Hello all. Over the last few days, I have been browsing the forums, getting familiar with the community, and looking for a way to contribute. I am particularly interested in security, as I am a security engineer by day, and thus I have decided to pursue a security-oriented project, and am looking to get feedback regarding my initial idea.
Over the last few years, we have seen a drastic increase in smart contract hacks, resulting in serious financial theft. Cardano smart contracts do address this concern as much as possible. When using a functional language such as Haskell, the attack surface area drastically reduces from what we see in the current ecosystem. It gets say ~90 percent of the way there.
However, code is only as secure as the humans who write it, and with a brand new ecosystem and not a ton of “predefined” best practices, there is room for error, especially as we head into a public release which many developers are eagerly awaiting.
The goal of the project is to get a kickstart on smart contract security for developers who plan to use Cardano. Initially, I’d like to create some tooling similar to what exists for other smart contracts already. Should that go well, there are endless possibilities on how else to educate incoming developers such as YouTube videos, CTF style hacking challenges, auditing, or publishing best practices, news, and top vulnerabilities. The 10-year goal would be to be the Portswigger of this domain.
- I am still very new to this community, so first I want to ask if this is something that is needed? I have asked around and reviewed the resources which are available to me, but I have yet to get a true answer. Before I dive into a project (that I admittedly know very little about going into it), I want to make certain that it is not a waste of time, or if there is something I have seriously overlooked.
- If anyone is interested in reaching out and learning more, please feel free to do so. Right now, it is only me, but I would love at least one other person to work with. I would be more than happy to provide more information about myself or the project should you be curious.
As I said, I am not super familiar specifically with this space so there are a few things I am doing. If you see any major knowledge gaps or things you think I should be researching or reviewing, I would love the feedback:
- Reviewing previous smart contract exploits
- Working through smart contract hacking challenges such as Ethernaut
- Reading as many open source audits from major players (such as OpenZeppelin) that I can find
- Attempting to recreate vulnerable contracts in the Plutus Playground.
- Reading about best practices for Haskell programming / functional programming in general
- Going through the YouTube Plutus Pioneer Program (I am not a student, but attempting to make do with the other information provided)
- Researching the current security measures already put in place, such as those mentioned in the Cardano 360 for March
- Standing up a landing page.
- Planning to reach out and try and speak with those in the Plutus Pioneers Program in an effort to learn more about what is being taught when it comes to security.
- Creating social media eventually
- I am still not 100 percent sure how the project proposal site works, but maybe doing that at some point??
Again, I am a total noob when it comes to this stuff, but I see an area that I think is very very interesting, and I want to invest in and work with the Cardano community in security, which is a domain I am extremely passionate about. I would love to hear what you all think!