Grant request: QRUCIAL_DAO.md #989
Conversation
Thanks for the application. This sounds really interesting. But could you add a bit more detailed (technical) information to the proposal? What kind of functions will ExoSys, ExoTool and HackRep support? In general it would be nice to introduce these as part of the proposal. Which programming language are you going to use? Additionally, we usually ask teams to add the default deliverables of our template (0a-0d) to each milestone. And your last milestone is usually something which we don’t support via grants (part of it can be integrated into the other milestone). In general, we don’t support the deployment of the project, but only the technical development, which is also helpful for others or might be reused for other projects.
We have reconsidered the milestones and developer availability for the grant.
@Noc2 Thank you for the feedback. We have updated our Grant Request based on your comment and added more details.
Thanks for the update. I have a few follow-up questions:
- Don’t you need to implement the DAO itself or do you plan to use an existing pallet for this?
- Do you have any mock-ups or designs for the frontend, that you can share?
- My suggestion would also be to remove ExoTool - Slither at this stage and simply focus on the initial PoC for ink!/wasm smart contracts. After you finished the grant, you could for example apply for a Solidity-focused grant here: https://moonbeam.foundation/grants/
Noc2 was suggesting that we should focus on the WASM based smart contracts first and later request a grant from MoonBeam for the Solidity based exo audit system.
We plan to use the Governance pallet, similarly as Polkadot does, but tailored to QDAO's needs.
At the beginning we use PolkadotJS and later we plan to create a beautiful QDAO interface, based on our current design/colors: https://qrucial.io/
We seriously considered your suggestion and decided to focus our attention on ink!/wasm smart contract audits. Even though there are not so many tools available for automation here, we can build a core tool based on clippy/cargo-audit.
Thanks for updating the application. I have another follow-up question: The front-end that you deliver as part of this grant, will it be based on the substrate front-end template or is it already the “beautiful QDAO interface”?
We plan to use the substrate front-end template, but with our own design. Our designer team has already prepared the looks; you can find it in the docs of QRUCIAL DAO: https://github.com/Qrucial/QRUCIAL-DAO/blob/main/docs/QRUCIAL%20DAO%20UI.png
Thanks for the update. I’m happy to mark it as ready for review and share it with the rest of the team. However, I personally find an FTE of 0.7, 2 months and 20k relatively expensive. Would you be willing to reduce the price?
Thank you! We had a talk with our team and we could reduce the price somewhat. What would you consider appropriate?
@smilingSix Thank you for applying. I am happy to see the deep technical expertise of your team and trust in your ability to build security tools, a substrate pallet, etc. However, I am skeptical of your business model. Is there truly a supply of independent auditors who would use your product/service? To my knowledge, high-quality Polkadot eco security auditors are extremely scarce and either part of an established security team or successful independent contractors. I think before building a business marketplace/DAO for independent security engineers, there are more fundamental problems to solve. I am happy to be proven wrong, however, and I would very much appreciate your team working on a valuable grant for w3f. Thank you again for your application!
@cruikshankss thank you for challenging our business model, I am happy to address your concerns and explain to you exactly what we are building. We achieve this by running auditing tools on chain, triggered through a blockchain transaction; the output of these security tools is then written into a non-transferable NFT which is bound to the audited smart contract itself.

Let me give you some use cases of who would use our tool:
- Independent auditors who want to make sure they get the agreed-upon amount of money from a project for the work they have done.
- Auditing companies who want to make sure their logo and reputation are not used without permission by scam projects.
- IT-security professionals who want to make sure they have a reproducible environment with the right tools in the right configuration on every machine, every time.
- The community, who want to make sure their favorite project's audit is up to date.
- Crypto projects who want to distinguish between good and bad auditors and showcase honesty and transparency.
- The polkasama ecosystem.

An additional point I want to add: currently we don't have a lot of Rust auditors, you are right on this; that is why we built our system to be compatible not just with Rust/wasm but also with EVM/Solidity. We are starting out with Wasm though, because @Noc2 recommended it to us; we originally wanted to start with EVM.
Hi @Ra33it0, Thank you very much for your detailed business model explanations. I want to applaud and thank you for your plans to solve such complicated problems. If I understand correctly, you aim to solve security, identity, payments, deterministic compilation, education, and in general the evolution of smart contracts (from EVM/Solidity to ink!/wasm/Rust). Firstly, I am glad you have all these ideals. I agree with @Noc2 that idealizing EVM/Solidity audits is likely short-sighted in blockchain evolution since wasm/Rust smart contracts seem to have the only true chance of being sustainably secure and evolvable. However, I have low confidence in your step-by-step business plan. To even solve the first ideal I listed--security--you'd have to be Layer 0 experts. Layer 0 expertise involves expertise in blockchain engineering, the substrate runtime & pallet engineering, P2P networking, as well as Rust. Furthermore, each of those topics requires additional expertise in various types of complicated mathematics and engineering. I believe your team may have the expertise necessary, but you haven't explicitly convinced me thus far. In my opinion, to even consider working on the next ideal--identity--you must first have solved security, otherwise a DAO & identity is fundamentally vulnerable. I do agree that deterministic compilation and education could be mutually beneficial to solve in the same project, but those are highly complex problems and I have low confidence in your ability to solve them given the lack of information I have from you about your strategy. The fact that you wish to solve these problems as well as security and identity makes me think you underestimate the complexity of all these projects, which gives me low confidence in your current plan, but I am here to help you refine this plan, since I am grateful for your team & I only wish to help. :) And perhaps I just don't have all the info necessary yet, but you've already thought of this. :)

An additional point: I believe the journey to transparent and trustless on-chain audits is a truly noble path, but I believe it takes a great deal of navigation of power dynamics and secrecy, given the discovery and disclosure of vulnerabilities is a very delicate process. What is your strategy regarding this? To summarize, I applaud you for your idealism and vision, but I advise you to provide a much more detailed business plan on which aspects of your project you would work on first. What's the foundation? Perhaps, where can your team be of use to the current Layer 0 efforts towards security? Where do you fit into the ecosystem and the current efforts towards each of the ideals you strive for? I hope this critical feedback is received with only enthusiasm, because merely having this discussion is educational for me and I'm grateful for the work you've put in towards your application. I believe applications themselves are extremely valuable in the conception of ideals. My highest wish is to help you succeed and build the ideal web 3.0 technology stack together as an ecosystem. Thank you again!
Sorry for the late reply. How about 30k in total?
A few follow-up questions from my side as well. But I think my main concern is with auditing companies being interested in signing up for this. The ones I know seem to do well with providing PDFs with audit results to their clients, who in turn publish them as they please. Have you talked to any auditing firms whether they would be willing to use your platform as described?
The use of logos and reputation without permission would only be solved if it was known that the only legitimate Auditor X audit is published through your platform, which not every client might be excited about. They might wish to publish the report after fixing severe vulnerabilities.
Have you thought about making it possible to enable and reward responsible disclosure? It might not always be in the best interest of a project for an auditor to publish vulnerabilities on the spot.
| 0b. | Documentation | We will provide both **inline documentation** of the code and a basic **tutorial** that explains how a user can (for example) spin up one of our Substrate nodes and send test transactions, which will show how the new functionality works. |
| 0c. | Testing Guide | Core functions will be fully covered by unit tests to ensure functionality and robustness. In the guide, we will describe how to run these tests. |
| 0d. | Docker | We will provide a Dockerfile(s) that can be used to test all the functionality delivered with this milestone. |
| 1. | Substrate runtime | The runtime config and compilable code for QRUCIAL DAO. |
Can you provide a list of functions/functionalities that will be implemented under this?
- Documentation will include everything needed to configure and run a QDAO node.
- The testing guide will allow node operators to test that all functionalities are working (e.g. docker images are executing the requests, the API is accessible, QDAO extrinsics succeed, etc.)
- The docker images will take commands and arguments from ExoSys. Example: extrinsic call of cargo_audit() -> ExoSys notices the successful tx -> executes Docker -> takes output -> encrypts it -> publishes after delay.
- Docker images are to be provided by QRUCIAL at the start and later the governance will be able to add/remove/modify such images.
- We already put together our core runtime here: https://github.com/Qrucial/QRUCIAL-DAO/blob/main/rust/runtime/src/lib.rs
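The ExoSys flow sketched in the comment above (extrinsic succeeds -> daemon runs the tool -> output is withheld -> published after a delay), together with the later point that anyone can re-run the same image and compare, as an added model in Python. This is not QDAO's code: tool runners are plain callables standing in for Docker images, the delay is counted in blocks, and "encrypt then publish later" is modelled as hash-commit now / reveal later, a stand-in for real encryption.

```python
# Added example (not QDAO's code): a model of the ExoSys daemon flow.
# Assumptions: runners are callables standing in for Docker images; the delay is
# measured in blocks; "encrypt then publish after delay" is modelled as publishing
# a SHA-256 commitment at once and revealing the output after the delay.
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class AuditRequest:
    block: int      # block in which the requesting extrinsic succeeded
    contract: str   # hypothetical contract identifier
    tool: str       # tool name, e.g. "cargo_audit" (name taken from the thread)

class ExoSys:
    def __init__(self, runners, delay_blocks):
        self.runners = runners      # tool name -> callable(contract) -> bytes
        self.delay = delay_blocks
        self.pending = {}           # req -> raw output held back until release
        self.commitments = {}       # req -> sha256 hex published immediately
        self.published = {}         # req -> output revealed once the delay passed

    def on_extrinsic_success(self, req):
        # Only governance-registered images may run; unknown tools are refused.
        if req.tool not in self.runners:
            raise ValueError(f"tool not registered: {req.tool}")
        output = self.runners[req.tool](req.contract)
        self.commitments[req] = hashlib.sha256(output).hexdigest()
        self.pending[req] = output
        return self.commitments[req]

    def on_new_block(self, block):
        # Release every held output whose delay has elapsed.
        released = []
        for req in list(self.pending):
            if block >= req.block + self.delay:
                self.published[req] = self.pending.pop(req)
                released.append(req)
        return released

def verify_report(exosys, req, rerun_output):
    """Anyone re-running the same image can check the published report
    against both the revealed output and the earlier commitment."""
    pub = exosys.published.get(req)
    if pub is None:
        return False
    return pub == rerun_output and hashlib.sha256(pub).hexdigest() == exosys.commitments[req]

# Constructed deterministic stand-in for the cargo_audit Docker image.
def fake_cargo_audit(contract):
    return f"cargo-audit report for {contract}: 0 advisories".encode()

RUNNERS = {"cargo_audit": fake_cargo_audit}

def demo():
    exo = ExoSys(RUNNERS, delay_blocks=3)
    req = AuditRequest(block=100, contract="ink-contract-demo", tool="cargo_audit")
    commitment = exo.on_extrinsic_success(req)
    early = exo.on_new_block(101)       # delay not elapsed: nothing released
    late = exo.on_new_block(103)        # delay elapsed: report revealed
    ok = verify_report(exo, req, fake_cargo_audit("ink-contract-demo"))
    tampered = verify_report(exo, req, b"cargo-audit report: edited")
    return commitment, early, late, ok, tampered
```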
| 0d. | Docker | We will provide a Dockerfile(s) that can be used to test all the functionality delivered with this milestone. |
| 1. | Substrate runtime | The runtime config and compilable code for QRUCIAL DAO. |
| 2. | Substrate pallet: ExoSys | Core system that handles the extrinsics that request ExoTool execution. |
| 3. | Substrate pallet: AuditorRep | Reputation system for the manual auditors who verify the output recorded by ExoSys. |
Who provides this reputation? How do you prevent people from gaming this system?
We use an ELO rating system. At the first stage, CCTF top players and QRUCIAL auditors/contractors are automatically in the auditor pool; then, as the project moves on, the ELO rating should be able to keep the system healthy.
This is experimental at this point. My guess is that we will need some moderators who verify PoC exploits in questionable cases (similarly as Polkadot Council works).
| 0c. | Testing Guide | Core functions will be fully covered by unit tests to ensure functionality and robustness. In the guide, we will describe how to run these tests. |
| 0d. | Docker | We will provide a Dockerfile(s) that can be used to test all the functionality delivered with this milestone. |
| 0e. | Article | We will publish an **article**/workshop that explains QRUCIAL DAO (what was done/achieved as part of the grant). (Content, language and medium should reflect your target audience described above.) |
| 1. | ExoSys Deamon | This is the glue system which listens to events on QRUCIAL DAO and executes the requested tools. |
According to the diagram above, this is part of the QRUCIAL node. Does that mean each request is executed on every node in the network? Or how do you choose which node runs the request?
At this stage, all nodes are expected to run all tools, but in the long run we want to implement a more efficient system where nodes are selected randomly and are incentivized to be honest.
Notably, the docker images provided for automated tests can be run by anyone in the ecosystem, and if there is a suspicion, it can be reported and taken care of by QDAO governance.
### Overview

QRUCIAL DAO is a system for trustless audits, and certification using non-transferable NFTs, exogenous tooling and decentralized Consensus.
NFTs aren't mentioned in any of your deliverables. Is this already implemented, or not part of this grant?
NFTs are not implemented yet. In this grant request we want to get to the point where QDAO is working as an automated audit provider blockchain where manual auditors can finalize the NFT reports.
This does not include NFT designs, report designs, etc., so we left it out from the deliverables. However, the tech/logic is part of the grant request. These NFTs are created on QDAO's chain at this point; later we want to do it cross-chain.
Hello All, My answer for cruikshankss: My answer to everyone in this discussion: Answer for @Noc2:
Thanks for the update. I still think that 0.7 FTE for 10k per month is really expensive, but I also know that audit companies in this space are insanely expensive at the moment, so I’m willing to go ahead with it.
I discussed this with the Qrucial DAO team at Polkadot Decoded. It seems like a very useful idea for our ecosystem.
Thank you for your detailed reply. I am approving this (one approval).
Some Rust/wasm work can be considered part of Layer 0. If in the course of your project, you find it necessary to work on Layer 0, feel free to keep us updated. If you don't find it necessary to work on Layer 0, I see the potential value for your core system in the other layer(s) of course. Thank you again for applying!
Congratulations and welcome to the Web3 Foundation Grants Program! Please refer to our Milestone Delivery repository for instructions on how to submit milestones and invoices, our FAQ for frequently asked questions and the support section of our README for more ways to find answers to your questions.
Thank you all for approving it and also for challenging us with very helpful questions and recommendations! We are already in the process of development (20%) and we plan to deliver everything written in milestone 1 by the end of August. After this, milestone 2 is planned to be finished by the end of October.
Thanks for the update
Hello,
Thanks for the update @sixTheDave, sounds good. If you think it will be significantly delayed from the beginning of March, please consider submitting an amendment to extend the timeline. Thanks!
Thank you. Our realistic deadline is end of March/April. Should we submit an "amendment"? Does that mean we should make an update (PR) to the proposal with the deadline?
@sixTheDave exactly yep, you can update the original proposal by creating a PR for us to approve. It's usually relatively easy to get it approved if just changing the timeline. You'll just need the same amount of approvals that was needed originally, although please note that under current levels your grant now falls under level 3, meaning it will need 5 approvals.
No problem, we will send the PR. Thank you for helping us.
@Noc2 @keeganquigley I have created an update about the project, including the final deadline: Please review the PR and thank you for your patience.
Hello, A short update on the state: we are about to send the M2 delivery in the next days and are now preparing https://qrucial.io/ to host a testnet node. You will be able to see and test the main features of QDAO through the app site.
Testnet is live: https://qrucial.io/ We will make some improvements and send the M2 delivery.
Hi @sixTheDave any updates?
Hi, thank you! We were super busy with our Decoded 2023 participation! I just sent the PR: w3f/Grant-Milestone-Delivery#899
Project Abstract
QRUCIAL DAO is a system for trustless audits, and certification using non-transferable NFTs, exogenous tooling and decentralized Consensus.
To us, it is ironic that web3 and trustless systems are trusting web2 auditors and legacy security companies to protect them from threat actors. This is the reason we want to build a system in which the community and the projects can trust that a security assessment has in fact been done professionally. Too often, security audits of web3 projects are performed in a way that relies on intransparency and blind trust in a company logo instead of a proof of computation as well as a proof that the auditor is knowledgeable of the task at hand. It seems that many auditing companies are not in security, but the PDF business. We want to change this.