Smart Contract Vulnerabilities Game – Capture the Flag (CTF)

[GENERAL] Name and surname of main applicant

[GENERAL] Email address of main applicant

Additional applicants

The rest of the Vacuumlabs auditing team

[GENERAL] Please specify how many months you expect your project to last (from 2-12 months)

[GENERAL] Please indicate if your proposal has been auto-translated into English from another language.

[GENERAL] Does your project have any dependencies on other organizations, technical or otherwise?

[GENERAL] If YES, please describe what the dependency is and why you believe it is essential for your project’s delivery. If NO, please write “No dependencies.” .

No dependencies.

[GENERAL] Will your project’s output/s be fully open source?

[GENERAL] If NO, please describe which outputs are not going to be open source. If YES, please write “Project will be fully open source.”

Project will be fully open source.

[METADATA] Category of Proposal

[IMPACT] Please describe your proposed solution.

Developing Smart Contracts (SC) on Cardano is especially challenging as the security is an integral part of every SC. Security risks and the ways to mitigate them is a far-reaching and complex subject and the community lacks educational materials to help them design secure smart contracts. 

Such a predicament qualifies as a major security problem that can potentially cause staggering financial and reputational damages, sometimes escalating to millions of ADA. Evidence of this problem can be seen in numerous audits of SCs, which frequently uncover a multitude of vulnerabilities of varying degrees. We have found critical vulnerabilities in almost every single audit that we have conducted. Our public reports that show this can be found at https://github.com/vacuumlabs/audits/tree/master/reports. We also notice this trend in numerous non-public audits. These critical vulnerabilities lead to either freezing or stealing all the funds locked in the contracts.

While our audits prevented these vulnerabilities, an audit should be only one of the steps in the overall security of the code. The security of the final contract should not be based on audit findings only. This starts with raising the security awareness and a proper education in the field.

We aim to create a Capture the Flag (CTF) game to raise the security awareness of developers about SC vulnerabilities through custom-made vulnerable smart contracts that you can interact with and exploit. We plan to release:

• 10 levels in the game - 10+ smart contracts that provide clear examples of common smart contract vulnerabilities.
• A simple-to-use documented offchain code that developers can use to deploy and interact with these vulnerable smart contracts on the testnet.
• A series of blog posts with solutions to the tasks, broader materials on the vulnerabilities and ways to prevent them.
• Tweets about the tasks.
• A Discord channel where users can interact and share their results.

[IMPACT] How does your proposed solution address the challenge and what benefits will this bring to the Cardano ecosystem?

Our solution will benefit the community in multiple ways:

• Security education – Developers who complete the tasks will gain a much better understanding of smart contract vulnerabilities, thereby reducing the likelihood of designing or implementing vulnerable smart contracts. This will increase the safety and trust of Cardano users. 
• Cheaper smart contract development – Currently, audits are often prolonged because there are many vulnerabilities and auditors need to review each fix. When the contracts are designed with security in mind and all the findings and fixes are small, the audit can take less time. This means cheaper audits and faster deployment of new smart contracts.
• Open source material – We will release 10+ different small open source smart contracts, which will substantially contribute to the ecosystem of Cardano. New developers will be able to use these smart contracts and learn new code patterns from them.
• Talent attraction – CTFs often attract many problem-solvers with a security mindset. These individuals will have the motivation to learn the Cardano smart contracts just to be able to solve the vulnerabilities and share the results with their own communities. By this, we could attract new developers and users to the Cardano community.
• Money loss prevention – The community can benefit greatly from increased security as any vulnerability can potentially cost huge amounts of money. For example, our auditors have found vulnerabilities which, if exploited, would have cost the Cardano users more than 220 million USD. Most of these vulnerabilities were preventable by increased security knowledge.

[IMPACT] How do you intend to measure the success of your project?

The important quantitative metrics for us are:

• Number of times the repository with tasks was cloned
• Number of users in our discord channel
• Retweets/mentions of the tasks shared on Twitter
• Number of readers of our blogs

We will also collect user feedback from successful and unsuccessful solvers in our discord channel.

[IMPACT] Please describe your plans to share the outputs and results of your project?

All the tasks will be fully open-source. The resulting package will be an open-source GitHub repository with 10+ smart contracts and the offchain code to interact with the contracts. We will promote this repository over social media such as Twitter, Reddit and blog posts. 

A few months after the release, we will share an evaluation of our performance and the results of our metrics in a blog post.

[CAPABILITY/ FEASIBILITY] What is your capability to deliver your project with high levels of trust and accountability?

As seasoned auditors of smart contracts on Cardano, we have lots of experience with audits and design reviews, conducted in Plutus, Plutarch, and Aiken languages. We have already uncovered a variety of vulnerabilities. Our audits can be seen at https://github.com/vacuumlabs/audits. We are also starting to release a series of blogs on common Cardano vulnerabilities which can be found at https://medium.com/@vacuumlabs_auditing.

