Add more and easier levels to Cardano Capture the Flag (CTF)

[GENERAL] Name and surname of main applicant

Michal Porubsky

[GENERAL] Are you delivering this project as an individual or as an entity (whether formally incorporated or not)

Entity (Incorporated)

[GENERAL] Co-proposers and additional applicants

The rest of the Vacuumlabs Auditing team.

[GENERAL] Please specify how many months you expect your project to last (from 2-12 months)

7

[GENERAL] Please indicate if your proposal has been auto-translated into English from another language

No

[GENERAL] Summarize your solution to the problem (200-character limit including spaces)

We want to lower the barrier to entry to our open-source educational smart contract vulnerability CTF game by making more and easier challenges so that it is easier than ever to start learning.

[GENERAL] Does your project have any dependencies on other organizations, technical or otherwise?

No

[GENERAL] If YES, please describe what the dependency is and why you believe it is essential for your project’s delivery. If NO, please write “No dependencies.”

No dependency.

[GENERAL] Will your project’s output/s be fully open source?

Yes

[GENERAL] Please provide here more information on the open source status of your project outputs

All the outputs will be open sourced on Github under the open-source GPL-3.0 license.

[SOLUTION] Please describe your proposed solution

Developing Smart Contracts (SC) on Cardano is especially challenging as the security is an integral part of every SC. Security risks and the ways to mitigate them is a far-reaching and complex subject and the community lacks educational materials to help them design secure smart contracts. 

Such a predicament qualifies as a major security problem that can potentially cause staggering financial and reputational damages, sometimes escalating to millions of ADA. Evidence of this problem can be seen in numerous audits of SCs, which frequently uncover a multitude of vulnerabilities of varying degrees. We have found critical vulnerabilities in almost every single audit that we have conducted. Our public reports that show this can be found in our public archive. We also notice this trend in numerous non-public audits. These critical vulnerabilities lead to either freezing or stealing all the funds locked in the contracts.

While our audits prevented these vulnerabilities, an audit should be only one of the steps in the overall security of the code. The security of the final contract should not be based on audit findings only. This starts with raising the security awareness and a proper education in the field.

For these reasons and thanks to Catalyst fund 10, we created Cardano Capture the Flag (CTF) – A hands-on learning experience for enthusiasts to try to exploit purposely vulnerable smart contracts. You can check the milestones and their timely delivery in the milestone module.

We explored how we could provide and gamify this hands-on learning experience around Cardano smart contract security and provided 10 levels of increasing complexity and difficulty. We received very good feedback from people that were solving it. Alongside, we published a series of blog posts explaining more about the vulnerabilities, see our Medium.

We aim to continue with the project. There are a lot of levels we can imagine adding which would serve two purposes:

• Provide materials to new vulnerabilities or different flavors of the same vulnerabilities.
• Make the complexity of the levels more manageable by introducing more of the easier tasks. We believe that this will help with getting more people successfully solving more levels.

The delivery would follow a similar process as before. We plan to:

• Add 14 levels to the game - together with 14+ smart contracts that provide clear examples of common smart contract vulnerabilities.
• All levels will contain a simple-to-use documented offchain code that developers can use to deploy and interact with these vulnerable smart contracts in the emulator and on the testnet.
• A series of blog posts related to the solutions to the tasks, broader materials on the vulnerabilities and ways to prevent them.
• Tweets about the tasks.
• Continue maintaining a Discord channel where users can interact, ask for help and share their results.

