Please describe your proposed solution
The DApp Certification framework has been a long-anticipated feature for the Cardano ecosystem. The DApp Certification program described in CIP-0096 is a framework for the on-chain publication of audit certificates for DApps. Interested parties can then query these certificates and inspect and verify their claims. In its current form, this framework is extremely useful for products such as DApp catalogues and wallets because it enables them to provide this information to users, for instance, to notify them that they are interacting with an unaudited and potentially malicious contract. This can safeguard users against phishing and spoofing scams which seek to trick users into signing a malicious transaction by pretending to be a legitimate application or contract.
However, in its current form, the DApp Certification framework is missing several features which are critical to mass adoption. The certificates are published on-chain via the transaction metadata, which is not accessible from Plutus smart contracts. In this proposal, we will extend the DApp Certification program such that the relevant information from audit certificates will be made available for Plutus smart contracts. This will provide the building blocks required for developers to introduce dynamic interoperability into DApp protocols on Cardano. As it stands currently, without this feature developers must explicitly hard code all possible external interactions. For instance, if a lending DApp must swap liquidated collateral on a DEX then it needs to explicitly define each and every smart contract and state NFT through which the swap is allowed. This is not only laborious but also quite dangerous. With this feature, DApps will no longer have to explicitly define all possible external interactions. In place of enforcing that a swap is performed with a specific pool in a specific DEX, a contract can instead enforce that a swap is performed on any pool on any DEX as long as: the liquidity is sufficient; the price is amicable; or any other arbitrary criteria the developers want to establish. This allows smart contract protocols to be designed with very strong interoperability properties. Any smart contract protocol can leverage this by simply allowing UTxOs that contain DApp Certificates to be included as reference inputs. By doing so, the smart contract will have access to the audit certificate information and will be able to perform complex interactions without specific knowledge of the protocol.
One powerful use-case of these on-chain audit certificates is to enable a secure smart contract upgrade mechanism. In fact, DApps on Cardano have to decide between two painful options in regard to facilitating smart contract upgrades:
- Support smart contract upgrades & place user funds at risk.
- Do not support upgrades at the smart contract level but instead rely on a social migration to upgrade the protocol.
Option 1 introduces a backdoor to steal from users by moving funds to an arbitrary insecure smart contract thus deactivating security mechanisms.
Option 2 has a number of obvious issues. The first and foremost of which is that, if users are not informed of the protocol migration their funds will sit inactive indefinitely. In certain situations, their funds may even become inaccessible to them without special technical support or support from the protocol's authorized agents (which for instance might be required to interact with a depreciated liquidity pool on a DEX). Inactivity alone is a tremendous problem that is illustrated by the large amount of stake delegated to inactive pools.
This proposal offers a third option that facilitates smart contract upgrades without introducing a backdoor or allowing arbitrary transfers of users' funds.
Several components are required to facilitate secure DApp upgrades on Cardano.
- A set of onchain smart contracts to facilitate:
- The addition and removal of auditor credentials via onchain consensus.
- The issuance and peer review of audit certificates by accredited auditors.
- Onchain publication of audited script hashes and relevant audit information required to perform a safe smart contract upgrade. Information is verified by the presence of an audit certificate.
- An onchain utility library to facilitate the integration of the secure upgrade mechanism into existing Cardano smart contract protocols.
This secure upgrade mechanism seems to be critical for safety of most DApps requiring upgrades as well as for the whole Cardano ecosystem.