VESPR Wallet: Security Audit / Penetration Test

[GENERAL] Name and surname of main applicant

Derek Delgado

[GENERAL] Email address of main applicant

derek@vespr.xyz

Additional applicants

Alex Dochioiu

Andy Belichkov

[GENERAL] Please specify how many months you expect your project to last (from 2-12 months)

4

[GENERAL] Please indicate if your proposal has been auto-translated into English from another language.

No

[GENERAL] Does your project have any dependencies on other organizations, technical or otherwise?

Yes

[GENERAL] If YES, please describe what the dependency is and why you believe it is essential for your project’s delivery. If NO, please write “No dependencies.” .

Our proposal is dependent on professional auditing firms to conduct security checks on the VESPR Wallet app. These firms will provide the necessary expertise in Flutter and mobile app security to ensure the app's integrity and trust.

[GENERAL] Will your project’s output/s be fully open source?

Yes

[GENERAL] If NO, please describe which outputs are not going to be open source. If YES, please write “Project will be fully open source.”

Project will be fully open source. The final audit report will be made publicly available.

[METADATA] Category of Proposal

Wallet

[IMPACT] Please describe your proposed solution.

While VESPR Wallet is founded on rigorous security standards, we aim to elevate user trust and assurance through a professional security audit and/or penetration test. 

We plan to employ expert services with proficiency in mobile app security and the Flutter framework to conduct a comprehensive security audit and/or penetration test. This in-depth examination will identify and allow us to promptly address any hidden vulnerabilities or potential security breaches.

As a component of the Cardano ecosystem, we understand our role in shaping users' perception of Cardano. By fortifying users' confidence in our commitment to asset protection, we enhance not only VESPR Wallet but also the overall reputation of Cardano. This endeavor, in turn, will elevate Cardano's attractiveness and credibility, strengthening its position as a leading blockchain platform.

[IMPACT] How does your proposed solution address the challenge and what benefits will this bring to the Cardano ecosystem?

Our proposed solution directly addresses the challenge by fortifying trust in the Cardano ecosystem. By undertaking a professional audit and/or penetration testing of VESPR Wallet, we aim to enhance user trust in the services built on Cardano, setting a high standard for security in the ecosystem. 

Our solution's benefits to the Cardano ecosystem are multifaceted:

1. VESPR will be the first Cardano mobile wallet to undergo a security audit, providing verifiably safe access to the Cardano network on users' mobile devices – a critical factor for mass adoption.
2. It elevates user trust and confidence within the ecosystem by illustrating VESPR Wallet's commitment to strict security protocols, potentially leading to increased user engagement, volume, total value locked (TVL) in decentralized financial (DeFi) products in the Cardano ecosystem, delegation (decentralization), and adoption.
3. It positions Cardano as a robust, secure platform to attract new users, developers, and even businesses by proactively mitigating potential security risks.
4. It establishes a standard for other projects in the ecosystem to follow, urging the adoption of best security practices and protocols, ultimately strengthening Cardano's overall security posture.

[IMPACT] How do you intend to measure the success of your project?

The primary measure of success will be the successful completion of a comprehensive security audit and/or penetration test on VESPR Wallet. This rigorous examination will help identify and rectify potential vulnerabilities, thereby bolstering the app's overall security.

In the short term, the audit's success will be evident in our current users' heightened confidence and the subsequent growth in our user base. We plan to measure this through user engagement metrics and app download rates. We also value qualitative measures, such as user feedback and reviews on app stores, to assess the audit's impact on user trust and assurance.

Looking towards the long term, we hope our project sets a trend in the Cardano community, inspiring other dApp and wallet developers to undertake similar security measures. While this outcome is more challenging to quantify, we aim to track its influence by monitoring trends in ecosystem security practices and noting shifts in community discussions and perceptions around security measures.

[IMPACT] Please describe your plans to share the outputs and results of your project?

We aim to communicate the final report of this security audit and/or penetration test by publishing an overview of the process and outcomes, preserving the confidentiality of sensitive information. We'll share these results with the Cardano community and our users, through our social media channels like our official website, as well as Discord and Twitter.

