Orcfax architecture audit

[GENERAL] Name and surname of main applicant

Christian Koch

[GENERAL] Are you delivering this project as an individual or as an entity (whether formally incorporated or not)

Entity (Incorporated)

[GENERAL] Please specify how many months you expect your project to last (from 2-12 months)

4

[GENERAL] Please indicate if your proposal has been auto-translated into English from another language

No

[GENERAL] Summarize your solution to the problem (200-character limit including spaces)

Orcfax will procure auditing services for its on-chain and off-chain architecture, perform fixes and enhancements as per auditor recommendations and report on the audit status and outcomes.

[GENERAL] Does your project have any dependencies on other organizations, technical or otherwise?

Yes

[GENERAL] If YES, please describe what the dependency is and why you believe it is essential for your project’s delivery. If NO, please write “No dependencies.”

This project will be dependent on the auditing firm that is procured to perform the audit.

[GENERAL] Will your project’s output/s be fully open source?

Yes

[GENERAL] Please provide here more information on the open source status of your project outputs

The Orcfax architecture audit report will be released under an open-source Creative Commons license.

[SOLUTION] Please describe your proposed solution

Orcfax will procure services to audit the security of its on-chain and off-chain architecture, perform fixes and enhancements as per auditor recommendations and report on the audit status and outcomes. 

Our off-chain architecture includes software that collects, validates and performs calculations on real-world data. Our on-chain code publishes fact statement datum to Cardano transactions and provides data provenance guarantees. We also write audit log packages to the Arweave decentralized storage blockchain. Our off-chain code includes an archiving module to interact with Arweave and a web-based Explorer that allows users to search and browse these packages.

The use of oracles as trusted data inputs to smart contracts that control large sums of user funds raises valid concerns about the reliability of oracle architectures. Many Cardano dApps require a security audit before considering the integration of external oracle feeds. Project Catalyst has funded such work for other projects in the past and the Orcfax oracle project qualifies under the same criteria.

This audit project will ensure that the Orcfax oracle service delivers the most comprehensive, accurate and trustworthy real-world data possible to Cardano dApps and smart contracts.

[IMPACT] Please define the positive impact your project will have on the wider Cardano community

The Cardano ecosystem is desperate for viable oracle service providers. In the absence of trustworthy, audited oracle providers we lag behind other Layer 1 blockchains in DeFi adoption and expansion. Orcfax has become a key player in the Cardano oracle landscape. Our architecture audit will provide assurances that Cardano DeFi is backed by authentic and accurate real-world data.

[CAPABILITY & FEASIBILITY] What is your capability to deliver your project with high levels of trust and accountability? How do you intend to validate if your approach is feasible?

For the past two years the Orcfax team has been researching and developing a comprehensive solution to the oracle problem for Cardano-native dApps and smart contracts. We have developed an open oracle publishing protocol and have been using it to publish an ADA/USD price feed to Cardano Mainnet since early 2024.

We have an active Discord and Twitter community where our ideas, requirements and deployment progress are scrutinized and debated. We participate widely in conferences such as Cardano Summit and Rare Evo to raise awareness about our mission and product offering.

We expect to discuss and share the findings and deliverables of this auditing project in the same community-driven way to ensure trust and accountability.

[PROJECT MILESTONES] What are the key milestones you need to achieve in order to complete your project successfully?

Audit requirements & contract

A: Milestone outputs: Request for Proposal for Orcfax architecture audit. Contract for Services with audit firm. 

B: Acceptance criteria: Executed service contract.

C: Evidence of milestone completion: Auditing firm selection is announced publicly on social media.

Interim report of audit & remediations

A: Milestone outputs: First review round feedback from auditors, formatted into an audit status report. Code pull requests for software fixes and enhancements that address audit concerns.

B: Acceptance criteria: Interim report on audit status. 

C: Evidence of milestone completion: Interim audit report posted to public Github repository and shared on social media. Pull requests approved for Orcfax architecture fixes.

Interim report of audit in response to remediations

A: Milestone outputs: Second review round feedback from auditors, formatted into an audit status report, which assessed changes made in response to previous report. If necessary, Code pull requests for software fixes and enhancements that address audit concerns.

B: Acceptance criteria: Interim report on audit status. 

