$195 MILLION TVL HACK AVOIDED

If we don’t embed proactive mitigation strategies against security vulnerabilities now, then ultimately we risk reputational damage.

A solution that is incorporated into IOGs strategy of building security integrity and resilience into the Cardano DApp ecosystem.

• number of security related issues found in open source code.
• number of security Audits bounties created and published to a network
• number of security Audits bounties closed
• Frequency of security audits performed
• number of security audits performed
• Length of time from when a Cardano DApp code is published until a security audit is performed. (How fast can we get the network to swarm on new Cardano projects?)
• reduction on the cost associated to performing audit and security in proportion to the average professional audit and security firm.

How might we incentivize ‘white hat’ hacker types of behaviour at the edges and swarm for vulnerabilities in the Cardano DApp marketplace before bad actors? 

If Wingriders are not an Audit and security company but still managed to save one of their competitors from losing $195 million in TVL by reviewing and finding a vulnerability in open source code, how can we encourage this sort of behaviour with novel solutions?  

It was not WingRiders intention to be compensated for acting in good faith however Minswap recognized their contribution as a good faith actor and offered them a bug bounty reward.

Startups are typically cash strapped and can’t afford some of the higher costs of third party security Audits but they still desire to publish code that is not intentionally vulnerable. 

Outputs for this challenge are not limited to but could include.

• A Cardano security watchdog/fraud squad group.
• A Cardano security Audit competition/web application.
• A new stand alone Cardano security bug bounty application.
• A working code concept that shows how the challenge can be solved as an API hooked into the Cardano DApp marketplace.

IOG’s Dapp Marketplace & Certifications teams submit this challenge to prioritize focus towards these critical capabilities.

See Charles Hoskinson speaking about this at the 16:50 mark here:

The Ethereum community has a dedicated security team called Diligence who acts in the best interest of the Ethereum protocol, this is an example of a watchdog/fraud squad group that Charles spoke about at the Catalyst town hall on June 1st. Diligence acts as a community steward at hackathons and industry events proactively educating DApp developers to shift ‘security thinking’ left in their software development cycle.

https://consensys.net/diligence/

Cardano doesn’t have such an educational campaign strategy yet, we have third party partnerships with security firms but we are not their number one priority, without a proactive community steward driving the importance of security risk management, developers are late in the discovery of the implementation of security audits.

Security Audit competitions like code4rena but focused on Cardano.

https://code4rena.com/

Security bug bounty system like hackerone who is trusted by industry names such as Amazon.

https://hackerone.com/amazonvrp?type=team

A high fidelity design concept or working code concept that shows how the challenge can be solved as an API hooked into the Cardano DApp marketplace.

Here is an example of the DApp Store that will be launched as part of the Light Wallet announced at Consensus2022 by Charles Hoskinson.

Challenge amounts should only be proposed in increments of 25K ₳. Other amounts not in these increments will be rounded up. E.g. 27,500₳ will be rounded up to 50,000₳.