The insights and improvements that come from this audit will play an essential role in our future development plans. The findings will allow us to enhance our security practices and incorporate any learned best practices into our development process. This audit isn't just a one-time event, but a stepping stone in our ongoing commitment to security, ensuring that every feature we add and every update we make keeps VESPR Wallet secure.

[CAPABILITY/ FEASIBILITY] What is your capability to deliver your project with high levels of trust and accountability?

We are an agile team of three individuals equipped with both the technical expertise and operational prowess necessary to execute this project successfully and responsibly. 

Our work with VESPR Wallet, not only speaks to our deep understanding of Cardano's architecture, but it also showcases our vested interest in preserving a positive reputation within the Cardano ecosystem. The success of the VESPR Wallet and the trust it has earned from its user base serve as evidence of our team's dedication and integrity.

Alex, our Lead Senior Architect, has significant experience in mobile app development and has led projects on security-critical mobile applications for leading financial institutions like American Express, Virgin Money, and Tesco Bank. His stringent emphasis on security and industry best practices guarantees a high standard of delivery in our projects.

Derek, our UI/UX Designer, Product Owner, and Social Media Manager, has been instrumental in shaping VESPR Wallet, manifesting not just his creative prowess in designing intuitive and engaging user interfaces, but also his strategic acumen in product management. Derek's diligent social media efforts have also been key in fostering a vibrant and supportive community around VESPR Wallet, underlining our commitment to ongoing engagement and responsiveness to our user base. As a result, VESPR Wallet has become a notable success in the Cardano ecosystem and serves as both a testament to Derek's skills and a validation of our team's overall competence and commitment.

On the operational front, we’re very fortunate to have Andy, who brings over a decade of leadership experience in business management, specializing in operational efficiency and financial goal attainment. He has a proven track record, most recently coordinating and spearheading the 2022 CNFT Con Afterparty in Las Vegas, successfully managing five different teams contributing to the event, and showcasing his adeptness at fund management and event organization. His expertise ensures diligent and transparent handling of funds as well as strategic business direction.

Our unique blend of technical knowledge, proven record in Cardano-based project execution, and solid business management make us highly capable of delivering this project.

[CAPABILITY/ FEASIBILITY] What are the main goals for the project and how will you validate if your approach is feasible?

The primary objectives for our project are:

• Security Audit: We plan to engage professional audit and penetration testing services to conduct an exhaustive evaluation of the VESPR Wallet. The audit will encompass all aspects of the application, with the goal of identifying any potential vulnerabilities, bugs, or attack vectors.

• Addressing Identified Security Risks: Upon completion of the audit, we will systematically rectify each of the detected vulnerabilities. Our objective is to resolve all significant issues uncovered during the audit, thereby enhancing the security robustness of the VESPR Wallet.

• Enhancing User Confidence and Trust: By undertaking this audit and addressing any discovered risks, we aim to strengthen user confidence and trust in our product, indirectly contributing to enhancing the perception and reputation of the Cardano ecosystem as a whole.

We will consider our project successful if the audit reveals no critical vulnerabilities after we have addressed all detected issues.

[CAPABILITY/ FEASIBILITY] Please provide a detailed breakdown of your project’s milestones and each of the main tasks or activities to reach the milestone plus the expected timeline for the delivery.

We plan to adopt the Agile project management methodology, facilitated by bi-weekly meetings to assess progress and resolve issues. Our team will use Discord for continuous communication and Trello for task and deadline management. Regular updates will be provided to the community, enhancing transparency and accountability. 

We anticipate the entire project to span approximately two to three months, commencing from the time of funding receipt. These estimates, however, do not factor in potential unforeseen challenges or delays.

• Milestone 1: Selection of Audit Firm  

Expected Duration: weeks

Expected Cost: $1,000

We will select the audit firm based on costs, industry reputation, and alignment with our project's needs.

Success Criteria: Finalize and contract an audit firm for the project.

• Milestone 2: Initiating Audit

Expected Duration: 1-2 weeks

Expected Cost: $20,000

The initiation of the security audit and/or penetration test conducted by the chosen security firm.

Success Criteria: Paying the audit firm and initiating the audit process.

• Milestone 3: Initial Audit Report

Expected Duration: 2-6 week

Expected Cost: $0 (included in audit costs)

Delivery of the audit report will detail any potential vulnerabilities or issues that need to be addressed by our team. We will regularly monitor and communicate with the firm to ensure the audit is progressing as planned.

