Decentralized Security Marketplace

caution

This Request for Proposals is currently considered under development, meaning one or more grants have been signed to address the topic. We might be interested in additional implementations, but it’s better to double check this with the grants team.

• Status: Under Development
• Proposer: Matteo Casonato, Bhargav Batt

Project Description 📄

According to the Immunefi's 2022 annual report, there has been a total loss of ~$3.77B because of hacks in the web3 space. To increase a protocol's security, audits and bug bounties can be a useful tool.

A decentralized security marketplace would allow projects to find reviewers/testers/auditors/whitehats and vice versa to pursue structured tests and audits. This would benefit everyone:

• Projects would increase their security;
• Developers would have the possibility to earn while using their skills, improving them;
• The ecosystem would be more secure, with more projects being audited and more developers learning about security.

Ideally, this marketplace would be built as a smart contract platform deployable on any existing parachain (that supports WASM smart contracts, such as Astar or Watr) using ink! (here you can see some examples).

Note: This use case can be extended/applied to other areas. The main problem to solve here is to find a way to manage the delayed transaction between two parties (i.e., escrow), and to ensure fairness and transparency (e.g., a reviewer is not able to deliver all the reports in time, and the project's team would like to decide whether to extend the escrow duration or just to pay a lower percentage of the established bounty).

Actors 👥

To ensure fairness and transparency, the marketplace could have the following actors:

• Projects - The projects that want to be reviewed / tested;
• Auditors - The developers that want to perform audits / hunt bugs;
• Arbiters - The developers that will arbitrate the disputes between projects and auditors (they will be useful if a project opens a dispute for any reason). They could get a small percentage of the bounty.

Deliverables 🔩

The followings could be the initial deliverables of the project. Of course, improvements and additions are more than welcome.

1. Initial research and design of the protocol:
   • You can refer to what Immunefi and Code4rena are doing (but bring that on-chain);
   • How to ensure the trustless interaction (e.g., projects could lock a percentage of the bounty to open the request);
   • What types of disputes could be risen and how to solve them;
   • How to manage time delays;
   • Look for other use cases (in or outside the security field);
2. Development of the protocol:
   • Development of the governance smart contract (e.g. to add/remove projects, auditors, arbiters, etc.);
   • Development of the auditing smart contract (e.g. to create audits);
   • Development of the arbitration smart contract (e.g. to create/solve disputes);
3. Development of the frontend, that enables the actors to interact with the protocol.