CoinFabrik | Scout for Secret Network | First static analyzer for Smart Contract vulnerabilities #155

Open
rialalejo opened this issue Apr 4, 2024 · 0 comments
Scout - CoinFabrik

Project Description

We want to build Scout, Secret Network’s first static analyzer for smart contract vulnerabilities. Our development includes:

  • An application that reads smart contracts and finds vulnerabilities based on an extensible set of detectors, with these detectors implemented using static analysis tools, available via CLI.
  • A set of smart contracts exemplifying relevant vulnerabilities, and associated detectors.
  • A VSCode extension that instantiates the application so that the developer experience is enhanced by the application finding the security issues and the extension highlighting and annotating the offending code in the developer's IDE.
  • A GitHub action to ensure a security review is present for every pull request of Secret Network smart contract projects.

Problem / Solution

In 2023 alone, over $1.8 billion in crypto funds were lost due to hacks and scams in the Web3 ecosystem.
The primary resource currently used to mitigate this risk is manual audits. However, they are costly and time-consuming. Therefore, it is essential for developers to produce high-quality, security-conscious code.

At CoinFabrik, where we engage in both auditing and development of crypto projects, we understand this issue firsthand. This is why we created Scout, a vulnerability detection app, a static analyzer designed to assist developers and auditors in identifying potential security threats and to encourage the application of best practices during development.

Detailed product description

With the help of the Web3 Foundation, Aleph Zero, and Stellar, we've built an app with security detectors for a list of prioritized vulnerabilities, which are implemented as lints, for Ink! and Soroban. The app is already being used by developers of both communities to build more secure smart contracts. We want to extend it to help Secret Network developers too.

Scout is built on top of a static analyzer that interfaces with the Rust compiler, providing access to the High-Level Intermediate Representation and the Mid-Level Intermediate Representation. These capabilities enable the accurate detection of many vulnerabilities. The lints are specifically designed to identify certain types of vulnerabilities. Each lint is pre-compiled separately and then run at contract compilation time, making it straightforward for contributors to add their own detectors. We have further made contributions to the project that allow us to work on the output, generating PDF reports, dynamic HTML, and Markdown.

The VSCode extension utilizes the CLI and, once executed, highlights the code segments that contain vulnerabilities. Additionally, it provides an explanation of the bug along with suggestions for resolving it.

The project has an integration testing suite that tests all detectors against a growing set of examples, always raising the precision of the tool and making sure it works properly.

Scout is an open-source tool currently available on GitHub for Polkadot's ink! (scout-ink) and Stellar's Soroban (scout-soroban). The implementation of Scout for Secret Network will follow the same roadmap as with these other blockchains, building on top of the scout-audit core implementation.

Tool Architecture Diagram

Scout Architecture Diagram

Go-to-Market plan

Stage 1 - Build it

Build the tool and make it available for early adopters to give feedback and recommendations on improvements and future detectors.

Stage 2 - Community Adoption

Active participation on Secret Network forums, including new vulnerabilities and best practices to Scout, and encouraging the community to do so as well through our contribution guidelines.

Upon the public release of Scout for Secret Network, we will promote the tool on social media and hold an open webinar, showing the usage of the tool to the community.

We will also post an article on detection of vulnerabilities in Secret Network smart contracts, to be published on the CoinFabrik blog.
We will contact audit companies from the ecosystem to help them include Scout in their process and gather recommendations for new detectors and improvements.

We will partner with the Secret Network marketing team to promote the tool and its use for developing safer smart contracts on the Secret Network.

Stage 3 - Community driven growth

The community continues to improve the tool.
Further grants to extend Scout capabilities on Secret Network.

Value capture for Secret Network ecosystem

Our tool will serve as a valuable resource for discovering security bugs for developers in the Secret Network ecosystem for several reasons.

