Smart contract-enabled systems have ushered in a new era of innovation. Yet, alongside boundless opportunities, such systems have introduced significant risks and are extremely vulnerable to exploits.
This is the total amount allocated to Security Oracles - a new approach to active Smart Contracts security. 2 out of 4 milestones are completed.
1/4
Research, Planning & Specifications
Cost: ₳ 29,000
Delivery: Month 1 - Apr 2024
2/4
Security Oracle Proof of Concept Implementation of Smart Contracts
Cost: ₳ 29,100
Delivery: Month 3 - Jun 2024
3/4
Demonstrating the concept with a mock off-chain monitoring system and exploring potential approaches and business models for real implementations
Cost: ₳ 24,350
Delivery: Month 5 - Aug 2024
4/4
Conclusion, Documentation, and Suggested Next Steps
Cost: ₳ 14,550
Delivery: Month 6 - Sep 2024
NB: Monthly reporting was deprecated from January 2024 and replaced fully by the Milestones Program framework.
Itai Greenberg – CSO at Check Point
Albert Niderhofer - Principal Architect at Microsoft
M. Ali Modiri - Smart Contract Developer at Andamio
Proposing 'Security Oracles': An active defense approach to smart contract security, offering real-time safety data to fortify smart contract-enabled systems on Cardano.
No dependencies
As part of the project, we will analyse several potential business models around the proposed solution. The open-source status of the project output will depend on the analysis. While the main criteria for the decision will be the impact on the wider Cardano ecosystem, it is possible that some components of the proposed solution will remain proprietary.
Smart-contract security within the Cardano ecosystem currently relies heavily on passive methods such as code audits and static analysis. However, for smart-contract enabled systems to fully unlock their potential and attract high-value use cases, an imperative shift toward active protection mechanisms is necessary. Passive approaches alone may fall short in addressing the dynamic and evolving threats these systems face. An active approach is vital to proactively safeguarding smart contracts, ensuring their integrity and reliability amidst a rapidly evolving landscape of vulnerabilities and risks.
Our approach focuses on developing a Security Oracle framework tailored explicitly for Cardano's smart contracts. This comprehensive framework aims to mitigate vulnerabilities by integrating an off-chain security monitoring and scoring system with an on-chain oracle component, thereby providing accessible data to any smart contract running on Cardano.
Our initial step involves building a proof of concept by implementing the smart-contract component and integrating it with a simulated off-chain monitoring system. Subsequently, we will explore various technologies, approaches, and business models to advance the development of the monitoring system. Our goal is to ensure the proposed solution aligns with Cardano's standards of being open, permissionless, and decentralized.
By embracing a versatile approach, we aim to fortify the reliability and security of smart contracts. This endeavor addresses the critical need for trustworthy interactions and enhanced security measures within the Cardano ecosystem.
The project's success will significantly benefit the Cardano community by:
Enhancing Security: Improving smart contract security through Security Oracles will bolster trust and reliability, mitigating vulnerabilities and potential exploits, thereby safeguarding users' funds and data.
Increasing Adoption: By addressing security concerns, the project aims to instill confidence in developers and users, encouraging greater adoption of smart contracts within the Cardano ecosystem.
Measuring Impact:
Quantitatively, impact can be gauged by tracking the reduction in security incidents, vulnerabilities identified and addressed, as well as an increase in the number of secure smart contracts deployed. Qualitatively, feedback from developers, users, and security experts regarding enhanced trust and confidence in the system will be valuable indicators.
Sharing Outputs:
Outputs, such as best practices, security tools, and insights gained from the project, will be disseminated widely within the Cardano community through dedicated reports, publications, workshops, and presentations at conferences. Collaboration with developer communities, security experts, and relevant stakeholders will facilitate knowledge-sharing and promote the adoption of improved security practices.
