Background
Solidified is a community-based smart contract security project that helps Ethereum users gain wide access to proper security tools and competent audit experts at a reasonable price.
We have built a bug bounty platform (web.solidified.io) that has been used by Gnosis, Melonport, Polymath, Kleros and other major clients. On this platform users can post their smart contracts for review by a large community of security auditors (we have gathered over 200 pre-vetted experts since 2017). The platform is specific to smart contract peer review and itself runs on the Ethereum blockchain. It allows users to fund their bounties (setting the value for each bug severity), respond to bug reports, get notifications about progress, and it also has a simple arbitration process built in. The platform has been running on Rinkeby for several months and we are actively working to move it to the mainnet (we have just performed a second audit of the platform).
We have also been running community audits since 2017, in which a group of three community members is selected (based on their background, experience and relevance to the project) and a peer-review audit process is performed, producing a consensus report. All audit reports are publicly available here: https://github.com/solidified-platform/audits.
Clients include: Argent, Bankera, Gnosis, Melonport, Nexus Mutual, Polymath, Wyvern and 60 others.
Grant Proposal
We are seeking a grant of 25,000 USD to fund the development of an audit marketplace that will replace our manual process of running community audits and reuse our existing bug bounty platform for the UI/UX and the backend blockchain operations. Our vision for this product is an automatic, unstoppable marketplace for both security professionals and clients, where Ethereum developers or enthusiasts can post their smart contracts for review by reputable security experts. We expect that this marketplace will lower the barrier to entry for aspiring security professionals and also the cost of security engagements for the whole community.
We will then become simply a participant in this market, like any other security specialist.
We plan on integrating one of the open-source tools such as Mythril or Slither into the first stage of our audit marketplace, to automatically find low-hanging bugs before the audit begins. We believe that while such tools cannot be relied upon alone in an audit, they serve as a useful pre-check that lets auditors concentrate on the non-trivial issues.
By combining the human audits with bug bounties and further empowering them with automated verification tools, we are creating a multi-stage approach to auditing that is much more effective at catching bugs than the current methods.
All stakeholders should benefit from this dapp. Developers and companies building on top of Ethereum can use it to seek specialist advice at fair, market-set prices. Security specialists will have a source of work. The wider security community can learn from the published findings and bugs, improve their skills and discuss newly found vulnerabilities. The wider Ethereum community benefits from safer smart contracts, and from a place to check whether the dapp they intend to use was scrutinized and tested by competent auditors.
How the funding will be used
The grant will be used to cover the engineering costs of developing the audit marketplace. We already have the best talent working together on this platform (one of the winners of the Underhanded Solidity Contest and several top security auditors in the space). We have been working together as a team for almost two years.
Progress so far
The bug bounty platform has been online for over a year now at web.solidified.io, and has already been used by Gnosis, Melonport, Wyvern, Kleros and over 50 other companies. In it anyone can upload their smart contracts and fund bounties; the code is made available to the whole community, and bounties are paid automatically. Although the bug bounty platform is in beta, the bug bounties listed there are real, and we currently coordinate mainnet ETH payments after the automated payments are made in Rinkeby testnet ETH. We are in the final stages of developing the mainnet version of the smart contracts, which will work in a fully permissionless and decentralized manner, requiring no signup/login or identity. The frontend is being reduced to a presentation layer, while still supporting some functions that are not yet feasible on-chain (such as storing source code files).
We will reuse the design and components of the bug bounty platform for the marketplace and by doing so we expect to reduce the amount of work needed.
We have also been performing the manual audit process in ways we think will fit well within a decentralized context. For each audit, three experts are selected, quote their prices and work independently. In the group debrief meeting, all reports are then opened and consensus-merged into a final audit report. By requiring the auditors to work independently we create a healthy competition that pushes each expert to deliver their best work while keeping the process unbiased.
We have the high-level design of the process already done. A request for audit is posted in the marketplace along with the specification and the value the client is willing to pay (we will assist the client in setting an effective price using the smart contract complexity analyser already developed for the bug bounty platform). Experts then bid their way into the audit. The client selects the auditors based on price, in-system reputation and also previous work (we will allow companies/experts to identify themselves so they can leverage their reputation, while also making it easier for clients to decide).
Security auditors will receive the fees from the client upon delivery of the report. Their bids and corresponding stakes are locked for the duration of the audit, and are then used to fund a bug bounty that starts right after the audit ends and runs for a predefined period of time. This bug bounty leverages the community to verify the audit quality, and should work well for new entrants in the market to gather the reputation that lets them apply for audits. We believe that by doing it this way we incentivise the experts to perform their best work, while at the same time holding them accountable for work performed poorly.
Once the bug bounty is over, the auditors' stakes are returned (proportionally, if bugs were found and paid out).
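The escrow lifecycle described in the three paragraphs above (request posted with a budget, experts bid with a locked stake, client selects, fees paid on report delivery, stakes fund a time-boxed bounty, remaining stakes returned) as an added example, modelled as a state machine in Python; this is not Solidified's code, and the rules it fixes where the proposal leaves details open are assumptions: the stake is deposited together with the bid, unused budget is refunded to the client at selection, each bounty payout is deducted from the auditors' remaining stakes pro rata, and integer rounding dust is taken from the largest remaining stake.

```python
"""Toy model of the audit-marketplace escrow (added example, not Solidified's code).
Amounts are plain integers (think wei); blocks are plain integers."""
from dataclasses import dataclass
from enum import Enum, auto


class Phase(Enum):
    OPEN = auto()      # request posted, experts bid
    AUDITING = auto()  # auditors chosen, bids and stakes locked
    BOUNTY = auto()    # report delivered, fees paid, stakes fund the bounty
    CLOSED = auto()    # bounty period over, remaining stakes returned


@dataclass
class Bid:
    auditor: str
    fee: int    # price quoted for the audit
    stake: int  # locked alongside the bid (assumption), funds the post-audit bounty


class AuditEscrow:
    def __init__(self, client: str, budget: int, bounty_length: int):
        self.client, self.budget, self.bounty_length = client, budget, bounty_length
        self.phase = Phase.OPEN
        self.bids: dict = {}
        self.selected: list = []
        self.remaining_stake: dict = {}
        self.bounty_end = 0
        # net value each party has received from the escrow (deposits are negative)
        self.ledger: dict = {client: -budget}

    def _require(self, phase, cond=True, msg="invalid state"):
        if self.phase is not phase or not cond:
            raise ValueError(msg)

    def _credit(self, party, amount):
        self.ledger[party] = self.ledger.get(party, 0) + amount

    def held(self) -> int:
        """Value still sitting in the escrow; must be 0 once CLOSED."""
        return -sum(self.ledger.values())

    def bid(self, auditor, fee, stake):
        self._require(Phase.OPEN, auditor not in self.bids and fee > 0 and stake > 0, "bad bid")
        self.bids[auditor] = Bid(auditor, fee, stake)
        self._credit(auditor, -stake)  # stake locked at bid time (assumption)

    def select(self, auditors):
        self._require(Phase.OPEN, all(a in self.bids for a in auditors), "unknown bidder")
        fees = sum(self.bids[a].fee for a in auditors)
        if fees > self.budget:
            raise ValueError("selected bids exceed client budget")
        self.selected = list(auditors)
        for a, b in self.bids.items():
            if a not in self.selected:
                self._credit(a, b.stake)  # losing bids get their stake back
        self._credit(self.client, self.budget - fees)  # unused budget refunded (assumption)
        self.phase = Phase.AUDITING

    def deliver_report(self, current_block):
        self._require(Phase.AUDITING)
        for a in self.selected:
            self._credit(a, self.bids[a].fee)  # fee paid on delivery
            self.remaining_stake[a] = self.bids[a].stake  # stake now backs the bounty
        self.bounty_end = current_block + self.bounty_length
        self.phase = Phase.BOUNTY

    def pay_bounty(self, hunter, amount, current_block):
        self._require(Phase.BOUNTY, current_block < self.bounty_end, "bounty not open")
        pool = sum(self.remaining_stake.values())
        if not 0 < amount <= pool:
            raise ValueError("payout must be positive and within pooled stake")
        dust = amount
        for a in self.selected:  # pro-rata deduction, floored
            share = amount * self.remaining_stake[a] // pool
            self.remaining_stake[a] -= share
            dust -= share
        # rounding dust comes out of the largest remaining stakes first
        for a in sorted(self.selected, key=lambda x: self.remaining_stake[x], reverse=True):
            take = min(dust, self.remaining_stake[a])
            self.remaining_stake[a] -= take
            dust -= take
            if dust == 0:
                break
        self._credit(hunter, amount)

    def close(self, current_block):
        self._require(Phase.BOUNTY, current_block >= self.bounty_end, "bounty still running")
        for a in self.selected:
            self._credit(a, self.remaining_stake.pop(a))  # whatever survived the bounty
        self.phase = Phase.CLOSED


def run_demo() -> AuditEscrow:
    """Constructed scenario: four bids, three selected, one bounty payout."""
    e = AuditEscrow("client", budget=4000, bounty_length=100)
    for name, fee, stake in [("alice", 1000, 500), ("bob", 1200, 600),
                             ("carol", 900, 300), ("dave", 2000, 1000)]:
        e.bid(name, fee, stake)
    e.select(["alice", "bob", "carol"])     # 3100 in fees, 900 refunded to client
    e.deliver_report(current_block=10)      # bounty runs until block 110
    e.pay_bounty("hunter", 280, current_block=50)  # 100/120/60 taken from stakes
    e.close(current_block=110)
    return e


if __name__ == "__main__":
    print(run_demo().ledger)
```

The ledger invariant `held() == 0` after `close()` is the property a real contract would want to guarantee: every wei the client and the auditors put in has left the escrow as a fee, a refund, a bounty payout or a returned stake, and nothing can be stuck or double-spent. The ordering checks in `_require` are the on-chain equivalent of the phase gating the text describes (no payouts before the report, no stake return before the bounty period ends).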
The whole process will remain publicly available, for security professionals to study the issues and bugs found, and for users to check whether a dapp has been sufficiently scrutinized.
Milestones:
- Month 1: Have the marketplace smart contracts ready for community review and bug bounty. Work on the frontend runs in parallel.
- Month 2: Have the first beta version of the dapp working on a testnet. Smart contracts’ bug bounty is still active. We invite our clients that need an audit to use the tool and provide feedback, while tweaking the process incrementally as needed. The community will also be invited to test it at this time.
- Month 3: Wrap up the bug bounty and finalize the fixes resulting from it. Open up the marketplace on a testnet for both users and auditors. While the marketplace should be ready for use at that point, we feel the wise thing to do is to let it run on a testnet (while processing payments manually) for at least 3 to 4 months before pushing it to the mainnet.
Relevant links
- Solidified.io
- web.solidified.io (beta bug bounty platform)
- https://github.com/solidified-platform/audits