Pre-Deployment Program Analysis

Context

There is a lack of Open Source security tooling that allows Solana developers to free their programs from a wide range of vulnerabilities. Open Source Formal Verification and Symbolic Analysis tooling, Fuzzing Frameworks and other technologies can better assist program developers in the journey of securing their programs before deployment or upgrades.

Please see the following RFP that outlines a request to create repeatable program analysis tooling. The Solana Foundation lays out a list of proposed solutions, but the technology used to secure programs is at the behest of the applicant.

Logistics

Take note of the application deadline (2/29/2024). The maximum grant amount is not included within the request as different security applications will have varying cost factors. The resulting finalist(s) will work with the Solana Foundation to receive an appropriate grant issued in USD-equivalent locked SOL with approachable, but rigorous milestones.

Ground Rules

This thread can be used for comments, questions, praise, and / or criticism, and is intended to be an open forum for any prospective responders. This thread is also an experiment in increasing the transparency through which RFPs are fielded by the Solana ecosystem too, so please be mindful that we’re all here to learn and grow.

Responses to this RFP are not required to be public (but this is recommended); if it is helpful to share notes or combine forces, then please use this thread for such purposes.


Link: Airtable - Solana Foundation Public RFP Database


Bringing Scout to Solana

Dear Solana community,

We’re excited to present our proposal for this RFP, Scout, our open-source vulnerability detection tool. Whether you’re an entry-level developer or an expert, Scout is the perfect tool to improve the secure development lifecycle of your smart contract projects. Designed with ease of use in mind, Scout offers a seamless installation process, allowing you to focus on what matters most: creating innovative and secure smart contracts.

We are CoinFabrik, a leading research, development, and security auditing company specializing in Web3 technologies. This year marks our 10-year anniversary, and for the past 3 years, we’ve added value to the Solana ecosystem. CoinFabrik’s technical team has performed development and auditing for projects like Codigo.AI, Genopets, SmartChain, and Fitchin. Furthermore, we co-hosted the first Solana Hackathon in Argentina (Summer Sol Sessions Buenos Aires) and also had our booth at Breakpoint Amsterdam in 2023, presenting our smart contract testing tool SolBricks. Our commitment is to continue contributing to Solana’s developer growth and retention, and to foster the entry of new talent to help maintain and improve the network.

Our team has an academic background in computer science and mathematics, adding up to decades of experience in cybersecurity and software development, including academic publications, patents turned into products, and conference presentations. Furthermore, we have an ongoing collaboration on knowledge transfer and open-source projects with the University of Buenos Aires.

Tool Overview

Scout is an open-source bug detection tool designed to assist developers and auditors in identifying potential security threats and applying best practices to smart contracts. It enhances contract security by detecting issues and suggesting remediations during development, thus ensuring the security of contracts before deployment.

Scout is a static analyzer equipped with specialized lints or detectors that pinpoint specific vulnerabilities. These lints are designed for easy integration, enabling contributors to add new detectors seamlessly. Scout includes a command-line interface (CLI) offering various output formats, along with a VSCode extension that highlights vulnerable code segments and provides explanations and remediation suggestions.

As a security companion, Scout’s comprehensive documentation and open-source approach encourage community contributions, elevating ecosystem security standards and best practices.

Help us bring Scout to Solana!

We want to hear from you! We look forward to any feedback the Solana developer community wants to share concerning our proposal to bring Scout into the ecosystem.

Which types of Solana vulnerabilities would you like our bug detection tool to focus on identifying? Your suggestions will help us refine our tool’s capabilities to better meet the community’s requirements and improve the network’s security.


The Whale Suite

Mad Shield is a premier Solana auditing and security solutions provider, providing clients with in-depth code review, design improvement, vulnerability analysis and security tooling. As seasoned security experts in the blockchain industry with a focus on the Solana ecosystem, we are excited to offer a pre-deployment testing tool for Solana smart contracts that helps teams and developers uncover potential vulnerabilities that are hard to detect through manual code review.

Our goal is to empower developers with a comprehensive tool that exhausts most of the categorical Solana vulnerabilities. In addition, our tool is to be used to exhibit emergent exploits that have not been discovered previously and thus potentially reveal new categories of attacks, guided by educated guesses and business-logic-related guidelines that the auditors suspect to cause critical deviation from the program's functionality.

The testing tool is meant to be used to monitor new program releases or upgrades before deployment to main-net/production, consistently checking the trust boundary and security guarantees between the incremental development cycles. This is significantly important, as many of the programs providing infrastructure in the ecosystem, such as the SPL/MPL libraries, have been extensively supporting user-requested features that are honeypots for irregularities within the code to arise.

The Mad Shield team is excited to bring this tool as a primitive for developers and smart contract designers alike to build better and higher quality code and to help with the technical intricacies of the Solana programming model.