This report updates on what WEFUZZ, Coinbase Crypto Community Fund grant recipient, has been working on over the first part of their year-long Crypto development grant. This specifically covers their work on a decentralized, crowdsourced security audit and bug bounty solution.
By WEFUZZ, Coinbase Crypto Community Fund grant recipient
WEFUZZ implements a fully decentralized, crowdsourced security audit and bug bounty solution: a set of smart contracts that allow developers and companies to get their smart contracts, blockchains, websites, etc., audited by the auditors and hackers community. With this work, WEFUZZ aims to become the * Hacker DAO *.
Crowdsourcing is a sourcing model in which individuals or organizations obtain goods or services – including ideas, voting, micro-tasks etc., from a large, relatively open, and rapidly evolving group of participants. Companies like Uber, Gitcoin and GoJek already use this model. Crowdsourcing model offers improved costs, speed, quality, flexibility, scalability, and diversity.
The traditional crowdsourcing system consists mainly of three roles: requesters, workers (auditors in our case), and a centralized system. Requesters submit tasks to be completed through the crowdsourcing system. A set of auditors complete this task and submit solutions to the crowdsourcing system. Requesters will then select a proper solution (usually the first or the best one that solves the task) and reward the corresponding worker.
This makes centralized systems vulnerable. User’s sensitive information (eg name, email address etc.,) and vulnerability reports are saved in the database of these centralized systems, which has the inherent risk of privacy disclosure and data loss. Centralized choke points are not only attack vectors for leaks and hacks, but also for outages.
Crowdsourcing companies are keen on maximizing their benefits and require requesters paying for services, which in turn increase user’s costs. Most crowdsourcing systems demand a 10–25% service fee.
All these issues add up to the already existing concerns of smart contract and multi-chains owners and developers (the audit requesters), freelance auditors ‘and ethical hackers’ concerns. Some of these concerns are:
- Ensuring their assets are safe from cyber theft, data hacks or any other risk that can result in a loss of funds and compromised data.
- Being able to get audits done in a cost-effective way – be it private or public security audits
- Making sure the smart contracts are audited by multiple auditors
- Hackers do not want to share sensitive personal data
- Hackers and auditors and developers need complete transparency
WEFUZZ is a fully decentralized, crowdsourced audit and bug bounty platform aiming to be the Hacker DAO. WEFUZZ aims to provide reliability, fairness, security and low service fees by design.
The decentralized platform has many advantages such as higher user security, service availability, and lower costs. Smart contracts running on a chosen blockchain are used to perform the whole process of crowdsourcing tasks which contains posting audit and bounty campaigns, submitting audit and bug reports, bounty assignment, etc.
WEFUZZ solution offers numerous added benefits to users:
- Data Security: Reports are encrypted with auditors ‘and target developers’ public key, so that the bug reports only gets read by who it is intended for. Files are encrypted and stored on the decentralized network storage. No more data breaches, hacks, password leaks or any other risk affecting existing cloud based audit and bug bounty platforms.
- Cost Effectiveness: Allowing smart contract developers, multi-chain developers, and companies to get audits performed in a cost-effective way directly by the auditors and hacker crowd on the WEFUZZ platform. This helps the developers and companies avoid huge fees and congestion issues affecting the traditional bug bounty platforms.
- Flexible anonymity: Auditors and hackers can choose to remain anonymous while submitting reports, protecting their privacy, and still getting paid.
- Communication Security: No centralized data storage, complete anonymity, no data transfers, no moderators and complete end-to-end encryption. All the data resides encrypted on the Solana blockchain and all the files reside on the IPFS blockchain.
Audit Requestors: Developers, companies or any individual can request audits or start a private / public bug bounty campaign.
Auditors: Auditors can be anyone from ethical hackers to audit firms who can perform the requested audits or participate in bug bounty campaigns.
Judges: Judges are community members who are either elected by the community or have been raised to the Judge category through reputation.
Currently, we are working on the conceptualization, technical architecture, and system design of WEFUZZ, besides building our MVP on Solana and Polygon blockchains, and testing the optimal chain for our project.
Please join our Discord and follow us on our Twitter and Medium to keep track of the progress. We are going to release the code and other tools we build as part of the research and development in this Github account.