RFP Proposal: FVM Specific Security Detectors #1587

Closed
ndkirillov opened this issue Jun 23, 2023 · 1 comment

FVM Specific Security Detectors

RFP Category: devtools-libraries

Proposers:
@ndkirillov
@eMarchenko

Do you agree to open source all work you do on behalf of this RFP and dual-license under MIT and APACHE2 licenses?: No.
Slitherin codebase is available under AGPL-3.0 license (inherited from the original Slither project). We plan to keep it this way.

Project Description

Motivations

With the introduction of FEVM, Filecoin invited lots of Solidity developers to join the ecosystem and build decentralized projects. Regardless of devs' skills and experience, any complex smart contract might include bugs or vulnerabilities. Besides, many devs have little experience with Filecoin and its specifics, which increases risks related to the smart contracts.
Currently, performing (multiple) audits of the codebase is the main approach to mitigate smart contract risks. However, it is widely accepted that audits are not enough due to their manual nature, which means very high cost and lack of scalability. Besides, doing audits is hard and demanding, and security professionals also seek every bit of help.

A research project dedicated to helping smart contract developers and security professionals could identify bad practices and potential pitfalls, as well as provide recommendations, security checklists, and more. Creating automated checks is the most effective way to ensure that smart contracts follow best practices.

We believe that security-focused tooling is crucial for the long-term success of Filecoin. Developing and maintaining such tools is challenging and requires extensive experience, team longevity, and aligned incentives. A reputable auditing company with a history of tool development is a natural fit for this project.

The project concept was tested at the HackFs Hackathon by ETH Global - project.

Dedicated team

Our team, Pessimistic Security, has been auditing blockchain projects since 2017. We have also developed three security tools, SmartCheck (static analysis tool), Slitherin (automated security checks) and Spotter, which are focused on enhancing security in the blockchain domain.

We are a cohesive team of blockchain security specialists, continuously advancing our knowledge and skills to protect and safeguard the web3 ecosystem. Through continuous learning and collaboration, we ensure top-tier security in decentralized technologies.

Equally important, our long-term plans include further security tools and Slitherin development, so our team will maintain any detectors delivered under this grant.

Inspirations

When looking at solutions over different ecosystems for static analysis security detectors, there are a few candidates that our project should get inspiration from. In the following section we go over some potential inspirations and their strengths.

SmartCheck

Our team developed this static analysis tool six years ago. Recent research shows that it still performs well despite being discontinued since 2020.

Slither

In short, Slither is a Python-based contract security framework first proposed in a 2019 paper by Josselin Feist, Gustavo Grieco, and Alex Groce. The Slither framework offers automated detection of vulnerabilities and optimizations, as well as codebase summaries to aid developer comprehension.

Slitherin

A Slither plugin developed by Pessimistic. It is extremely flexible and includes detectors based on our security checklists and recently popularized weaknesses like readonly reentrancy. Among other things, it provides integration checks for UniswapV2, and one can utilize it as a template for Filecoin-specific detectors.

Deliverables

Filecoin specific security detectors and checks

We estimate that analysis of the Filecoin smart contracts library will generate ideas for around five Slitherin detectors and some additional security checks.

We plan to implement up to five detectors initially and more with later updates.

Each vulnerability detector consists of

  • an open source python implementation,
  • documentation describing potential vulnerabilities that may arise in specific circumstances,
  • recommendations on how to address them,
  • test cases covering both vulnerable and safe scenarios.

Besides, we will publish all discovered security checks that cannot be implemented as a Slitherin detector.

Articles covering results of this project

Publishing and sharing vulnerabilities with the public is of utmost importance. Therefore, we will describe all the findings in a series of blog posts. The articles will cover topics like

  • potential vulnerabilities, bad practices, and common pitfalls,
  • Filecoin integration guidelines and best practices,
  • ways to improve smart contract security using automated tools.

Within the scope of the grant, we propose to publish a total of four posts.

We have already undertaken similar efforts in our blog.

Further extensions

We'd love to put more effort into the security of Filecoin and the broader ecosystem.

We could perform additional research and detector development for codebases and topics selected by the Filecoin team. If proved successful, we would utilize the same structure for extra stages.

Milestones

Milestone 1: Initial Research, Development, Media coverage

| Milestone n° | Name | Description | Time estimation (workdays) |
|---|---|---|---|
| 1.1 | Library security analysis | Our auditors will review the library and compile a list of security checks and ideas for Slitherin detectors. The size of the library is ~2000 lines, and the initial review and results analysis would take 5 days. | 5 |
| 1.2 | Detectors development and testing | We will implement and test up to five detectors based on security checks identified during the previous step. All detectors will adhere to our quality standards for code, documentation, and findings quality. | 10 |
| 1.3 | Articles and media coverage | We plan to create two articles covering the Filecoin implementation and our vulnerability detectors. Both articles will take 4 days to create. We will drop tweets and posts on our social media for the initial release. | 5 |

Total workdays: 20

Milestone 2: Support and expansion

| Milestone n° | Name | Description | Time estimation (workdays) |
|---|---|---|---|
| 2.1 | Library updates security analysis | We will review new releases of the library and/or other relevant smart contracts. | 5 |
| 2.2 | Detectors suite update and expansion | We will maintain security checks and detectors for the library till the end of 2023: A) develop additional detectors for new code, B) update existing detectors to match smart contract updates, C) improve precision and recall for all implemented detectors. | 10 |
| 2.3 | Update articles | We will share the results of our research and development in the media. This includes two additional articles and other activities. | 5 |

Total workdays: 20

Milestone X: Program extension (Optional)

We will perform more research and development upon receiving requests from the Filecoin team. The precise quota depends on the specific scope of work and will be determined later.

Total

Combined milestones workdays: 40

The cost of each stage is 10k USD.

The overall cost for the project is 20k USD.

| Funding step | Event | Funding percentage |
|---|---|---|
| 1 | Milestone 1 delivered | 50% |
| 2 | Milestone 2 delivered | 50% |

@ErinOCon (Collaborator) commented:
Hi @ndkirillov, thank you for your proposal and for your patience with our review. Unfortunately, we will not be moving forward with a grant at this time, but we are wishing you all the best as you continue to build!
