Malicious smart contracts threaten market trust throughout the network.
Give people access to decentralized negative reputation signals.
Support the Cardano community in identifying unvetted contracts; define and implement protocol for wallets to access community guidance
Software developer, architect, product manager. Passion for guarding against bad things. Protected data systems engineer.
We propose that this project use the Gimbalabs Project-Based Learning process and community-based planning. See this other proposal, which follows the same general plan, to understand why and how we will involve the community in every step of delivering on this proposal:
https://cardano.ideascale.com/a/dtd/NFTs-derisk-Project-Capitalization/368330-48088
We propose to develop a decentralized protocol through which the Cardano technical community can blacklist or whitelist smart contract code hashes and code. An API will then be exposed for wallet backends and DAO constructs to gain guidance for end-users about the likely level of trust people can or should have in any given set of smart contracts, including flags for malicious or known insecure contracts.
Together with the community mechanisms found in Catalyst Swarm and Gimbalabs Playground we will explore practicalities and risks in this field, develop recommendations, and iterate protocol details so that people using supported wallets can get some signal about known scam warnings and other negative-reputation information.
Who We Are
Vincent Brandon
Data and ML Engineer. Certified professional project manager.
https://www.linkedin.com/in/vincent-brandon-b36b6728/
Randall Harmon
Software architect and full-stack developer. Asker of interesting questions. Architecture & Integration Lead
https://www.linkedin.com/in/randall-harmon-aa52765/
Addressing the Challenge
The Challenge team's key metrics are right on point for our project. With regard to smart-contract scam reporting, we can report on all of these metrics
With regard to the last item on this list, we anticipate every wallet transaction interacting with a smart-contract would leverage the smart-contract blacklist mechanism.
How can we help stakeholders identify serious emerging systemic threats for the Cardano blockchain before a threat overcomes the system? -> By providing infrastructure to enable Cardano to be a consumer-ready blockchain.
Charles Hoskinson spoke on this topic, coincidentally, just the next day after we originally wrote this proposal. Check out this timestamped link in his video:
https://youtu.be/yIRdX3x0mhE?t=676
Technical Goals and Deliverables Overview
There are many elements that could be included in such a code execution reputation system, and we are keen to explore the range of possibilities available. We will hold a summit for wallet and DAO developers to gain insights into a better trust model and user-friendly API services. Stakepool Operators (SPOs) will be engaged in the development of decentralized deployment strategies. It is critical that we find a set of trust interpretations and flagging algorithms that limit false positives (false scam reports) and maximize community utility, transparency, and deployability.
After our research, we will capture and present our findings to the community and conduct two community sessions to explore the problem space further, identifying next opportunities for important additions to the protocol and establishing a roadmap for further recommendations.
The whitelist/blacklist trust data structure will be available via read-only IPFS access for community metering of threat velocity and bad-actor identification.
Milestones
3 Months:
6 Months:
12 Months:
Budget
$1500 x 2: Summit Setup, Registration, Followup and Documentation
$10000: Architect smart contract blockchain search service and IPFS whitelist/blacklist storage
$5000: Build API access to search service results (whitelist/blacklist)
Total: $18000
Join us in creating this piece of critical infrastructure to guard the Cardano community. You know where to find us! Catalyst Swarm and Gimbalabs, of course!
...compared to other proposals...
Some other proposals in this category seek to report on Youtube and other scams outside our ecosystem. That's a good thing to do, but we sought to create more direct impact on a larger number of Cardano users.
Gimbalabs is also proposing a truth-in-labeling initiative, linked below. There are a number of differences between these two proposals, notably that the contract-blacklist functionality is, first and foremost, a way for the community to respond to emerging threats. These threats can come from any contract, including those having true and complete labeling. Meanwhile, contract labeling is expected to be a primarily author-initiated mechanism. Hence, two proposals for two separate scopes.
https://cardano.ideascale.com/a/dtd/Contract-Labeling-Transparency/369686-48088