C: Evidence of milestone completion: Interim audit report posted to public Github repository and shared on social media. Pull requests approved for Orcfax architecture fixes.

Interim report of audit & final remediations

If Orcfax has passed its Audit, then proceed to final milestone, otherwise

A: Milestone outputs: Third review round feedback from auditors, formatted into an audit status report, which assessed changes made in response to previous report. If necessary, Code pull requests for software fixes and enhancements that address audit concerns.

B: Acceptance criteria: Interim report on audit status. 

C: Evidence of milestone completion: Interim audit report posted to public Github repository.

Final audit report

A: Milestone outputs: Final report containing auditor findings, recommendations and summary of Orcfax team remediation actions in response to audit.

B: Acceptance criteria: Final audit report.

C: Evidence of milestone completion: Final audit report posted to public Github repository and shared on social media. Audit upgrades pushed to Orcfax’s live mainnet architecture.

Final: Close-out report & post-mortem

A: Milestone outputs - Orcfax audit post-mortem.

B: Acceptance criteria - close-out report accepted by Project Catalyst.

C: Evidence of milestone completion - Close-out report shared on Github. Orcfax audit post-mortem published through Medium.

[RESOURCES] Who is in the project team and what are their roles?

System Analyst: Peter Van Garderen

Peter is the CEO and Founder of Orcfax. He worked for two years in the field of digital archives and electronic record-keeping. Peter is the creator of the free and open source Archivematica and Access-to-Memory (AtoM) software applications, the most widely deployed archives management solutions in the world. His area of expertise is applying records management standards and archival science research to requirements for fully decentralized architectures, including the Orcfax oracle platform.

https://www.linkedin.com/in/petervangarderen/

System Analyst: Christian Koch

Christian is an analyst, researcher and information systems professional who holds a Masters Degree in Archival Science with a focus on blockchain technology. Christian serves as the primary liaison between the development team, Orcfax clients and our community management team.

https://www.linkedin.com/in/christian-mk/

Software Engineer: Ross Spencer

Ross is Orcfax’s senior systems architect and leads the development and implementation of the Orcfax architecture infrastructure. Ross has over two decades experience developing and maintaining open-source digital preservation software that is in use at major memory institutions worldwide.

https://www.linkedin.com/in/ross-spencer-b6b9b758/

Concerning the auditing team: The Orcfax team will draft a Request for Proposal for the architecture auditing assignment and gather price quotations from respected Cardano auditing firms which include but are not limited to Certik, Anastasia Labs, MLabs, Metalamp and TxPipe.

The project management and auditor liaison will be managed by Orcfax system analysts. Our Senior Systems Architect will be the software engineer responsible for engaging directly with the auditor and implementing any corrective actions.

[BUDGET & COSTS] Please provide a cost breakdown of the proposed work and resources

Milestone 1 (30 days): Audit requirements and contract

Orcfax team: $10,000

Milestone 2 (60 days): Interim report of audit & remediations

Auditor team: $60,000

Orcfax team: $15000

Milestone 3 (10 days): Interim report of audit in response to remediations

Auditor team: $20000

Orcfax team: $15000

Milestone 4 (10 days): Interim report of audit & final remediations

Auditor team: $20000

Orcfax team: $10000

Milestone 5 (5 days): Final audit report

Auditor team: $15,000

Orcfax team: $5,000

Final Milestone 3 (5 days): n/a

To accommodate for the fluctuation in ADA price, which creates a conversion risk and a potential budget shortfall, we used the 12 month historical low of $0.25 in October 2023 to establish a budget base price of $0.35 ADA for calculating our expenses.

₳486,000 x 0.35 = $170,000

[VALUE FOR MONEY] How does the cost of the project represent value for money for the Cardano ecosystem?

The Cardano community is lagging behind other Layer 1 blockchains in its oracle infrastructure. The Orcfax project is working hard to deliver its CEX and CNT data feeds on Cardano mainnet. We have implemented a unique approach to data provenance verification and are introducing the most cost-effective model for publishing oracle data in Cardano’s eUTXO model. This audit will give our community and Cardano dApp integrators the confidence they need to rely on Orcfax’s premier data feeds to drive the next wave of Cardano DeFi innovation and market expansion.