[IMPACT] Please define the positive impact your project will have on the wider Cardano community

Continuing on our solution will further benefit the community in multiple ways:

• Security education – Developers who complete the tasks will gain a much better understanding of smart contract vulnerabilities, thereby reducing the likelihood of designing or implementing vulnerable smart contracts. This will increase the safety and trust of Cardano users. 
• Cheaper smart contract development – Currently, audits are often prolonged because there are many vulnerabilities and auditors need to review each fix. When the contracts are designed with security in mind and all the findings and fixes are small, the audit can take less time. This means cheaper audits and faster deployment of new smart contracts.
• Open source material – We will release 14+ different small open source smart contracts, which will substantially contribute to the ecosystem of Cardano. New developers will be able to use these smart contracts and learn new code patterns from them.
• Talent attraction – CTFs often attract many problem-solvers with a security mindset. These individuals will have the motivation to learn the Cardano smart contracts just to be able to solve the vulnerabilities and share the results with their own communities. By this, we could attract new developers and users to the Cardano community.
• Money loss prevention – The community can benefit greatly from increased security as any vulnerability can potentially cost huge amounts of money. For example, our auditors have found vulnerabilities which, if exploited, would have cost the Cardano users more than 220 million USD. Most of these vulnerabilities were preventable by increased security knowledge.

[CAPABILITY & FEASIBILITY] What is your capability to deliver your project with high levels of trust and accountability? How do you intend to validate if your approach is feasible?

As seasoned auditors of smart contracts on Cardano, we have lots of experience with audits and design reviews, conducted in Plutus, Plutarch, and Aiken languages. We have already uncovered a variety of vulnerabilities. Our audits can be seen at https://github.com/vacuumlabs/audits. We are also releasing a series of blogs on common Cardano vulnerabilities which can be found at https://medium.com/@vacuumlabs_auditing.

Drawing from our expertise, we're assured in our ability to develop a wide range of top-quality tasks.

Furthermore, thanks to Catalyst 10, we have already developed and delivered 10+1 levels into the Capture the Flag game. Our timely delivery can be seen in the milestone module. The game itself is open source in a public repository. The project was finished exactly according to our original plan without any delays, proving our experience in delivering Catalyst projects.

As this project is a direct continuation of the Cardano CTF project, we have no doubts that we will deliver well.

[PROJECT MILESTONES] What are the key milestones you need to achieve in order to complete your project successfully?

Since we will add new tasks to the Cardano CTF and we will try to maintain the structure, every milestone will look exactly the same. We will add 2 new tasks every month which makes it 7 milestones in total. Detailed, every milestone will include:

Adding 2 new levels – Details

• Brainstorming 2x innovative suitable smart contract attack vector.
• Creating 2x new Cardano CTF levels, each including:
• On-chain smart contracts including documentation.
• Task assignment.
• Off-chain code interacting with the smart contracts, deploying the scripts, including documentation.
• Happy case interaction.
• Tests determining successful task completion.
• Open-sourcing the new levels in the already open-source public GitHub repository.
• Announce the tasks on Discord.

Additionally, by implementing new levels, we will cover new interesting vulnerabilities which were not covered in the previous levels. For any such general vulnerability, we will publish a Medium blog post delving deeper into the topic. We expect at least 3 such additional blog posts. Any blog post will be shared on Twitter, Reddit and Discord.

Finally, in the end, we will publish a blog post providing hints and solutions to all the tasks.

Milestone 1: Add 2 new levels

• Duration: 1 month
• Objectives: Add 2 new levels.
• Outputs and Acceptance Criteria: 2 new levels are added to the repository, containing all the details described above.

Milestone 2: Add 2 new levels

• Same as the previous milestone.

Milestone 3: Add 2 new levels

• Same as the previous milestone. There should be at least 1 Medium blog post published.

Milestone 4: Add 2 new levels

• Same as the previous milestone.

Milestone 5: Add 2 new levels

• Same as the previous milestone. There should be at least 2 Medium blog posts published so far.

Final Milestone covers Milestone 6 and 7 below:

Milestone 6: Add 2 new levels

• Same as the previous milestone.

Milestone 7: Add 2 new levels

• Same as the previous milestone. There should be at least 3 Medium blog posts published so far.
• Provide a comprehensive closeout report and video.
• Publish a Medium blog post discussing hints and solutions of all the newly added tasks.

