Funds Fund 11 Proposals F11: Cardano Use Cases: Concept Bug Bounty Platform - Cardano Community-Led Security
funded
Bug Bounty Platform - Cardano Community-Led Security
View on Ideascale View on projectcatalyst.io
Current Project Status
In Progress
Amount
Received
₳70,000
Amount
Requested
₳90,000
Percentage
Received
77.78%
Solution

A community-based bug bounty platform rewarding ADA for identifying smart contract vulnerabilities.

Problem

Cardano ecosystem lacks ways to improve code security through community-driven bug bounty audits.

Image fileImage file

Impact Alignment
Feasibility
Value for money

Team

1 member

Peter Hucik bio pic
Bug Bounty Platform - Cardano Community-Led Security

Please describe your proposed solution.

Our solution is a community-driven Bug Bounty platform on the Cardano Blockchain. Recognizing the importance of security in blockchain projects, we aim to create an ecosystem where developers can submit their projects for auditing. Users will be incentivized through ADA rewards to find and report vulnerabilities. In this way we aim to strengthen project security and increase collaboration within the ecosystem.

We intend to engage both experienced auditors and enthusiastic community members, offering a unique blend of expertise and fresh perspectives. By ensuring robust security measures, we contribute significantly to the Cardano ecosystem's overall integrity and reliability. Our solution is unique because it combines community engagement with professional auditing, benefiting developers, auditors, and ultimately, the Cardano network.

The first version of our website will be a PoC and to fit within the budget we plan to deliver it without a smart contract functionality. In the next phases of the project, we aim to add a smart contract described below.

Smart Contract Functionality:

  • Submission of Audit Requests:
  • Developers can submit their code repositories to the platform along with a specified amount of ADA tokens to be held in escrow by the smart contract.
  • The submission would include details such as the repository URL, contact information, scope of the audit, and the bounty amount.
  • Bounty Allocation and Locking Funds:
  • The smart contract locks the submitted ADA tokens as a bounty for the duration of the audit period.
  • Conditions for bounty distribution are predefined, such as types of vulnerabilities or issues that qualify for a reward.
  • Verification and Claim Process:
  • Auditors or community members who find vulnerabilities submit proof, such as a detailed report or code patch.
  • The smart contract will have a function to allow the admin team to review submissions and verify their validity.
  • Reward Distribution:
  • Upon admin approval, the smart contract automatically distributes the bounty to the finders of the vulnerabilities based on predetermined rules.
  • The distribution could be a flat fee per bug or a percentage based on the severity of the issue.
  • Dispute Resolution:
  • In case of disputes regarding the validity of a bug or the reward amount, the smart contract can hold the funds until the dispute is resolved through a predefined governance process.

Please define the positive impact your project will have on the wider Cardano community.

Our project will significantly enhance the security and reliability of the Cardano ecosystem. By incentivizing bug discovery and reporting, we encourage a proactive approach to identifying vulnerabilities. This not only improves individual projects but also elevates the overall trust in the Cardano network.

We plan to measure impact quantitatively by tracking the number of vulnerabilities reported and resolved, and qualitatively through community feedback. Success will be shared via regular updates and reports, detailing the vulnerabilities found and fixed. This transparency will promote a culture of security and trust, benefiting the entire Cardano community.

This proposal benefits wide array of groups within the community:

  • Developers: will have a way to demonstrate their knowledge and increase their income streams. Also, seeing previous vulnerabilities increases knowledge sharing, helps the community to learn about smart contract anti-patterns that should be avoided.
  • Users: more trust in protocols that participated in bug bounty.
  • Projects: ability to further increase security and trustworthiness.
  • ADA holders: each new utility is good for ADA

What is your capability to deliver your project with high levels of trust and accountability? How do you intend to validate if your approach is feasible?

As seasoned developers and auditors of smart contracts on Cardano, we possess extensive experience with audits and design reviews conducted in Plutus, Plutarch, and Aiken languages. We have already identified various vulnerabilities, viewable at https://github.com/vacuumlabs/audits. Additionally, we are launching a series of blogs on common Cardano vulnerabilities, accessible at https://medium.com/@vacuumlabs_auditing.

Drawing from our expertise and experience, we are confident in our ability to create a website that will be well designed for both sides: the projects in need of audit and the community of auditors and security experts.

What are the key milestones you need to achieve in order to complete your project successfully?

Conceptualization and Design of the Proof of Concept (PoC) Platform.

>Development and Backend Setup for the PoC Platform without Smart Contract Integration.

>User Interface Development and Testing.

>Launch of the PoC Platform and Initial User Engagement. Video overview of the entire platform.

>Collection of Feedback and Preparation for Future Smart Contract Integration.

Who is in the project team and what are their roles?

Project management:

<https://www.linkedin.com/in/peterhucik/>

Auditing know-how and exploit severity decisions, smart contract design:

<https://www.linkedin.com/in/sladecekmichal/>

<https://www.linkedin.com/in/michal-porubsky/>

FE development:

<https://www.linkedin.com/in/sebastian-jakabcin-6a28b1220/>

BE development:

<https://www.linkedin.com/in/igortot/>

  • Other available developers based on the needs of the project

Please provide a cost breakdown of the proposed work and resources.

Development Costs: 45,000 ADA

User Interface Design and Enhanced Testing: 20,000 ADA.

Marketing and Community Engagement: 10,000 ADA.

Project Management and Reporting: 10,000 ADA.

Contingency and Miscellaneous: 5,000 ADA.

Total: 90,000 ADA.

How does the cost of the project represent value for money for the Cardano ecosystem?

The budget is meticulously crafted to offer maximum value for the Cardano ecosystem. Developer and auditor costs are based on market rates. Investment in community engagement and marketing ensures widespread adoption and contribution. Efficient project management and regular reporting demonstrate our commitment to transparency and accountability. Each ADA spent aims to fortify Cardano's security infrastructure, contributing to the network's long-term sustainability and trustworthiness.

By preventing high-severity bugs and ensuring the reliability of smart contracts, the platform will potentially save significant funds that would otherwise be lost to vulnerabilities and exploits, thereby offering high value for the money invested. This will also indirectly boost user confidence and investment in the Cardano ecosystem.

close

Playlist

  • EP2: epoch_length

    Authored by: Darlington Kofa

    3m 24s
    Darlington Kofa

  • EP1: 'd' parameter

    Authored by: Darlington Kofa

    4m 3s
    Darlington Kofa

  • EP3: key_deposit

    Authored by: Darlington Kofa

    3m 48s
    Darlington Kofa

  • EP4: epoch_no

    Authored by: Darlington Kofa

    2m 16s
    Darlington Kofa

  • EP5: max_block_size

    Authored by: Darlington Kofa

    3m 14s
    Darlington Kofa

  • EP6: pool_deposit

    Authored by: Darlington Kofa

    3m 19s
    Darlington Kofa

  • EP7: max_tx_size

    Authored by: Darlington Kofa

    4m 59s
    Darlington Kofa
0:00
/
~0:00