  1. Firstly, it will aid smart contract developers during the development process by helping them avoid common security issues and adhere to best practices. We will provide integration with widely-used Integrated Development Environments (IDEs), such as VSCode. We will also provide a GitHub action that will allow developers to run Scout on every Secret Network smart contract project pull request, ensuring a security assessment is available for the reviewer.

  2. We also plan to build a comprehensive knowledge base about security issues in Secret Network, which will include a list of vulnerability classes, descriptions, examples, and methods to avoid them.

  3. Furthermore, our tool is open source and will feature clear documentation and contribution guidelines, enabling others to add their detectors and enhance the tool's capabilities.

  4. Lastly, by making it easier to detect and fix an increasing number of security issues, our tool will raise the complexity threshold in Secret Network for potential attacks.

Team members

  • Ariel Wassbein - Head of Research
  • Alejo Rial - Ecosystem Lead
  • Federico Pinho - Project manager
  • CoinFabrik's development and auditing team - when required.

Team Website

Team's experience

CoinFabrik is a research, auditing and development company specialized in Web3, with a strong background in cybersecurity. Founded in 2014, we have worked on over 200 blockchain-related projects, EVM-based and also for Solana, Algorand, and Polkadot. We offer security audits through a dedicated in-house team of senior cybersecurity professionals, currently working on code in Rust, Solidity, Clarity, and TEAL.

Our team has an academic background in computer science and mathematics, with work experience focused on cybersecurity and software development, including academic publications, patents turned into products, and conference presentations. Furthermore, we have an ongoing collaboration on knowledge transfer and open-source projects with the Universidad de Buenos Aires.

Team Code Repos

Team LinkedIn Profiles

Development Roadmap

We will require 8 weeks to complete this project.

We intend to have 2 developers full-time, a part-time Technical Lead and a part-time Project Manager, at a total cost of $60,000.

Milestone 1: Research & Proof of Concept (30K USD)

(4 weeks)
Deliverables:

  • A curated list of vulnerabilities, best practices, and enhancements related to Secret Network smart contracts. We will focus on vulnerabilities whose detection is approachable with static analysis, considering, but not limited to, classic smart contract vulnerabilities known in other blockchains (e.g., overflows, DoS, reentrancy, etc.) and well-documented vulnerabilities specific to Secret Network.

  • Proof of concept code for an app + CLI that detects at least 5 security issues from the above list.

  • Associated repository for scout-secret-network.

Milestone 2: Prototype (30K USD)

(4 weeks)
Deliverables:

  • At least 9 new detectors, including more vulnerability classes than those included in Milestone 1.*
  • Complete tool documentation on Docusaurus.
  • Article on detection of vulnerabilities in Secret Network smart contracts, to be published on the CoinFabrik blog.
  • Scout Webinar and Public Release in Social Media.

Integrated functionalities from Scout core:

  • Command line interface (CLI) for the tool.
  • Ability to generate output formatted as text, JSON, HTML, Markdown, SARIF and PDF.
  • A VSCode extension that integrates the tool with the ability to list security issues, highlight issues with squiggles and hover-over descriptions.
  • Integration tests for all detectors. Improving detectors, if needed, to precisely detect vulnerabilities listed in Milestone 1.
  • Scout GitHub Action. Allowing developers to obtain a Scout Markdown Report upon every pull request of their Secret Network smart contract projects in GitHub.
  • Public project repo and website.

Additional Information

CoinFabrik page | https://www.coinfabrik.com/
Scout page | https://www.coinfabrik.com/products/scout/
Scout for ink! GitHub | https://github.com/CoinFabrik/scout
Scout for ink! Docusaurus Documentation | https://coinfabrik.github.io/scout/
Scout for Soroban GitHub | https://github.com/CoinFabrik/scout-soroban
Scout Audit GitHub | https://github.com/CoinFabrik/scout-audit
Twitter | https://twitter.com/coinfabrik

@azaidelson azaidelson self-assigned this Apr 7, 2024
@azaidelson azaidelson added the Q2'24 Q2'24 Cohort label Apr 7, 2024