CTF — Gamifying Cardano Security
We often find many easily preventable vulnerabilities during our smart contract audits on the Cardano network. This problem largely stems from the lack of educational materials on smart contract security: information about many security issues is simply not available online and is passed by word of mouth from auditor to auditor.
We started our blog to create high-quality educational materials so that future developers can start their journey with a better understanding of the potential issues. So far, we have tackled the Double Satisfaction (part 1 and part 2) and the Untrusted UTxO vulnerabilities, and we will keep writing as we have plenty of interesting research to share. Our plans do not stop there, though.
Capture the Flag
CTFs (Capture the Flag competitions) gamify learning by hacking and securing computers. Each task is a challenge that needs to be solved in a creative way. CTFs have a long history and are very popular among cybersecurity professionals and enthusiasts. Most CTFs today even have a blockchain category, where participants test their skills by exploiting various smart contracts, and there are CTFs designed purely for Ethereum, such as Ethernaut or Damn Vulnerable DeFi.
Cardano currently lacks any such resource. At Vacuumlabs, we decided to take on the task and create one: a game of ten tasks built around common vulnerabilities often present in Cardano smart contracts. We believe we can do a great job thanks to our experience from various audits. However, as we would be the first to create such a game on Cardano, we need to prepare a framework and solve several challenges along the way. Creating these tasks with high quality requires serious time, and we therefore need help from you, the Cardano community. We created a Catalyst proposal which you can read for more details about our plan and the challenges we face.
We believe that having a CTF would benefit our community in many ways:
- Security education — Developers who complete the tasks will gain a much better understanding of smart contract vulnerabilities, thereby reducing the likelihood of designing or implementing vulnerable smart contracts. This will increase the safety and trust of Cardano users.
- Cheaper smart contract development — Currently, audits are often prolonged because many vulnerabilities are found and auditors need to review each fix. When contracts are designed with security in mind and the findings and their fixes are small, the audit takes less time. This means cheaper audits and faster deployment of new smart contracts.
- Open source material — We will release 10+ different small open-source smart contracts which will substantially contribute to the ecosystem of Cardano. New developers will be able to use these smart contracts and learn new code patterns from them.
- Talent attraction — CTFs often attract problem-solvers with a security mindset. These individuals will have the motivation to learn Cardano smart contract development just to be able to solve the presented problems and share the results with their own communities. In this way, we could attract new developers and users to the Cardano community.
- Money loss prevention — The community benefits greatly from increased security, as any vulnerability can potentially cost huge amounts of money. For example, our auditors have found vulnerabilities which, if exploited, could have cost Cardano users more than 220 million USD. Most of these vulnerabilities were preventable with better security knowledge.
For more information, please visit our proposal page, comment, leave us a clap and spread the word. If you like our proposal, you can also vote for us once the voting phase begins. Let’s make future smart contracts safer together!
To read more about us and our work, you can check out our webpage and our archive of public reports. You can also follow us on Medium or Twitter for more information about Cardano Security.