The success of this project will bring tangible value by fortifying the security of smart contracts, fostering a more secure and reliable ecosystem, which in turn will attract more developers and users to engage with Cardano's smart contract platform. Sharing insights and tools developed through this project will empower the community to embrace and implement enhanced security measures, contributing to the long-term growth and sustainability of the Cardano network.
As the project lead and with a background in software development and finance, I'll be steering this initiative. My experience in managing research-oriented projects equips me well for this role, drawing from expertise in software development and financial domains. My tenure as a DeFi hedge fund manager has provided me with profound insights into smart contract-based systems and the intricacies they entail. This firsthand experience has honed my understanding of the challenges surrounding smart contract security, making me well-versed in addressing vulnerabilities within these systems.
Joining me are distinguished experts. Itai Greenberg, presently the Chief Strategy Officer (CSO) at Check Point Software Technologies, Ltd., brings extensive knowledge in cybersecurity. His role ensures our project integrates cutting-edge security practices and benefits from his hands-on experience in addressing security vulnerabilities in complex systems.
Albert Niderhofer, currently serving as a Principal Architect at Microsoft, will further enrich our team. With a robust background in security and technical architecture, Albert's expertise, particularly in knowledge graphs, presents a unique advantage in designing innovative security frameworks.
Our collective knowledge base, coupled with firsthand experience addressing security challenges in sophisticated systems, bolsters our capability to deliver a pioneering security solution for Cardano's smart contracts.
Regarding fund management, our team values transparency and accountability. We will meticulously outline the budget, aligning it with the project's objectives. This disciplined approach ensures prudent use of funds, strictly adhering to the project scope while upholding the highest financial integrity standards.
Through the combined expertise of our team, we are confident in developing a robust security solution that enhances smart contract security within the Cardano ecosystem.
As an experienced professional with a background in software development and finance, I am well-equipped to lead this project. My track record includes successfully managing and delivering research-oriented projects, leveraging my expertise in both software development and financial domains.
Research and Planning
This milestone involves conducting comprehensive research and planning for the Security Oracle Proof of Concept (PoC). It aims to gather insights into existing smart contract vulnerabilities within the Cardano ecosystem and outline the design and architecture of the proposed Security Oracle PoC.
4 weeks, 15k ADA
Security Oracle Proof of Concept Implementation in Smart Contracts with Mock Off-chain Security Monitoring
This milestone involves integrating a mock off-chain security monitoring system with a smart contract within the Cardano ecosystem. The goal is to demonstrate the feasibility of the Security Oracle concept by implementing basic functionalities using a simulated off-chain monitoring system.
10 weeks, 60k ADA
Exploration of Potential Approaches and Business Models for Off-chain Security Monitoring Systems
This milestone focuses on researching and presenting various potential approaches for developing off-chain Security Monitoring Systems, alongside exploring diverse business models that could encourage the creation and implementation of such systems within the Cardano ecosystem.
4 weeks, 15k ADA
Conclusion, Documentation, and Suggested Next Steps
This final milestone aims to conclude the Proof of Concept project on Security Oracles for smart contracts within the Cardano ecosystem. It includes summarizing findings, compiling comprehensive documentation, and suggesting potential next steps for future development or implementation.
3-4 weeks, 10k ADA
Shay Gammer - Project Lead/Manager
Seasoned professional with a diverse background in computer science and finance, adept at leveraging blockchain technologies to drive innovation. Demonstrated expertise in overseeing multifaceted projects and fostering cross-disciplinary collaborations.
