- Team Name: CoinFabrik (Nektra S.A)
- Payment Address: 0xf488039EDe6B38D7689fDCC6A9FC2dd0EF39D54e (USDT)
- Level: 2
Scout: Security Analysis Tool
We are building an extensible open-source tool (or set of tools) to help developers of Rust smart contracts on Polkadot / Kusama detect common security issues and deviations from best practices. To improve coverage and precision, we will continue our research on static and dynamic analysis techniques.
This tool will help developers write secure and more robust smart contracts.
Our interest in this project comes from our experience in manual auditing and our usage of comparable tools in other blockchains.
We have already conducted research with the Universidad de Buenos Aires to better understand the current state of analysis tools built for Rust and to identify possible lines of development.
We are currently working on tools to assist developers to apply best practices and to identify possible vulnerabilities.
We believe we can bring value to the Polkadot / Kusama community by offering a tool that detects security bugs from a development perspective. By including this tool in their toolchain, Polkadot / Kusama developers will be helped to remove bugs from their code, raising the quality and security of their smart contracts.
- Ariel Wassbein, Head of Research
- Valeria Caracciolo, Business Development
- CoinFabrik's development and auditing team (when required)
- Contact Name: Valeria Caracciolo
- Contact Email: [email protected]
- Website: https://www.coinfabrik.com/
- Registered Address: Dr. Emilio Ravignani 2394, C1425 CABA, Argentina
- Registered Legal Entity: Nektra S.A.
We are a research and development company specialized in Web3, with a strong background in cybersecurity. Founded in 2014, we have worked on over 180 blockchain-related projects, EVM-based as well as for Solana, Algorand, and Polkadot. Beyond development, we offer security audits through a dedicated in-house team of senior cybersecurity specialists, currently working on code in Substrate, Solidity, Clarity, Rust, and TEAL.
Our team has an academic background in computer science and mathematics, with work experience focused on cybersecurity and software development, including academic publications, patents turned into products, and conference presentations. Furthermore, we have an ongoing collaboration on knowledge transfer and open-source projects with the University of Buenos Aires.
- https://gitlab.com/coinfabrik-private/data/frecuencia-de-vulnerabilidades
- https://drive.google.com/drive/u/1/folders/1HoaL6EXX1Wky7e1SHYBY6oIZDGK2sgDD
We have been working on different aspects of the tool:
- Research on security analysis tools for Rust-based blockchains.
- Listing common vulnerabilities and usability issues in different systems and technologies.
- Tools to assist developers.
We briefly validated the idea of the development described in this application with David Hawig and Bhargav Bhatt from the Web3 Foundation, who encouraged us to apply for this grant.
- Total Estimated Duration: 1 month
- Full-Time Equivalent (FTE): 5 FTE
- Total Costs: 15,000 USD
- Estimated duration: 1 month (Day 1 to Day 30)
- FTE: 5
- Costs: 15,000 USD
Number | Deliverable | Specification |
---|---|---|
0a. | License | MIT |
0b. | Documentation | We will provide a report listing relevant security issues introduced in smart contracts developed with ink!. This will include a summary of findings and how the results were obtained, a detailed description of each vulnerability/best practice, and links to the code that exemplifies them. |
0c. | Testing and Testing Guide | No tests will be produced at this stage. |
0d. | Docker | Does not apply at this stage. |
0e. | Article | We will publish a summary of the report on our blog. |
1 | Research | Producing a curated list of vulnerabilities, best practices, and enhancements related to smart contracts written in ink!, considering the list of analysis categories currently used for our manual smart contract audits. |
2 | Development | Producing code examples and snippets of smart contracts written in ink! for each type of vulnerability from the list mentioned in 1. Research. |
3 | Development | Proof of concept code detecting some (relevant) issues included in the list of vulnerabilities and best practices. |
(Our original plan was to apply for a 3-month grant, to reach a public release of the tool. We were advised to apply for a shorter objective, so we are presenting only Milestone #1 from our plan.) After completing this first milestone, we plan to apply for 2 additional iterations to reach a tool prototype (Milestone #2) and a public release (Milestone #3). Our mission is to continue improving automated and assisted tools for finding security vulnerabilities and writing more secure code. Our objective is to help the Polkadot / Kusama community produce better and more secure code with these tools.
How did you hear about the Grants Program? Richard Casey from Parity brought this program to our attention. Our inquiries were addressed by David Hawig and Bhargav Bhatt, who also kindly advised us on this application.