over budget
On-chain Certifications & Secure Smart Contract Upgrade Mechanism
Current Project Status: Unfunded
Amount Received: ₳0
Amount Requested: ₳400,000
Percentage Received: 0.00%
Solution

A framework that can enforce a secure upgrade path for on-chain smart contracts.

  • DApp Upgrades without the ability to misuse or steal user funds.
  • Migrate funds to only the correct audited contracts.
Problem

DApp upgrades are an extreme security risk for the Cardano ecosystem because there is no widely adopted on-chain solution to enforce a secure upgrade path.

Anastasia Labs

5 members

Please describe your proposed solution.

Currently, DApps on Cardano have to choose between two painful options for facilitating smart contract upgrades:

  1. Support smart contract upgrades & place user funds at risk.
  2. Do not support upgrades at the smart contract level; instead require social migration to upgrade the protocol.

Option 1 introduces a backdoor to steal from users by moving funds to an arbitrary insecure smart contract, thus deactivating security mechanisms.

Option 2 has a number of obvious issues. First and foremost, if a user is not informed of the protocol migration, their funds will sit inactive indefinitely, and in certain cases become inaccessible to them without special technical support or support from the protocol's authorized agents (which for instance might be required to interact with a deprecated liquidity pool on a DEX). Inactivity alone is a tremendous problem, as illustrated by the large amount of stake delegated to inactive pools.

This proposal offers a third option that facilitates smart contract upgrades without introducing a backdoor or allowing arbitrary transfers of users' funds.

Several components are required to facilitate secure DApp upgrades on Cardano.

  1. A set of onchain smart contracts to facilitate:
       • The addition and removal of auditor credentials via onchain consensus.
       • The issuance and peer review of audit certificates by accredited auditors.
       • Onchain publication of audited script hashes and relevant audit information required to perform a safe smart contract upgrade; information is verified by the presence of an audit certificate.
  2. An onchain utility library to facilitate the integration of the secure upgrade mechanism into existing Cardano smart contract protocols.
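The rule these components are meant to enforce can be modelled off-chain. The following is an added example, not code from the proposal or from Anastasia Labs: a Python model rather than Plutus, in which all type names, function names, hashes and auditor names are hypothetical, and a quorum of two endorsements (issuer plus one peer reviewer) is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuditCertificate:
    script_hash: str       # hash of the audited successor script
    supersedes: str        # hash of the script it is allowed to replace
    endorsers: frozenset   # issuing auditor plus peer reviewers

@dataclass(frozen=True)
class Output:
    script_hash: str       # destination script of a transaction output
    lovelace: int

def certified_successors(current, certs, accredited, quorum):
    """Successor hashes backed by >= quorum currently accredited auditors."""
    return {c.script_hash for c in certs
            if c.supersedes == current
            and len(c.endorsers & accredited) >= quorum}

def upgrade_allowed(current, locked, outputs, certs, accredited, quorum=2):
    """Allow a migration only if all locked value lands at one certified successor."""
    allowed = certified_successors(current, certs, accredited, quorum)
    hits = [o for o in outputs if o.script_hash in allowed]
    same_target = len({o.script_hash for o in hits}) == 1
    return same_target and sum(o.lovelace for o in hits) >= locked

# Constructed sample data (placeholder hashes and auditor names).
ACCREDITED = frozenset({"auditor_a", "auditor_b"})
CERTS = [
    AuditCertificate("v2_hash", "v1_hash", frozenset({"auditor_a", "auditor_b"})),
    # Endorsed by one accredited auditor and one that was removed from the set.
    AuditCertificate("evil_hash", "v1_hash", frozenset({"auditor_a", "auditor_x"})),
]

def demo():
    locked = 1_000_000
    cases = {
        "certified": [Output("v2_hash", locked)],
        "uncertified": [Output("evil_hash", locked)],
        "partial": [Output("v2_hash", locked // 2), Output("wallet", locked // 2)],
    }
    return {name: upgrade_allowed("v1_hash", locked, outs, CERTS, ACCREDITED)
            for name, outs in cases.items()}

if __name__ == "__main__":
    print(demo())
```

Only the migration that moves the full locked value to the certified successor passes; the destination endorsed by a de-accredited auditor and the partial migration are both rejected.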

This upgrade mechanism is critical for the future of DJED, as well as for the safety of the Cardano ecosystem.

Please define the positive impact your project will have on the wider Cardano community.

This proposal will enable smart contract protocols on Cardano to upgrade without relying on social migration or introducing a backdoor that puts users' funds at risk. The current lack of a secure upgrade mechanism is a huge security risk for the Cardano ecosystem. Many of the top TVL protocols currently support arbitrary upgrade paths that put all the funds at risk, since a malicious upgrade can steal all funds. The secure upgrade mechanism will enable protocols to support smart contract upgrades without putting users' funds at risk, while offering support to build fully decentralized protocols.

Additionally, the proposal will enable users (and wallet providers) to easily verify whether the smart contract they are interacting with is audited. This significantly reduces the risk of DApp phishing attacks.

What is your capability to deliver your project with high levels of trust and accountability? How do you intend to validate if your approach is feasible?

Our team consists of highly skilled developers with experience developing open-source tooling (Convex) in the ecosystem. Our developers are extremely experienced in all stages of DApp development on Cardano from design and architecture all the way to Mainnet releases including the Djed protocol. They are intimately familiar with the requirements of DApp protocols, and the nuances of smart contract development on Cardano. We are uniquely positioned to deliver this critical infrastructure to the Cardano ecosystem.

Historically, a number of promising, well-intentioned tools and libraries in the ecosystem did not see much traction upon release. Often this can be the result of the tooling being developed in a vacuum, without feedback from integration into production use cases.

In order to make sure that the proposed framework is well-equipped for production use we will develop and revise it with feedback from a production use-case; namely, the DJED protocol.

What are the key milestones you need to achieve in order to complete your project successfully?

CIP-96 describes a standardized method for certificates to be published and stored on-chain and for stakeholders to be able to verify the different claims of the certificates. However, the certificates are published on-chain via the transaction metadata, which is, in practice, not accessible from Plutus smart contracts.

A prerequisite of our proposed secure upgrade mechanism is that relevant information from audit certificates is accessible from within Plutus smart contracts.

This milestone encompasses updating the specification of CIP-96 with respect to the following:

  • Who has the right to submit a request for posting an audit artifact to the certification contract?
  • How to guarantee that the audit artifact meets the expected standards necessary to generate the certification token (mainly to be used for on-chain upgrade verification)?
  • How to accept new auditors and who is eligible to form the committee to review the request for posting audit artifacts?
  • Update the certification contract datum to facilitate the implementation of a secure on-chain upgrade mechanism.

Once the framework for secure smart contract upgrades is established, protocols will have to integrate the newly established standard into their smart contracts. If they have to do so from scratch, the burden of work required might dissuade them or they might make mistakes in utilizing the standard.

This milestone encompasses the development and publication of a smart contract library designed to vastly simplify the process through which existing DApps can implement a secure upgrade mechanism for their smart contracts.

Our goal is to provide extensive developer documentation to ensure that this framework is not only user-friendly but also highly intuitive for developers to utilize effectively.

We will develop a series of tests for the secure upgrade mechanism smart contract library. These tests will serve to offer a degree of confidence in the security and reliability of the framework.

This milestone encompasses the development and publication of the overarching DApp Certification framework.

This milestone entails the creation of testing procedures and the execution of a high level security analysis for the DApp certification framework.

Who is in the project team and what are their roles?

Jean-Frédéric Etienne has more than 15 years of experience in safety and threat analysis and is an expert in several formal verification techniques. He is currently the architecture and technical lead for the Djed implementation on Cardano and has put in place a property-based testing methodology to extensively assess the correctness and robustness of Plutus smart contracts against all potential attacks. He has also specified and proved the adaptation of the Djed protocol on the EUTxO model and has developed a set of Plutus libraries to produce optimized on-chain code.

Jean-Frédéric will be working on the design and architecture of the secure upgrade mechanism as well as the safety analysis of the onchain framework.

Philip DiSarro has an MS in Compiler Development & Programming Language Theory. He was the lead smart contract architect of many features on WingRiders DEX. Philip has also made significant contributions to the Cardano developer ecosystem. As a co-chair of the IOHK developer experience working group he worked to identify and resolve pain points that DApp developers experience in Cardano, and had an integral role in getting Lucid & Plutus Simple Model included in the Plutus Pioneer Program. He has a vast wealth of experience in smart contract auditing and security on Cardano.

Philip is a senior Haskell developer on the Cardano Stablecoin Venture team, a consultant and lecturer for Emurgo and a founder of Anastasia Labs.

Philip will be contributing to the implementation of the secure upgrade mechanism smart contract library.

Romain Soulat has more than a decade of experience in the development and application of verification tools for high-profile certified products. He has been a research engineer for almost 10 years and is now the Technical Lead for Certification at IOG, where he has been leading the development of testing tools. He has also been actively involved in the Certification working group and is the main author of CIP-0096.

Romain will be working on the new design of CIP-0096, using CIP-0068 style metadata. He will lead discussions with different stakeholders to ensure that the new design of CIP-0096 meets all the previously identified requirements, as well as the new ones from the types of applications described in this proposal. Additionally, he will ensure that the design will be well adopted by the community.

Please provide a cost breakdown of the proposed work and resources.

Total cost: 400,000 Ada

  • 1 x update CIP-96 (8 weeks) - 125,000 Ada
      • Update spec
      • Meeting with CIP editors and working group
      • Discuss with Lace team to change spec
      • Discuss with CIP-72 team - present use case
  • 1 x engineer (14 weeks) - 137,500 Ada
      • Safety analysis on the CIP-96 spec
      • Draft a design specification for upgrade mechanism together with the development libraries to integrate a secure upgrade to any smart contract.
      • Formal verification on the Merkle tree algorithm
      • Internally outside of proposal
      • DJED implementation on-chain code
      • Property-based testing (1 property modification STO31)
  • 1 x engineer (14 weeks) - 137,500 Ada
      • Implementation of development libraries
      • On/Off-chain code - certification contract
      • Property-based testing depends on no. of properties identified.
      • Best effort up to 50 properties

The schedule accounts for delays such that if the timeline exceeds the above, the work will be continued until the proposal is feature complete.

How does the cost of the project represent value for money for the Cardano ecosystem?

Simply put, right now users' funds in many DApps are at risk of being stolen via a malicious smart contract upgrade. This proposal intends to bring in a tangible and secure solution.

The proposed project's cost is valuable for the Cardano ecosystem because it addresses critical security and usability concerns related to DApp upgrades. By investing in the development of a secure upgrade mechanism and associated components, Cardano can mitigate the risk of user funds being compromised during smart contract updates. This not only safeguards the ecosystem's reputation but also fosters user trust and confidence in Cardano-based DApps. Additionally, the project's commitment to testing and integration with real use cases, such as the DJED protocol, ensures that the solution is practical and effective. Furthermore, the provision of a smart contract library to integrate this secure upgrade mechanism, together with comprehensive documentation, streamlines adoption for existing DApps, reducing development overhead and potential errors. In essence, the project's cost translates into enhanced security, usability, and overall ecosystem stability, making it a sound investment for Cardano.