[RESOURCES] Who is in the project team and what are their roles?

Vacuumlabs Smart Contract Auditing Team: website

Michal Porubský is the Lead Smart Contract Auditor at Vacuumlabs. As a founding member of the smart contract auditing and consultancy division, he specializes in providing expert consultation to find the optimal design of decentralized applications and conduct comprehensive Cardano smart contract audits to ensure their robustness and security. He previously worked for WingRiders, NuFi and in the traditional finance world. During high school he competed at several national and international competitions where he won several regional and national ones. Later at the university he helped to organize and prepare tasks for similar programming competitions.

Michal Sládeček is a Smart Contract Auditor, a security consultant and an ethical hacker with a very wide range of experience ranging from web exploitation to reverse engineering and cryptography. He is a holder of the OSCP certificate with experience in programming C++, C, Javascript and Python code, and a good theoretical background in algorithms. One of his biggest accomplishments is a bronze medal from the International Olympiad in Informatics (IOI). During his university studies, he also helped organize national competition in programming.

Michal Anderle, also a Smart Contract Auditor at Vacuumlabs, honed his problem-solving skills through competitive programming during his studies. His achievements include a bronze medal from the IOI, participation in the ACM ICPC finals, and organizing programming competitions. Currently, he teaches an algorithmic course at a university. In his role, he employs these skills to identify potential vulnerabilities, enhancing the efficiency and security of his clients' products.

[BUDGET & COSTS] Please provide a cost breakdown of the proposed work and resources

For each task, we need to involve multiple people to:

1. Design the task.
2. Write the smart contracts (SC) — in case of a more complex level, multiple are needed.
3. Write offchain code that deploys and interacts with the smart contract.
4. Write documentation of the SC and the problem statement.
5. Test the smart contracts and the offchain code.
6. Maintain the task after its release, communicate with users and incorporate the feedback. 

Additionally, for some tasks we will write blog posts. That includes:

• Researching the topic in depth.
• Writing it. If diagrams are desired, their generation.
• Proofreading the text.
• Publishing them and promoting on social media.

Our budget is 14,200 ADA per task which is a little less than in the last proposal. That’s because the ADA price is currently a bit higher than the last time, with the difference more or less proportional to this amount. To bring the most value, we rather computed the amount of tasks we can deliver given the budget.

Since there are 14 tasks, that yields 14 x 14,200 ₳ = 198,800 ₳ in total.

[VALUE FOR MONEY] How does the cost of the project represent value for money for the Cardano ecosystem?

The smart contracts deployed on Cardano mainnet work and will work with assets worth many millions of dollars. The potential reputational loss for the Cardano blockchain in the event of a major hack would be even greater, potentially costing the whole community and not only the users of the vulnerable smart contract. If our educational material can prevent at least some vulnerabilities, the potential return of the investment is huge not only in terms of the value loss prevented.

Currently, we observe many preventable vulnerabilities during our smart contract audits, largely due to the lack of quality educational resources on Cardano's security and the lack of developers' knowledge in this area. Our educational tool can greatly enhance the security knowledge within the ecosystem. Improving on our tool and adding more levels developed and maintained by professionals will align with the high-security standards of our blockchain, providing substantial value.

In the previous proposal, we created the first version of Cardano CTF containing 10 levels. We might have set the bar too high, covering just a few easy levels and trying to explain more complex vulnerabilities too soon. That resulted in just a few people solving all the levels so far. By providing more and easier levels, we can motivate learners better by the next task being just slightly harder. We want to lower the barrier to learning about Cardano smart contract vulnerabilities. The existing tasks will stay open and public, of course. By adding 14 tasks into the Cardano CTF repository, Cardano developers will have 24 open-source smart contracts available in total, which they can learn smart contract vulnerabilities from! We consider this an invaluable addition to learning basics like from the Plutus Pioneer Program.