Funds Fund 12 Proposals Cardano Use Cases: MVP Bug Bounty Platfrom: move from concept to MVP
not approved
Bug Bounty Platfrom: move from concept to MVP
View on Ideascale View on projectcatalyst.io
Current Project Status
Unfunded
Amount
Received
₳0
Amount
Requested
₳275,000
Percentage
Received
0.00%
Solution

Our build of a concept is nearing completion and we want to fund the second phase of the Bug Bounty platform development. The plan is to include smart contracts to minimize required trust.

Problem

Cardano eco needs community-driven bug bounty audits. Vacuumlabs is building a concept Bug Bounty platform funded in F11 and wants to progress to launch a more trustless MVP.

Image file

Impact Alignment
Feasibility
Value for Money

Team

1 member

Peter Hucik bio pic
Bug Bounty Platfrom: move from concept to MVP

Please describe your proposed solution

Our solution is a community-driven Bug Bounty platform on the Cardano Blockchain. Recognizing the importance of security in blockchain projects, we aim to create an ecosystem where founders can submit their projects for auditing. Users called Bounty Hunters will be incentivized through ADA rewards to find and report vulnerabilities. In this way we aim to strengthen project security and increase collaboration within the ecosystem.

We intend to engage both experienced auditors and enthusiastic community members, offering a unique blend of expertise and fresh perspectives. The platform aims to improve Cardano ecosystem's overall integrity and reliability. Our solution is unique because it combines community engagement with professional auditing, benefiting developers, auditors, and ultimately, the Cardano network.

The PoC version of our website, funded in previous round, is nearly complete. Now in the MVP phase we want to make it more decentralized and trustless by adding a smart contract funtionality that ensures no funds will ever get lost or locked, and that every decision is transparently stored onchain. We will also add multiple new UX features that we added to our backlog during the discovery phase.

Smart Contract Functionality:

  • Submission of Audit Requests:
  • Developers can submit their code repositories to the platform along with a specified amount of ADA tokens to be held in escrow by the smart contract.
  • The submission would include details such as the repository URL, contact information, scope of the audit, and the bounty amount.
  • Bounty Allocation and Locking Funds:
  • The smart contract locks the submitted ADA tokens as a bounty for the duration of the audit period.
  • Conditions for bounty distribution are predefined, such as types of vulnerabilities or issues that qualify for a reward.
  • Verification and Claim Process:
  • Auditors or community members who find vulnerabilities submit proof, such as a detailed report or code patch.
  • The smart contract will have a function to allow the admin team to review submissions and verify their validity and severity
  • Reward Distribution:
  • Upon multisig approval, the smart contract automatically distributes the bounty to the finders of the vulnerabilities based on predetermined rules.
  • The distribution could be a flat fee per bug or a percentage based on the severity of the issue.
  • Dispute Resolution:
  • In case of disputes regarding the validity of a bug or the reward amount, the smart contract can hold the funds until the dispute is resolved through a predefined governance process.

Please define the positive impact your project will have on the wider Cardano community

Our project will significantly enhance the security and reliability of the Cardano ecosystem. By incentivizing bug discovery and reporting, we encourage a proactive approach to identifying vulnerabilities. This not only improves individual projects but also elevates the overall trust in the Cardano network.

We plan to measure impact quantitatively by tracking the number of vulnerabilities reported and resolved, and qualitatively through community feedback. Success will be shared via regular updates and reports, detailing the vulnerabilities found and fixed. This transparency will promote a culture of security and trust, benefiting the entire Cardano community.

This proposal benefits wide array of groups within the community:

  • Developers: will have a way to demonstrate their knowledge and increase their income streams. Also, seeing previous vulnerabilities increases knowledge sharing, helps the community to learn about smart contract anti-patterns that should be avoided.
  • Users: more trust in protocols that participated in bug bounty.
  • Projects: ability to further increase security and trustworthiness.
  • ADA holders: each new utility is good for ADA

What is your capability to deliver your project with high levels of trust and accountability? How do you intend to validate if your approach is feasible?

As seasoned developers and auditors of smart contracts on Cardano, we possess extensive experience with audits and design reviews conducted in Plutus, Plutarch, and Aiken languages. We have already identified various vulnerabilities, viewable at https://github.com/vacuumlabs/audits. Additionally, we are launching a series of blogs on common Cardano vulnerabilities, accessible at https://medium.com/@vacuumlabs_auditing.