Success Criteria: Receipt of a comprehensive audit report.

• Milestone 4: Issue Addressal

Expected Duration: 3-4 weeks

Expected Cost: $8,000

Post-audit, we will address any vulnerabilities or issues highlighted in the audit report. 

Success Criteria: Successful resolution of identified vulnerabilities and issues.

• Milestone 5: Validation of Fixes, Final Audit Report, & Marketing

Expected Duration: 2-4 weeks

Expected Cost: $1,000

The audit firm will validate the addressed issues, ensuring that all vulnerabilities have been effectively rectified. 

Success Criteria: Obtain validation from the audit firm on the effective resolution of all identified issues.

These timeframes and costs are best estimates as of now, and adjustments will be made as necessary based on actual progress and costs.

[CAPABILITY/ FEASIBILITY] Please describe the deliverables, outputs and intended outcomes of each milestone.

• Milestone 1: Selection of Audit Firm  
• Deliverables: Selection of security firm.
• Outcome: We will select the security firm based on costs, industry reputation, and alignment with our project's needs.
• Progress Measurement: Confirmation of the formal agreement with the chosen firm.

• Milestone 2: Initiating Audit
• Deliverables: Successful initiation of the audit process.
• Outcome: This phase allows us to identify potential vulnerabilities and areas of improvement in our system. It is an essential step towards securing our wallet.
• Progress Measurement: Confirmation of audit completion from the audit firm.

• Milestone 3: Initial Audit Report
• Deliverables: Confirmation of receipt of initial audit report.
• Outcome: The initial audit report is crucial to understanding the state of our security. It gives us a roadmap of what needs to be addressed to enhance the security of our wallet.
• Progress Measurement: Receipt and review of the detailed audit report.

• Milestone 4: Issue Addressal  
• Deliverables: An internal report detailing resolved vulnerabilities and improvements made.
• Outcome: This milestone ensures that potential security concerns raised in the audit report have been addressed effectively.
• Progress Measurement: Completion of the internal report.

• Milestone 5: Validation of Fixes  
• Deliverables: A final validation report from the audit firm, affirming that the identified issues have been effectively addressed.
• Outcome: The validation report provides us assurance of the enhanced security of our wallet.
• Progress Measurement: Receipt and review of the final validation report.

[RESOURCES & VALUE FOR MONEY] Please provide a detailed budget breakdown of the proposed work and resources.

Our budget of $30,000 or roughly ~₳105,000 at the time of writing will be allocated across the following areas: security auditing, vulnerability resolution, project management, and community engagement. Here is the detailed breakdown:

Security Audit: 70,000₳ (~$20,000)

The majority of the funds will be allocated for the security audit. This includes penetration tests, code reviews, and vulnerability scanning. The estimate is based on the average quotes from several reputable security firms.

Vulnerability Resolution: 28,000₳ (~$8,000)

Following the security audit, these funds will be utilized to address any vulnerabilities or issues identified. Our experienced development team will rectify these vulnerabilities, ensuring our wallet's security and reliability.

Project Management, Administration, & Marketing: 7,000₳ (~$2,000)  

This allocation will go towards the effective coordination and management of the project, ensuring that milestones are reached timely and efficient. We will also allocate some of these funds for marketing the successful audit.

[RESOURCES & VALUE FOR MONEY] How does the cost of the project represent value for money for the Cardano ecosystem?

The majority of the budget is allocated towards professional security audit services. These specialized firms provide thorough evaluations of our application, pinpoint potential vulnerabilities, and thereby safeguard our users' assets and maintain the Cardano network's overall integrity. The costs associated with these services reflect industry standards and are based on quotes received from multiple reputable security audit firms.

Funds have also been designated for the development team to address any security flaws discovered during the audit.

Additionally, a small portion of our budget is set aside for project management, administration, marketing, and community engagement. This allocation ensures that project timelines are efficiently met, expectations are effectively managed, and consistent updates are provided to the community.

Our budget determination is rooted in industry standards, prior professional experience, and a detailed analysis of project requirements.

[IMPORTANT NOTE] The Applicant agreed to Fund10 rules and also that data in the Submission Form and other data provided by the project team during the course of the project will be publicly available.

I Accept