Create a comprehensive LLM-structured vulnerability database with exploit examples, fixes, and best practices, enabling AI agents to provide real-time security guidance to Cardano developers.
Please provide your proposal title
No Witness - Common Vulnerabilities Patterns
Enter the amount of funding you are requesting in ADA
87000
Please specify how many months you expect your project to last
4
Please indicate if your proposal has been auto-translated
No
Original Language
en
What is the problem you want to solve?
Cardano's security knowledge is scattered across only 2 incomplete sources. No LLM-ready vulnerability database exists to train AI security agents for automated code analysis.
Supporting links
Does your project have any dependencies on other organizations, technical or otherwise?
No
Describe any dependencies or write 'No dependencies'
No dependencies
Will your project's outputs be fully open source?
Yes
License and Additional Information
Fully open source with MIT license
Please choose the most relevant theme and tag related to the outcomes of your proposal
Developer Tools
Mention your open source license and describe your open source license rationale.
This project will be fully open source under the MIT license from day one. We believe all developer tooling should be open source: it helps teams build new products, and it lets the tooling itself be improved and extended through collaboration.
How do you make sure your source code is accessible to the public from project start, and people are informed?
Our project will be open source from day one at:
https://github.com/no-witness-labs
We will also share all development progress and updates regularly on our X account:
How will you provide high quality documentation?
Jonathan, our lead developer, is applying all the lessons learned from creating the Lucid Evolution library to this project, so that the documentation is high quality for developers transitioning to Cardano as well as for those who have been building here for years.
Please describe your proposed solution and how it addresses the problem
Cardano's security knowledge lives in just two incomplete sources - a GitHub markdown file and MLabs documentation.
New developers, especially those using Aiken, have a hard time finding comprehensive vulnerability information that actually fits their development setup, leading to the same security mistakes happening over and over across projects. There's no structured format for building automated security tools either.
We're building a comprehensive vulnerability database designed specifically for Cardano developers, with a special focus on Aiken developers and newcomers. This resource brings together existing security knowledge while adding Aiken-specific vulnerabilities into one well-organized place that will be hosted on developers.cardano.org for maximum accessibility.
Each vulnerability entry gives you clear descriptions with Aiken-specific context, working exploit code that shows how attacks actually happen on Aiken contracts, step-by-step fixes with tested Aiken code, prevention best practices for secure Aiken development, and coverage of common Aiken misconceptions and edge cases that trip people up.
Our database covers all vulnerabilities from existing sources but expanded for Aiken, Aiken-specific vulnerabilities and development pitfalls, and smart contract security approaches tailored to how Aiken actually works.
Each example comes with Aiken code, making it practical for developers to actually learn and implement fixes. Content gets structured for both human reading and future AI tool integration.
The biggest chunk of work is Aiken-specific vulnerability research and verification, taking up 40% of our effort. Creating and testing Aiken exploit examples takes another 30%, while developing comprehensive Aiken fixes and prevention guides accounts for 20%. Quality assurance and peer review handles the remaining 10%.
Please define the positive impact your project will have on the wider Cardano community
The primary impact of this project centers on dramatically improving the onboarding experience for new Cardano developers while preventing costly security incidents across the ecosystem.
Currently, new developers entering Cardano face a steep security learning curve. They must hunt through scattered documentation, piece together incomplete information, and often learn security lessons the hard way through trial and error. This creates significant barriers to entry and leads to repeated vulnerabilities in new projects. Our comprehensive vulnerability database eliminates this friction by providing everything new developers need to build securely from day one.
For Aiken developers specifically, this resource addresses a critical gap. As Aiken becomes the preferred smart contract language for Cardano, new developers need security guidance tailored to this environment. Our database provides Aiken-specific examples, common pitfalls, and secure coding practices that help developers avoid mistakes before they happen.
The structured format of our database also enables the development of AI-powered automatic tooling for code analysis. Future tools can be trained on our comprehensive vulnerability examples to automatically scan Aiken code, identify potential security issues, and suggest fixes in real time. This transforms security from a manual learning process into automated assistance that guides developers as they write code.
The cost savings potential is substantial. Smart contract vulnerabilities can cost projects significant funds in lost assets, damaged reputation, and recovery efforts. Even smaller security incidents can devastate early-stage projects that lack resources to recover from mistakes. Prevention through proper education and automated tooling is exponentially more cost effective than dealing with security breaches after they occur.
Beyond direct financial losses, security incidents damage the entire Cardano ecosystem's reputation and slow adoption.
The multiplier effect is significant. Each developer who learns secure practices from our database goes on to build better protocols, mentor other developers, and contribute to a culture of security-first development.