Drawing from our expertise and experience, we are confident in our ability to create a website that will be well designed for both sides: the projects in need of audit and the community of auditors and security experts. The PoC version of the website has been funded in the previous round and the build is underway - first milestones already reached and approved. Now we want to bring our Smart Contract architects and developers into the process.

What are the key milestones you need to achieve in order to complete your project successfully?

Milestone 1: Begin designing the smart contracts' architecture utilizing our Auditing department's expertise. Output should be a design document describing the smart contract's parameters, inputs and outputs.

Milestone 2: Parallel to Milestone 1, we want to start designing additional UX features to make the UX flows for both project founders and bounty hunters easier. Output of the milestone is a Figma document with prepared UX designs.

Milestone 3: By the third milestone, we will deliver the Smart Contract code for review by our auditing department. The output will be code of the contract shared from Github.

Milestone 4: In parallel with SC code we will be implementing the proposed design and UX improvements to the website, with Milestone 4 we want then to be testable on staging deployment of the website.

Final Milestone: The final milestone is deploying the working MVP of the website. It will utilize the audited version of the Smart Contract, as well as UX and UI improvements. We will prepare a blog post and link it to the website that will describe the parameters of the contract and how it translates into more trustless operation of the Bug Bounty platform.

Who is in the project team and what are their roles?

The same team that developed the concept phase with the addition of Smart Contract engineers.

Project management:

<https://www.linkedin.com/in/peterhucik/>

Auditing know-how and exploit severity decisions, smart contract design:

<https://www.linkedin.com/in/sladecekmichal/>

<https://www.linkedin.com/in/michal-porubsky/>

Full stack development:

https://www.linkedin.com/in/matej-falat/

FE development:

<https://www.linkedin.com/in/sebastian-jakabcin-6a28b1220/>

Design:

https://www.linkedin.com/in/denisabrichtova/

Product:

https://www.linkedin.com/in/carolinasoares84/

Please provide a cost breakdown of the proposed work and resources

Development Costs:

  • Smart Contract Architecture Design: 20,000 ADA
  • Smart Contract development: 50,000 ADA
  • Smart Contract audit: 70,000 ADA
  • New FE UX development: 80,000 ADA

Other cost:

  • User Interface Design and Enhanced Testing: 20,000 ADA.
  • Marketing and Community Engagement: 10,000 ADA.
  • Project Management and Reporting: 20,000 ADA.
  • Contingency and Miscellaneous: 5,000 ADA.

Total: 275,000 ADA.

No dependencies.

How does the cost of the project represent value for money for the Cardano ecosystem?

The budget is crafted to offer maximum value for the Cardano ecosystem. Developer and auditor costs are based on market rates. Investment in community engagement and marketing ensures widespread adoption and contribution. Efficient project management and regular reporting demonstrate our commitment to transparency and accountability. Each ADA spent aims to fortify Cardano's security. We aim to deliver a website that holds up to highest standards in both UX perspective and trustless and decentralized operation.

By preventing high-severity bugs and ensuring the reliability of smart contracts, the platform will potentially save significant funds that would otherwise be lost to vulnerabilities and exploits, thereby offering high value for the money invested. This will also indirectly boost user confidence and investment in the Cardano ecosystem.

close

Playlist

  • EP2: epoch_length

    Authored by: Darlington Kofa

    3m 24s
    Darlington Kofa

  • EP1: 'd' parameter

    Authored by: Darlington Kofa

    4m 3s
    Darlington Kofa

  • EP3: key_deposit

    Authored by: Darlington Kofa

    3m 48s
    Darlington Kofa

  • EP4: epoch_no

    Authored by: Darlington Kofa

    2m 16s
    Darlington Kofa

  • EP5: max_block_size

    Authored by: Darlington Kofa

    3m 14s
    Darlington Kofa

  • EP6: pool_deposit

    Authored by: Darlington Kofa

    3m 19s
    Darlington Kofa

  • EP7: max_tx_size

    Authored by: Darlington Kofa

    4m 59s
    Darlington Kofa
0:00
/
~0:00