Drawing from our expertise, we're assured in our ability to develop a wide range of top-quality tasks.

[CAPABILITY/ FEASIBILITY] What are the main goals for the project and how will you validate if your approach is feasible?

1. Teach developers and anyone interested in Cardano about the most common vulnerabilities and ways to avoid or mitigate them.
2. Increase security awareness across the Cardano community. By having more resources about security online, the users of the Cardano community can understand audit reports better and make more informed decisions.
3. Give seasoned developers, new people learning Cardano and also enthusiasts not only an option to read about various vulnerabilities but also an option to challenge themselves by finding vulnerabilities in actual code. 
4. Attract problem-solvers to Cardano smart contracts by giving them a series of simple and fun challenges.

Our approach is validated in other blockchains and the whole computer security community by wide adoption of CTFs. For example, very popular CTFs for EVM smart contracts include:

• https://ethernaut.openzeppelin.com/
• https://www.damnvulnerabledefi.xyz/

CTFs have a long history and attract many people. Cardano currently lacks any CTF platform.

[CAPABILITY/ FEASIBILITY] Please provide a detailed breakdown of your project’s milestones and each of the main tasks or activities to reach the milestone plus the expected timeline for the delivery.

Phase 1: Preparation of the framework and a sample task (3 weeks)

• Designing a framework for deploying, interacting and exploiting the smart contracts.
• Creation of a sample, one easy task with tests.
• Creation of tests to determine successful task completion.

Phase 2: Preparation of 6 tasks (1.5 months)

• We use the framework and experience from building the sample task to create 6 more tasks.

Phase 3: Preparation of the last 3 more complex tasks (1.5 months)

• The last 3 tasks will be more complex and difficult to solve than the rest.

Phase 4: Promotion and maintenance (at least 3 months)

• Sharing the tasks with the community through the open GitHub repo.
• Promoting the tasks on various social media.
• Publishing blogs with detailed explanations and solutions.
• Evaluating user feedback.
• Interacting with the users on social media s.a. Discord and Twitter. 
• Potentially expanding the platform if many users show interest.

[CAPABILITY/ FEASIBILITY] Please describe the deliverables, outputs and intended outcomes of each milestone.

Phase 1

• A sample task
• Task where users have to exploit a simple double satisfaction vulnerability
• The task consists of a vulnerable smart contract, off chain code to deploy and interact with the contract and documentation to help understand the code

Phase 2: 

• 6 more tasks similar in scope to the sample task

Phase 3: 

• 3 more complex tasks
• Larger smart contracts with multiple steps 
• More secured smart contracts where the vulnerability is not that simple to find

Phase 4:

• Promotion of the challenges through tweets, blogs and other social media
• Collection and evaluation of the aforementioned metrics and user feedback
• Series of blog posts 
• Detailed blogs with solutions to the tasks
• Description of exploited vulnerabilities
• Security tips from auditors
• Interaction with the community and solvers of the challenges

[RESOURCES & VALUE FOR MONEY] Please provide a detailed budget breakdown of the proposed work and resources.

For each task, we need to:

1. Design the task.
2. Write the smart contracts (SC) — in case of a more complex level, multiple are needed.
3. Write offchain code that deploys and interacts with the smart contract.
4. Write documentation of the SC and the problem statement.
5. Test the smart contracts and offchain code.
6. Maintain the task after its release, communicate with users and incorporate the feedback. 

Because our auditors are experienced, they can do this in a relatively short time. Therefore, our budget is:

Phase 1: 25 000 ADA

Phase 2: 75 000 ADA

Phase 3: 65 000 ADA

Phase 4: 15 000 ADA

Together, everything adds up to 180 000 ADA.

[RESOURCES & VALUE FOR MONEY] How does the cost of the project represent value for money for the Cardano ecosystem?

The smart contracts deployed on Cardano mainnet will potentially work with assets worth many millions of dollars. The potential reputational loss for the Cardano blockchain in the event of a major hack would be even greater, potentially costing the whole community and not only the users of the vulnerable smart contract. If our educational material can prevent at least some vulnerabilities, the potential return of the investment is huge not only in terms of the value loss prevented.

Currently, we observe many preventable vulnerabilities during our smart contract audits, largely due to the lack of quality educational resources on Cardano's security and the lack of developers' knowledge in this area. Our educational tool can greatly enhance the security knowledge within the ecosystem. As there isn't a comparable learning tool currently available for Cardano, having one created and maintained by professionals will align with the high-security standards of our blockchain, providing substantial value.

[IMPORTANT NOTE] The Applicant agreed to Fund10 rules and also that data in the Submission Form and other data provided by the project team during the course of the project will be publicly available.