What is your capability to deliver your project with high levels of trust and accountability? How do you intend to validate if your approach is feasible?
No Witness Labs is founded by seasoned blockchain developers with a proven track record of delivering high-quality, impactful open-source tools and protocols in the Cardano ecosystem.
Our co-founder, Jonathan Rodriguez, is the creator and lead maintainer of Evolution SDK—the next generation of the widely adopted Lucid—which has become a cornerstone for off-chain transaction building on Cardano. His work has enabled countless developers to rapidly build, test, and deploy Cardano dApps with improved developer experience and reliability.
Our team collectively has extensive experience building both open-source and production-grade blockchain solutions. Members have contributed to many ecosystem projects and several protocol-level designs including cross-chain bridges, staking systems, and Layer 2 frameworks.
No Witness Labs operates with transparency and accountability as core principles, and all significant parts of our work are developed open source, ensuring community visibility, code review, and the potential for independent audit.
Our deep experience, combined with a proven history of delivering developer-focused infrastructure, ensures that No Witness Labs can execute this project with the highest standards of trust, transparency, and technical excellence.
Milestone 1: Research & Foundation
Delivery Month: 1
Cost: 20000 ADA
Progress: 20 %
Milestone 2: Core Content Development
Delivery Month: 2
Cost: 20000 ADA
Progress: 40 %
Milestone 3: Content Expansion & Quality Assurance
Delivery Month: 3
Cost: 20000 ADA
Progress: 80 %
Milestone 4: Final Milestone — Launch & Closeout
Delivery Month: 4
Cost: 27000 ADA
Progress: 100 %
Please provide a cost breakdown of the proposed work and resources
The total budget for the proposed project is estimated at 87,000 ADA, equivalent to 70,000 USD at the current ADA price of 0.81 USD. This plan is designed to efficiently deliver the project within 3 - 4 months, ensuring quality while addressing all cost considerations.
Senior Developers:
Hiring two senior developers is essential for the successful completion of this project within the specified timeframe. Their expertise will be crucial for delivering high-quality code.
Senior developers' rate: 80-120 USD per hour.
Estimated Total Cost in ADA (3 months):
80 USD/hour: For two developers working full time (40 hours per week for 3 months), the total cost would be 76,800 USD, equivalent to 109,740 ADA.
However, since the total project budget is 87,000 ADA, that budget is split between the two developers, bringing each developer's effective allocation down to 43,500 ADA for the duration of the project.
How does the cost of the project represent value for the Cardano ecosystem?
We’re delivering a shared, open source security knowledge base for Cardano exploits that any team, educator, auditor, or tool can use.
This database systematically removes common classes of mistakes for Aiken. Even a single prevented production bug is a huge benefit for the affected project and for the ecosystem.
On top of that, we are aiming for AI-readiness: LLM-structured entries that can power code assistants and CI bots flagging vulnerabilities at PR time, and that can serve as training datasets for Cardano-focused security agents.
This will lead to savings through shorter audits (auditors start from known pitfalls and patterns).
Terms and Conditions:
Yes
Jonathan Rodriguez - Senior Blockchain Developer
Jonathan Rodriguez is a distinguished Cardano Smart Contract Developer with a wealth of experience in auditing and optimizing key protocols within the Cardano ecosystem, including Minswap V2, IBC protocol (Cardano Foundation), Optim Finance, Lenfi V2, Genius Yield, and Wanchain Bridge.
His deep technical expertise in smart contracts is further evidenced by his development of the Lucid Evolution framework and his authorship of CIP-128. Jonathan is also a co-creator of the Cardano Design Patterns Libraries, which serve as valuable resources for the wider developer community.
Beyond his technical development work, Jonathan has made significant contributions to the Cardano network's resilience, playing a pivotal role in mitigating a DDoS attack.
His efforts in the Cardano community extend to delivering over five successful Project Catalyst proposals, which have added important open-source tools and innovations to the ecosystem.
Jonathan's role as a Smart Contract Developer and lecturer for the "Cardano Solutions Architect" course at Emurgo Academy demonstrates his commitment to shaping the next generation of blockchain developers.
Vu Dinh Hoang
Software and blockchain engineer with extensive experience building high-performance trading systems and decentralized applications.
Over the past several years, Vu has contributed to the Cardano ecosystem through Catalyst-funded projects, governance features, and open-source contributions to libraries such as Lucid Evolution, Plu-ts, Cardano-js-sdk, and Aiken.
His work spans performance optimization for large-scale trading platforms, smart contract development in Plutarch, Haskell, and Helios, and security audits for protocols like Charli3 and USDA.
Vu has a proven track record in designing scalable, secure, and production-grade blockchain solutions, with a strong focus on Cardano innovation.