DApp upgrades are an extreme security risk for the Cardano ecosystem because there is no widely adopted on-chain solution to enforce a secure upgrade path.
This is the total amount allocated to On-chain Certifications & Secure Smart Contract Upgrade Mechanism.
A framework that can enforce a secure upgrade path for on-chain smart contracts.
No dependencies
Apache License
Currently, DApps on Cardano have to decide between two painful options with regard to facilitating smart contract upgrades:
Option 1 introduces a backdoor to steal from users by moving funds to an arbitrary insecure smart contract, thus deactivating security mechanisms.
Option 2 has a number of obvious issues. First and foremost, if a user is not informed of the protocol migration, their funds will sit inactive indefinitely and, in certain cases, become inaccessible to them without special technical support or support from the protocol's authorized agents (which, for instance, might be required to interact with a deprecated liquidity pool on a DEX). Inactivity alone is a tremendous problem, as illustrated by the large amount of stake delegated to inactive pools.
This proposal offers a third option that facilitates smart contract upgrades without introducing a backdoor or allowing arbitrary transfers of users' funds.
Several components are required to facilitate secure DApp upgrades on Cardano.
This upgrade mechanism is critical for the future of DJED, as well as for the safety of the Cardano ecosystem.
This proposal will enable smart contract protocols on Cardano to upgrade without relying on social migration or introducing a backdoor that puts users' funds at risk. The current lack of a secure upgrade mechanism is a huge security risk for the Cardano ecosystem. Many of the top TVL protocols currently support arbitrary upgrade paths that put all the funds at risk, since a malicious upgrade can steal all funds. The secure upgrade mechanism will enable protocols to support smart contract upgrades without putting users' funds at risk, while offering support to build fully decentralized protocols.
Additionally, the proposal will enable users (and wallet providers) to easily verify whether the smart contract they are interacting with is audited. This significantly reduces the risk of DApp phishing attacks.
Our team consists of highly skilled developers with experience developing open-source tooling (Convex) in the ecosystem. Our developers are extremely experienced in all stages of DApp development on Cardano from design and architecture all the way to Mainnet releases including the Djed protocol. They are intimately familiar with the requirements of DApp protocols, and the nuances of smart contract development on Cardano. We are uniquely positioned to deliver this critical infrastructure to the Cardano ecosystem.
Historically, a number of promising, well-intentioned tools and libraries in the ecosystem did not see much traction upon release. Often this can be the result of the tooling being developed in a vacuum, without feedback from integrating it for production use cases.
In order to make sure that the proposed framework is well-equipped for production use we will develop and revise it with feedback from a production use-case; namely, the DJED protocol.
CIP-96 describes a standardized method for certificates to be published and stored on-chain and for stakeholders to be able to verify the different claims of the certificates. However, the certificates are published on-chain via the transaction metadata, which is, in practice, not accessible from Plutus smart contracts.
A prerequisite of our proposed secure upgrade mechanism is that relevant information from audit certificates is accessible from within Plutus smart contracts.
This milestone encompasses updating the specification of CIP-96 with respect to the following:
Once the framework for secure smart contract upgrades is established, protocols will have to integrate the newly established standard into their smart contracts. If they have to do so from scratch, the burden of work required might dissuade them, or they might make mistakes in utilizing the standard.
This milestone encompasses the development and publication of a smart contract library designed to vastly simplify the process through which existing DApps can implement a secure upgrade mechanism for their smart contracts.
Our goal is to provide extensive developer documentation to ensure that this framework is not only user-friendly but also highly intuitive for developers to utilize effectively.
We will develop a series of tests for the secure upgrade mechanism smart contract library. These tests will serve to offer a degree of confidence in the security and reliability of the framework.
This milestone encompasses the development and publication of the overarching DApp Certification framework.
This milestone entails the creation of testing procedures and the execution of a high level security analysis for the DApp certification framework.
Jean-Frédéric Etienne has more than 15 years of experience in safety and threat analysis and is an expert in several formal verification techniques. He is currently the architecture and technical lead for the Djed implementation on Cardano and has put in place a property-based testing methodology to extensively assess the correctness and robustness of Plutus smart contracts against all potential attacks. He has also specified and proved the adaptation of the Djed protocol on the EUTxO model and has developed a set of Plutus libraries to produce optimized on-chain code.
Jean-Frédéric will be working on the design and architecture of the secure upgrade mechanism as well as safety analysis of the on-chain framework.
Philip DiSarro has an MS in Compiler Development & Programming Language Theory. He was the lead smart contract architect of many features on WingRiders DEX. Philip has also made significant contributions to the Cardano developer ecosystem. As a co-chair of the IOHK developer experience working group he worked to identify and resolve pain points that DApp developers experience in Cardano, and had an integral role in getting Lucid & Plutus Simple Model included in the Plutus Pioneer Program. He has a vast wealth of experience in smart contract auditing and security on Cardano.
Philip is a senior Haskell developer on the Cardano Stablecoin Venture team, a consultant and lecturer for Emurgo and a founder of Anastasia Labs.
Philip will be contributing to the implementation of the secure upgrade mechanism smart contract library.
Romain Soulat has more than a decade of experience in the development and application of verification tools for high-profile certified products. He has been a research engineer for almost 10 years and is now the Technical Lead for Certification at IOG, where he has been leading the development of testing tools. He has also been actively involved in the Certification working group and is the main author of CIP-0096.
Romain will be working on the new design of CIP-0096, using CIP-0068 style metadata. He will lead discussions with different stakeholders to ensure that the new design of CIP-0096 meets all the previously identified requirements, as well as the new ones from the types of applications described in this proposal. Additionally, he will ensure that the design will be well adopted by the community.
Total cost: 400,000 Ada
The schedule accounts for delays such that if the timeline exceeds the above, the work will be continued until the proposal is feature complete.
Simply put, right now users' funds in many DApps are at risk of being stolen via a malicious smart contract upgrade. This proposal intends to bring in a tangible and secure solution.
The proposed project's cost is valuable for the Cardano ecosystem by addressing critical security and usability concerns related to DApp upgrades. By investing in the development of a secure upgrade mechanism and associated components, Cardano can mitigate the risk of user funds being compromised during smart contract updates. This not only safeguards the ecosystem's reputation but also fosters user trust and confidence in Cardano-based DApps. Additionally, the project's commitment to testing and integration with real use cases, such as the DJED protocol, ensures that the solution is practical and effective. Furthermore, the provision of a smart contract library to integrate this secure upgrade mechanism, together with comprehensive documentation, streamlines adoption for existing DApps, reducing development overhead and potential errors. In essence, the project's cost translates into enhanced security, usability, and overall ecosystem stability, making it a sound investment for Cardano.