You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
End users have the burden to validate and confirm that the smart contracts they interact with are legitimate and correctly associated with the project. This burden makes users susceptible to hacks and result in the irreversible loss of user funds.
Developers and wallets currently have no way of presenting verified metadata in a human readable way to end users, which would inform them when they are connecting to an unverified and potentially malicious smart contract.
Proposed solution
Our solution, called Flow Verified Project Ledger ‘FVPL’, will store and use Web2 and Web3 metadata elements provided by developers to generate a contextual risk score.
Wallets will receive this human readable risk score from FVPL and display that to users, informing them on possibly high risk transactions and smart contract interactions.
We will define a POC for FVPL with between 3-5 Key Risk Indicators (KRI’s) that will make up the FVPL contextual risk score that wallets can display. Building on top of the existing FLIP #934.
We will work alongside Flow developers to securely build a storage and aggregation application that developers can integrate with to provide their metadata securely adhering to the principles of confidentiality, integrity and availability.
Impact
We will initially look into Flow’s FLIP on “Interaction Templates” and provide an analysis of pros and cons of using this method to provide human-readable user interaction and protect users against malicious activities. This will help Flow devs in shaping their roadmap for this proposal.
We will then formulate a view on how our security product, FVPL, that stores and uses Web2 and Web3 context for risk scoring could fit in with “Interaction Templates” and the proposed stakeholder roles. This will allow us and the Flow team to better understand how everything will work together to protect its builders and users.
Our ultimate vision is to provide users with clear and actionable data so they can make better decisions when interacting with smart contracts on Flow. FVPL, along with other existing mechanisms such as “Interaction Templates” will provide users with confidence in understanding when they are interacting with verified and secure smart contracts and when they might be executing risky transactions.
Additionally, Flow developers and builders will get enhanced security that they can embed into their projects and allow third-parties to deliver human-readable security for end-users. Builders on Flow will also leverage the security tools we will be providing in the future to encourage safe composability and secure development on Flow.
Summary:
Developers will receive:
An interaction template that stores verified metadata.
Secure reference architecture for developers to interact with FVPL.
A defined mechanism to provide and update project metadata.
The ability to work with FVPL to help denominate risk scores.
Various security tools and features will be available in the future within FVPL for developer consumption.
Community / ecosystem will receive:
Human-readable security risk score without too much technical jargon, allowing them to understand exactly what they are interacting with and how.
Proactive warnings when they perform risky interactions on Flow.
Overall:
Flow will receive an in-depth analysis of security considerations for their Interaction Templates FLIP.
Flow will receive integration architecture between FVPL and the Interaction Templates.
Flow developers will be able to provide users with standardised and human readable messages about the security risk of transactions.
Milestones and funding
Milestone
Deliverable
Timeline
Risks
USD proposal
Justification
Onboarding x2 engineers (1 FTE)
Create job specification, adverts, and perform interviews to onboard 2 part time developers with experience in smart contracts and Cadence for 6 months
8 weeks
Resources not available or unable to find appropriate experience
Output with threat models and associated impact / likelihood of the existing Interaction Templates architecture
2 weeks
Design/plans change as threat modelling is conducted. Therefore we would take a snapshot at a point in time and threat model accordingly
7,000
- Deep dive into interaction template, architecture reviews - Build 3-5 threat scenarios against architecture, including attack steps, and associated risk profile - Review with interaction template team and provide recommendations
FVPL technical definition of initial set of 3 Key Risk Indicators for Flow
Define 3-5 KRI's based on a standardised methodology that are quantifiable, provide trending analysis, and provide a clear view of associated risks to Flow and Flow users
2 weeks
Delays in agreement on KRIs due to long feedback cycles
7,000
- Define the KRI logic and levels of risk - Design analytics processes to capture trends
FVPL Web2 and Web3 metadata standardisation mechanisms
Definition of Web2 and Web3 metadata elements which will be used for an inital set of KRIs (see milestone#3) and a normalisation approach for metadata
2 weeks
Sources of Web2 metadata, whether that's gaining access to private APIs, throttling on public APIs, and/or crawling data sources
7,000
- Define which metadata elements will be included for the KRI's - Design mechanism to capture the metadata - Design normalisation approach
FVPL technical build of 3 Key Risk Indicators for Flow
Build technical elements to capture and store metadata supporting the defined KRI's
2 weeks
N/A
7,000
- Build the POC scripts that captures the metadata needed for the KRIs
FVPL architecture design for metadata storage and interaction with projects / wallets
Define storage and interaction architecture for metadata
2 weeks
Dependant upon the output from milestone#6, this milestone may need revisiting
7,000
- Design and define storage and integration processes and storage architecture, including flow diagrams, user stories, etc. - Create mock ups on UI
Threat modeling and security review against FVPL POC architecture and build
Threat model architecture and build and feedback action items to the design phase
2 weeks
N/A
6,000
- Build 3-5 threat scenarios against architecture, including attack steps, and associated risk profile - Review with interaction template team and provide recommendations
FVPL technical build of POC storage components and integration points with the FLIP / projects / wallets
Build storage and interaction architecture for the FLIP, Flow projects, and wallets
4 weeks
Dependant upon milestone#5 and milestone#6 to start
15,000
- Build storage infrastructure, develop smart contract and interaction templates
Team
Name
Role
Bio
Contact
Jared
Co-Founder
An experienced cyber security professional with nearly a decade of experience. Most recently, Jared threat modelled and advised on security for a well-established Web3 company, further helping the go to market. Jared has a strong interest in business transformation and security principles. With deep understanding in secure design, threat management, and automation.