Responsible for overseeing the project, coordinating efforts, managing resources, and ensuring the project's overall success.
https://www.linkedin.com/in/shay-gammer-8046966/
Itai Greenberg - Security Expert
As the Chief Strategy Officer (CSO) at Check Point Software Technologies, Itai brings extensive experience in cybersecurity and strategic planning. With a wealth of knowledge in security methodologies and a comprehensive understanding of threat landscapes, Itai is well-versed in identifying and mitigating security risks. His role in the project involves providing expert insights into security practices, advising on potential vulnerabilities, and contributing to the Security Oracle framework design. Furthermore, Itai will also spearhead the validation of business models and assess the viability of off-chain Security Monitoring components, ensuring the feasibility and efficacy of proposed solutions.
https://www.linkedin.com/in/itai-greenberg-bb3984/
Albert Niderhofer - Security Expert & Solution Architect
Albert, currently serving as a Principal Architect at Microsoft, possesses a profound background in security architecture and solution design. His expertise lies in formulating robust security strategies and architectural frameworks for complex systems. Albert's contributions to the project encompass aiding in the development of the Security Oracle framework, providing architectural insights, and contributing to the security aspects of the project.
https://www.linkedin.com/in/albert-niderhofer/
Ali Modiri – Smart Contract Development
A versatile individual with experience in Mechatronic studies and a background in the Iranian young mathematics association. With a cybersecurity background as a malware analyst and penetration tester, he excels at addressing digital threats. Ali's programming proficiency spans from low-level languages like Assembly and C to high-level languages like Golang and TypeScript. As a proud student of Gimbalabs, he specialized in Plutus smart contract development for blockchain projects. He contributes to the Cardano community as a member of the Cardano Certification Working Group and an author of CIP 96, while his ultimate passion lies in helping humanity transcend its current struggles. Ali will be responsible for the technical implementation aspects related to the smart contract component.
https://www.linkedin.com/in/m-a-modiri/
Milestone 1 - Research & Planning - 15,000 ADA
Team ~ 25 hours
Solution Architect ~25 hours
Project Lead ~10 hours
Milestone 2 - Security Oracle Proof of Concept Implementation - 60,000 ADA
Team ~40 hours
Blockchain Developer ~100 hours
Milestone 3 - Exploration of Potential Approaches and Business Models - 15,000 ADA
Security Experts ~ 20 hours
Team ~ 20 hours
Project Lead ~ 20 hours
Final Milestone - Conclusion, Documentation, and Suggested Next Steps - 7,000 ADA
Team ~ 15 hours
Project Lead ~ 20 hours
Total - 97,000 ADA
This proposal endeavors to introduce and implement active security measures tailored for smart contracts within the Cardano ecosystem. By fortifying the security infrastructure of smart-contract based systems, our aim is to instill a heightened level of trust, reliability, and integrity within the Cardano network. We firmly believe that establishing this robust security framework will serve as a catalyst, clearing the path for broader and more confident adoption of Cardano-powered applications, transactions, and decentralized solutions.
Collaborating with leading cybersecurity experts from established organizations serves as a pivotal step in ensuring the effectiveness and credibility of our approach. Leveraging the insights and expertise of these experts will significantly contribute to fortifying the security layers of smart contracts, addressing vulnerabilities, and establishing best-in-class security practices within the Cardano ecosystem. This collaboration not only validates our approach but also signifies a collective effort towards fostering a more secure and resilient environment, setting new benchmarks for security standards in the blockchain space.
The outlined costs in our proposal are meticulously calculated to drive impactful advancements in the development of Security Oracles within the Cardano ecosystem. This initiative aims to address critical gaps in smart contract security, emphasizing not only immediate security enhancements but also the attraction of a more extensive user base and increased trust in the system's reliability.
These costs are justified by the anticipated outcomes, focusing on bolstering security measures and establishing Cardano as a secure and trustworthy platform for decentralized applications. The envisioned value created by fortifying the Security Oracles system transcends the initial investment. This project is poised to fortify the ecosystem, instilling confidence and reliability that far surpasses the project's initial expenses.
Leveraging our team's extensive expertise in cybersecurity, blockchain technology, and collaboration with leading experts, we ensure judicious allocation of funds to achieve tangible and robust security solutions. Our ultimate goal is to establish a long-lasting security infrastructure for the Cardano community, making smart contracts more resilient, trustworthy, and attractive for developers and users alike.