts.

Milestone 3 (Tool Validation):

• Deliverables: Validated and refined tool.
• Outputs: Validation strategy, user feedback, iteration and refinement of the tool, optimized performance.
• Intended Outcomes: Validated tool with positive user feedback and satisfaction. Enhanced usability, accuracy, and effectiveness in identifying vulnerabilities + Addressed issues and improved performance based on validation results.

Milestone 4 (Real-world Testing and Release):

• Deliverables: Real-world tested and refined tool ready for release.
• Outputs: Real-world testing data, bug fixes, documentation, release-ready version of the tool.
• Intended Outcomes: A robust and stable tool that has undergone real-world testing and refinement + Finalized documentation and release preparation for wider adoption.

Please provide a detailed budget breakdown of the proposed work and resources.

<u>Milestones based budget breakdown</u>:

Google Spreadsheet:

<https://docs.google.com/spreadsheets/d/1jduw8MddHOVj7VAk-5jlYFcUXgv8XD4v3vyqWTuWp9Q/edit?usp=sharing>

Total estimated project time: 728 hours

Total amount of requested ADA: 184,600

Milestone 1: 59,000

Milestone 2: 58,800

Milestone 3: 33,400

Milestone 4: 33,400

We have calculated the estimated time to the best of our knowledge. The hourly rates represent a fair payment for our team. We have calculated an average hourly rate, since both senior and junior developers are used.

Who is in the project team and what are their roles?

<u>This is our core project team:</u>

• Dominik Tilman: Project management

Dominik is the lead on this project. He has been an active part of the Catalyst community since Fund 3. Among other things, he has been a co-founder of IdeaFest and the Catalyst Swarm Initiative. He has successfully funded and executed several proposals.

With his company Conu21 he mainly advises startups and actively helps in the founding phase to develop the right business model and to market the ideas sustainably. With his wealth of experience and network, he helps promising ideas and projects to be successfully implemented and taken to market.

<https://www.linkedin.com/in/dominikstumpp/>

<http://www.conu21.com>

• Thomas Zuchtriegel: Product Lead

With his own innovation agency 'Metavers', he has already helped numerous companies make the crucial transition to the digital world of Web 3.0. Furthermore, Thomas is and has been successfully involved in a variety of startups and businesses over the last decade. He and his team help us in the implementation of our projects, so we can deliver solid product developments. Thomas has been an active part of the Catalyst community since the beginning, and he has successfully funded and executed several proposals.

<https://www.linkedin.com/in/thomaszuchtriegel/>

http://wwww.metavers.com

• Zsolt Kallos: Technical Lead

Zsolt is Programmer since 2007 and founder of KallosSoft, a software development company. He released a variety of mobile apps and reached over 9M downloads so far. Furthermore, KallosSoft owns and manages different applications powered by AI Machine Learning models and Generative Adversarial Networks (GANs). Due to his expertise and experience in software development with a focus on AI, our projects have a solid technical foundation. His network helps us to have the best professionals in the implementation of our projects .

<https://www.linkedin.com/in/zsolt-kallos-6b956386/>

<https://kallossoft.com/>

<u>Support Team:</u>

• Rostislava Glebovich & Iana Geidrovich: Software Development

To ensure that our team meets the requirements of technical development, we have decided to collaborate with MetaLamp. They have a tremendously talented team that have already developed a variety of MVPs and products in the Cardano Ecosystem (including an NFT marketplace for IOG). For the execution of our projects and the development of smart contracts and blockchain integrations, we regularly use experienced developers from their talent pool.

https://www.metalamp.io

• Dominik Klopsch: Community engagement

Experience: 4+ years community management in the blockchain/web3 industry.

Link: https://de.linkedin.com/in/dominic-klopsch

How does the cost of the project represent value for money for the Cardano ecosystem?

• Enhanced Developer Experience: By investing in the development of an automated smart contract auditing tool, the Cardano ecosystem provides developers with a valuable resource that simplifies smart contract development, reduces development time, and promotes best practices. This enhanced developer experience leads to increased productivity, higher-quality applications, and a thriving developer community.
• Improved Security and Reliability: The proposed tool is able to conduct security audits, code reviews, and adherence to best practices, to ensure robust, secure, and reliable smart contract development. This investment in security mitigates the risk of vulnerabilities and potential exploits, safeguarding the ecosystem and users' assets.
• Accelerated Innovation: This tool is able to accelerate the development process, allowing developers to focus on building innovative applications and driving the pace of innovation within the Cardano ecosystem.
• Long-Term Cost Savings: While the initial cost of the project may be an investment, it can result in long-term cost savings for the Cardano ecosystem. A robust and widely adopted auditing tool to analyze smart contracts reduces the effort for audits, and streamlines development processes. These efficiencies contribute to cost savings over time.