With a decade of experience in cyber security across New York and London, Danny has deep expertise in threat modelling methodologies and helping Fortune 100 companies in securing their critical assets both on premise and in the cloud. Danny has a special interest in business development as well as a deep understanding of threats, risks, and end user security awareness.
A security professional with 7+ years of experience in technical advisory. Youssef has supported global players within the financial services industry with improving their cyber security capabilities. Youssef has a special interest in security architecture design, threat modelling and vulnerability management with keen awareness of the Web3 space. Youssef is also an early investor in Flow and a Nine Lives Lounge member in NBA Topshot.
Thanks for this submission, we needed a bit of time to review to ensure the deliverables and timelines could map well into some of our plans for FLIP 934. We also needed to orient the milestones to be weighted heavier on deliverables that would help evaluate the efficacy of the proposed solution and adoption of it.
Here is our proposed amendments to the milestones, let us know what you think:
Milestone
Deliverables
Suggested Deadline
USD Suggested
1 - Security review and threat modeling
Threat models and associated impact / likelihood of the existing Interaction Templates architecture
September 15th, 2022
10,000
2 - Key Risk Indicators for Flow
Define 3-5 KRI's based on a standardized methodology that are quantifiable, provide trending analysis, and provide a clear view of associated risks to Flow and Flow users
October 15th, 2022
5,000
3 - FVPL Metadata standards
Definition of Web2 and Web3 metadata elements which will be used for an inital set of KRIs (see milestone#3) and a normalisation approach for metadata.
October 30th, 2022
5,000
4 - Risk Indicator Service MVP
A service that is capable of calculating and storing the risk indicators in any format. Demonstrates and validates the need and effectiveness of the key indicators.
October 30th, 2022
15,000
5 - Risk Indicator Service Production
A production level build of the risk indicator service with threat modelling.
November 15th, 2022
20,000
6 - Adoption
At least 2 existing wallet providers must tentatively agree to the usage of this service.
Inconfido: Flow Verified Projects Ledger (FVPL)
Grant category
Please select one or more of:
Description
Problem statement
End users have the burden to validate and confirm that the smart contracts they interact with are legitimate and correctly associated with the project. This burden makes users susceptible to hacks and result in the irreversible loss of user funds.
Developers and wallets currently have no way of presenting verified metadata in a human readable way to end users, which would inform them when they are connecting to an unverified and potentially malicious smart contract.
Proposed solution
Impact
We will initially look into Flow’s FLIP on “Interaction Templates” and provide an analysis of pros and cons of using this method to provide human-readable user interaction and protect users against malicious activities. This will help Flow devs in shaping their roadmap for this proposal.
We will then formulate a view on how our security product, FVPL, that stores and uses Web2 and Web3 context for risk scoring could fit in with “Interaction Templates” and the proposed stakeholder roles. This will allow us and the Flow team to better understand how everything will work together to protect its builders and users.
Our ultimate vision is to provide users with clear and actionable data so they can make better decisions when interacting with smart contracts on Flow. FVPL, along with other existing mechanisms such as “Interaction Templates” will provide users with confidence in understanding when they are interacting with verified and secure smart contracts and when they might be executing risky transactions.
Link to “Interaction Templates” FLIP: FLIP #934
Additionally, Flow developers and builders will get enhanced security that they can embed into their projects and allow third-parties to deliver human-readable security for end-users. Builders on Flow will also leverage the security tools we will be providing in the future to encourage safe composability and secure development on Flow.
Summary:
Developers will receive:
Community / ecosystem will receive:
Overall:
Milestones and funding
- Engage recruiter
- Define pay schedule
- Perform interviews / onboarding
- Get job board posting
- Build 3-5 threat scenarios against architecture, including attack steps, and associated risk profile
- Review with interaction template team and provide recommendations
- Design analytics processes to capture trends
- Design mechanism to capture the metadata
- Design normalisation approach
- Create mock ups on UI
- Review with interaction template team and provide recommendations
Team
The text was updated successfully, but these errors were encountered: