Do you agree to open source all work you do on behalf of this RFP and dual-license under MIT and APACHE2 licenses?: No.
Slitherin codebase is available under AGPL-3.0 license (inherited from the original Slither project). We plan to keep it this way.
Project Description
Motivations
With the introduction of FEVM, Filecoin invited lots of Solidity developers to join the ecosystem and build decentralized projects. Regardless of devs' skills and experience, any complex smart contract might include bugs or vulnerabilities. Besides, many devs have little experience with Filecoin and its specifics, which increases risks related to the smart contracts.
Currently, performing (multiple) audits of the codebase is the main approach to mitigate smart contract risks. However, it is widely accepted that audits are not enough due to their manual nature, which means very high cost and lack of scalability. Besides, doing audits is hard and demanding, and security professionals also seek every bit of help.
A research project dedicated to helping smart contract developers and security professionals could identify bad practices and potential pitfalls, as well as provide recommendations, security checklists, and more. Creating automated checks is the most effective way to ensure that smart contracts follow best practices.
We believe that security-focused tooling is crucial for the long-term success of Filecoin. Developing and maintaining such tools is challenging and requires lots of experience, team longevity, and incentive alignment. A reputable auditing company with a history of tool development is a natural fit for this project.
The project concept was tested at the HackFS Hackathon by ETH Global (hackathon project).
Dedicated team
Our team, Pessimistic Security, has been auditing blockchain projects since 2017. We have also developed three security tools: SmartCheck (a static analysis tool), Slitherin (automated security checks), and Spotter, all focused on enhancing security in the blockchain domain.
We are a cohesive team of blockchain security specialists, continuously advancing our knowledge and skills to protect and safeguard the web3 ecosystem. Through continuous learning and collaboration, we ensure top-tier security in decentralized technologies.
Equally important, our long-term plans include further security tools and Slitherin development, so our team will maintain any detectors delivered under this grant.
Inspirations
When looking at static analysis security detectors across different ecosystems, there are a few candidates our project should draw inspiration from. Below we go over these inspirations and their strengths.
SmartCheck
Our team developed this static analysis tool six years ago. Recent research shows that it still performs well despite being discontinued since 2020.
Slither
In short, Slither is a Python-based smart contract security framework first proposed in a 2019 paper by Josselin Feist, Gustavo Grieco, and Alex Groce. The Slither framework offers automated detection of vulnerabilities and optimizations, as well as codebase summaries to aid developer comprehension.
Slitherin
A Slither plugin developed by Pessimistic. It is extremely flexible and includes detectors based on our security checklists and recently popularized weaknesses such as read-only reentrancy. Among other things, it provides integration checks for UniswapV2, and it can serve as a template for Filecoin-specific detectors.
Deliverables
Filecoin specific security detectors and checks
We estimate that analysis of the Filecoin smart contracts library will generate ideas for around five Slitherin detectors and some additional security checks.
We plan to implement up to five detectors initially and more with later updates.
Each vulnerability detector consists of:
an open source Python implementation,
documentation describing the potential vulnerabilities that may arise in specific circumstances,
recommendations on how to address them,
test cases covering both vulnerable and safe scenarios.
In addition, we will publish all discovered security checks that cannot be implemented as a Slitherin detector.
Articles covering results of this project
Publishing and sharing vulnerabilities with the public is of utmost importance. Therefore, we will describe all the findings in a series of blog posts. The articles will cover topics such as:
potential vulnerabilities, bad practices, and common pitfalls,
Filecoin integration guidelines and best practices,
ways to improve smart contract security using automated tools.
Within the scope of the grant, we propose to publish a total of four posts.
We have already undertaken similar efforts in our blog.
Further extensions
We'd love to put more effort into the security of Filecoin and the broader ecosystem.
We could perform additional research and detector development for codebases and topics selected by the Filecoin team. If this proves successful, we would use the same structure for extra stages.
Milestones
Milestone 1: Initial Research, Development, Media coverage
Milestone n° | Name | Description | Time estimation (workdays)
1.1 | Library security analysis | Our auditors will review the library and compile a list of security checks and ideas for Slitherin detectors. The library is ~2000 lines; the initial review and results analysis would take 5 days. | 5
1.2 | Detectors development and testing | We will implement and test up to five detectors based on the security checks identified in the previous step. All detectors will adhere to our quality standards for code, documentation, and findings. | 10
1.3 | Articles and media coverage | We plan to create two articles covering the Filecoin implementation and our vulnerability detectors. Both articles will take 4 days to create. We will post tweets and updates on our social media for the initial release. | 5
Total workdays: 20
Milestone 2: Support and expansion
Milestone n° | Name | Description | Time estimation (workdays)
2.1 | Library updates security analysis | We will review new releases of the library and/or other relevant smart contracts. | 5
2.2 | Detectors suite update and expansion | We will maintain the security checks and detectors for the library until the end of 2023: (A) develop additional detectors for new code, (B) update existing detectors to match smart contract updates, (C) improve precision and recall for all implemented detectors. | 10
2.3 | Update articles | We will share the results of our research and development in the media. This includes two additional articles and other activities. | 5
Total workdays: 20
Milestone X: Program extension (Optional)
We will perform more research and development upon receiving requests from the Filecoin team. The precise quota depends on the specific scope of work and will be determined later.
Total
Combined milestones workdays: 40
The cost of each stage is 10k USD.
The overall cost for the project is 20k USD.
Funding steps
Step | Event | Funding percentage
1 | Milestone 1 delivered | 50%
2 | Milestone 2 delivered | 50%
Hi @ndkirillov, thank you for your proposal and for your patience with our review. Unfortunately, we will not be moving forward with a grant at this time, but we are wishing you all the best as you continue to build!
RFP Proposal: FVM Specific Security Detectors
RFP Category:
devtools-libraries
Proposers:
@ndkirillov
@eMarchenko