Last updated 6 months ago
During our smart contracts audits on the Cardano network, we often find many easily-preventable vulnerabilities. It stems from a lack of good educational materials in the space of Cardano security.
We will release open-source CTF challenges where developers and enthusiasts can exploit vulnerable smart contracts and learn about the most common security issues and how to prevent them.
This is the total amount allocated to Smart Contract Vulnerabilities Game – Capture the Flag (CTF). 5 out of 5 milestones are completed.
1/5
Preparation of the framework and a sample task
Cost: ₳ 25,000
Delivery: Month 1 - Nov 2023
2/5
3 more simple tasks
Cost: ₳ 37,500
Delivery: Month 2 - Dec 2023
3/5
3 more tasks
Cost: ₳ 37,500
Delivery: Month 3 - Jan 2024
4/5
3 more complex tasks
Cost: ₳ 49,000
Delivery: Month 4 - Feb 2024
5/5
Promotion and maintenance (at least 3 months)
Cost: ₳ 31,000
Delivery: Month 7 - May 2024
The rest of the Vacuumlabs auditing team
No dependencies.
Project will be fully open source.
Developing Smart Contracts (SC) on Cardano is especially challenging as the security is an integral part of every SC. Security risks and the ways to mitigate them is a far-reaching and complex subject and the community lacks educational materials to help them design secure smart contracts.
Such a predicament qualifies as a major security problem that can potentially cause staggering financial and reputational damages, sometimes escalating to millions of ADA. Evidence of this problem can be seen in numerous audits of SCs, which frequently uncover a multitude of vulnerabilities of varying degrees. We have found critical vulnerabilities in almost every single audit that we have conducted. Our public reports that show this can be found at https://github.com/vacuumlabs/audits/tree/master/reports. We also notice this trend in numerous non-public audits. These critical vulnerabilities lead to either freezing or stealing all the funds locked in the contracts.
While our audits prevented these vulnerabilities, an audit should be only one of the steps in the overall security of the code. The security of the final contract should not be based on audit findings only. This starts with raising the security awareness and a proper education in the field.
We aim to create a Capture the Flag (CTF) game to raise the security awareness of developers about SC vulnerabilities through custom-made vulnerable smart contracts that you can interact with and exploit. We plan to release:
Our solution will benefit the community in multiple ways:
The important quantitative metrics for us are:
We will also collect user feedback from successful and unsuccessful solvers in our discord channel.
All the tasks will be fully open-source. The resulting package will be an open-source GitHub repository with 10+ smart contracts and the offchain code to interact with the contracts. We will promote this repository over social media such as Twitter, Reddit and blog posts.
A few months after the release, we will share an evaluation of our performance and the results of our metrics in a blog post.
As seasoned auditors of smart contracts on Cardano, we have lots of experience with audits and design reviews, conducted in Plutus, Plutarch, and Aiken languages. We have already uncovered a variety of vulnerabilities. Our audits can be seen at https://github.com/vacuumlabs/audits. We are also starting to release a series of blogs on common Cardano vulnerabilities which can be found at https://medium.com/@vacuumlabs_auditing.
Drawing from our expertise, we're assured in our ability to develop a wide range of top-quality tasks.
Our approach is validated in other blockchains and the whole computer security community by wide adoption of CTFs. For example, very popular CTFs for EVM smart contracts include:
CTFs have a long history and attract many people. Cardano currently lacks any CTF platform.
Phase 1: Preparation of the framework and a sample task (3 weeks)
Phase 2: Preparation of 6 tasks (1.5 months)
Phase 3: Preparation of the last 3 more complex tasks (1.5 months)
Phase 4: Promotion and maintenance (at least 3 months)
Phase 1
Phase 2:
Phase 3:
Phase 4:
For each task, we need to:
Because our auditors are experienced, they can do this in a relatively short time. Therefore, our budget is:
Phase 1: 25 000 ADA
Phase 2: 75 000 ADA
Phase 3: 65 000 ADA
Phase 4: 15 000 ADA
Together, everything adds up to 180 000 ADA.
The smart contracts deployed on Cardano mainnet will potentially work with assets worth many millions of dollars. The potential reputational loss for the Cardano blockchain in the event of a major hack would be even greater, potentially costing the whole community and not only the users of the vulnerable smart contract. If our educational material can prevent at least some vulnerabilities, the potential return of the investment is huge not only in terms of the value loss prevented.
Currently, we observe many preventable vulnerabilities during our smart contract audits, largely due to the lack of quality educational resources on Cardano's security and the lack of developers' knowledge in this area. Our educational tool can greatly enhance the security knowledge within the ecosystem. As there isn't a comparable learning tool currently available for Cardano, having one created and maintained by professionals will align with the high-security standards of our blockchain, providing substantial value.
NB: Monthly reporting was deprecated from January 2024 and replaced fully by the Milestones Program framework. Learn more here
Smart Contract Auditing Team at Vacuumlabs:
https://vacuumlabs.com/blockchain/smart-contract-auditing/
Michal Porubský is the Lead Smart Contract Auditor at Vacuumlabs. As a founding member of the smart contract auditing and consultancy division, he specializes in providing expert consultation to find the optimal design of decentralized applications and conduct comprehensive Cardano smart contract audits to ensure their robustness and security. He previously worked for WingRiders, NuFi and in the traditional finance world.
Michal Sládeček is a Smart Contract Auditor, a security consultant and an ethical hacker with a very wide range of experience ranging from web exploitation to reverse engineering and cryptography. He is a holder of the OSCP certificate with experience in programming C++, C, Javascript and Python code, and a good theoretical background in algorithms. One of his biggest accomplishments is a bronze medal from the International Olympiad in Informatics (IOI).
Michal Anderle, also a Smart Contract Auditor at Vacuumlabs, honed his problem-solving skills through competitive programming during his studies. His achievements include a bronze medal from the IOI, participation in the ACM ICPC finals, and organizing programming competitions. Currently, he teaches an algorithmic course at a university. In his role, he employs these skills to identify potential vulnerabilities, enhancing the efficiency and security of Cardano clients' products.
Michal Mesároš serves as a Business Analyst and a Sales Representative at Vacuumlabs' Smart Contract Auditors team. He brings experience from traditional finance and running his own business in immersive educational and fun activities coupled with his crypto knowledge gained at a company operating on global crypto exchanges.