-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Application for research on User account security analysis for wallets Update research_wallets.md
- Loading branch information
Showing
1 changed file
with
133 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,133 @@ | ||
| # User Account Access Security Analysis for Wallets | ||
|
|
||
| - **Team Name:** Zondax AG | ||
| - **Payment Address:** (DAI ERC 20) 0xf50a09731dc32a64431920e10e1e58dce28e6b11 | ||
| - **[Level](https://github.com/w3f/Grants-Program/tree/master#level_slider-levels):** 2 | ||
|
|
||
| ## Project Overview :page_facing_up: | ||
|
|
||
| This application aims to complete [User Account Access Security Analysis for Wallets RFP](https://grants.web3.foundation/docs/RFPs/user-account-access-analysis). | ||
|
|
||
| ### Overview | ||
|
|
||
| This research proposal targets analyzing Polkadot's user-facing security protocols, focusing on complex account generation and access mechanisms, including multi-signatures and proxies. It plans to model and evaluate these processes in popular Polkadot wallets, aiming to identify security loopholes and user lockout scenarios while streamlining authentication and enhancing user experience. | ||
|
|
||
| This project will serve as the basis for the Bachelor Thesis of [Carlo Sala](https://github.com/carlosala), who has been working during the last two years at zondax contributing in building and maintaining several Ledger apps in the Polkadot ecosystem. This research will lead him towards completing his degree in Mathematics at [Universtat Autònoma de Barcelona](https://www.uab.cat/). | ||
|
|
||
| ### Project Details | ||
|
|
||
| #### Research Goals | ||
|
|
||
| #### 1. Extend and Formalize account access graphs for blockchain: | ||
|
|
||
| The proposed research involves expanding the framework outlined in the _User Account Access Graphs_ ([paper](https://people.inf.ethz.ch/rsasse/pub/AccountAccessGraphs-CCS19.pdf)) to accommodate the unique features of blockchain technology, with a specific focus on the Polkadot ecosystem. | ||
|
|
||
| This expansion entails incorporating the distinct aspects of Polkadot, such as multisignature (multisig) accounts, stashing (a mechanism for securing assets), proxy accounts (which allow one account to act on behalf of another), and the use of hardware wallets (physical devices that store private keys). The objective is to adapt and refine the account access graph model to accurately represent and analyze the complex and varied ways in which users can interact with and access their assets within the Polkadot blockchain environment. This adaptation will consider the intricate security and operational dynamics of Polkadot's features, ensuring that the model remains relevant and effective in this advanced blockchain context. | ||
|
|
||
| #### 2. Access Security analysis and evaluation | ||
|
|
||
| We aim to conduct comprehensive evaluations of User Account Access Security across a range of wallets, including but not limited to: | ||
|
|
||
| - [Polkadot-JS](https://polkadot.js.org) | ||
| - [SubWallet](https://www.subwallet.app) | ||
| - [Talisman](https://www.talisman.xyz) | ||
| - [Subkey](https://docs.substrate.io/reference/command-line-tools/subkey/) | ||
|
|
||
| Our methodology will incorporate automated and/or manual assessment techniques, the selection of which will be determined based on preliminary findings to ensure the most effective evaluation approach. | ||
|
|
||
| Additionally, the scope extends to examining hardware wallets such as: | ||
|
|
||
| - [Polkadot Vault](https://signer.parity.io/) | ||
| - [Ledger](https://www.ledger.com/) | ||
| - [Kampela](https://www.kampe.la/) | ||
|
|
||
| and will focus be on identifying potential security vulnerabilities and assessing the risk of user lockouts. | ||
|
|
||
| During the security evaluations, we will also try to identify and suggest UX improvements. Our goal is to streamline user access while maintaining the highest security standards. | ||
|
|
||
| ### What your project is _not_ or will _not_ provide or implement | ||
|
|
||
| This project will not: focus on exhaustive pentesting. Our goal is to provide a theoretical framework to assess User Account Access Security in Polkadot ecosystem. | ||
|
|
||
| ### Ecosystem Fit | ||
|
|
||
| User Account Access is a key security concern in any digital environment. Developing a practical model and applying it to top wallet providers within the Polkadot ecosystem can greatly improve both trust and security. This approach aims to make the ecosystem safer and more secure. | ||
|
|
||
| ## Team :busts_in_silhouette: | ||
|
|
||
| ### Team members | ||
|
|
||
| - Mathematician / Engineer: Carlo Sala | ||
| - GitHub: https://github.com/carlosala | ||
| - LinkedIn: https://linkedin.com/in/carlosalagancho | ||
| - 1 x Project Manager | ||
|
|
||
| ### Contact | ||
|
|
||
| - **Contact Name:** Juan Leni and Ainhoa Aldave | ||
| - **Contact Email:** [email protected] / [email protected] | ||
| - **Website:** [zondax.ch](https://www.zondax.ch/) | ||
|
|
||
| ### Legal Structure | ||
|
|
||
| Zondax AG | ||
|
|
||
| Dammstrasse 16 | ||
|
|
||
| Zug 6300, Switzerland | ||
|
|
||
| UID CHE-491.796.576 | ||
|
|
||
| ### Team's experience | ||
|
|
||
| Over the last few years, Zondax has been involved in a large number of projects for most of the key players in the blockchain industry. | ||
| Our team includes experts in most blockchain aspects, from cryptography to data and protocol engineering. | ||
|
|
||
| Carlo Sala is a Mathematics student at [Universtat Autònoma de Barcelona](https://www.uab.cat/) and Software Engineer at Zondax for 2+ years in the Security team. He maintains as well a big OSS project outside of blockchain ecosystem. | ||
|
|
||
| Carlo has been working during the last two years building and maintaining several Ledger apps in the Polkadot ecosystem, such as Polkadot, Kusama, Acala, Astar, among others; as well as building tooling to test and improve them. | ||
|
|
||
| This project will serve as the basis for his Bachelor Thesis, culminating in the completion of his degree in Mathematics. | ||
|
|
||
| ### Team Code Repos | ||
|
|
||
| Most of our contributions to the blockchain ecosystem can be found in our GitHub organization [zondax](https://github.com/zondax) | ||
|
|
||
| ## Development Status :open_book: | ||
|
|
||
| Not initiated. | ||
|
|
||
| ## Development Roadmap :nut_and_bolt: | ||
|
|
||
| ### Overview | ||
|
|
||
| - **Total Estimated Workload:** 16 weeks | ||
| - **Delivery Time:** 18 to 22 weeks | ||
| - **Full-Time Equivalent (FTE):** 0.5 | ||
| - **Total Costs:** 25'600 DAI | ||
|
|
||
| ### Milestone 1 — User Account Access Security Analysis for Wallets | ||
|
|
||
| - **Total Estimated Workload:** 16 weeks | ||
| - **Delivery Time:** 18 to 22 weeks | ||
| - **Full-Time Equivalent (FTE):** 0.5 | ||
| - **Total Costs:** 25'600 DAI | ||
|
|
||
| | Number | Deliverable | Specification | | ||
| | ------: | ----------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| | **0a.** | License | Apache 2.0 | | ||
| | **0b.** | Documentation | Document describing the threat model, scope of the analysis, and description of the approach/methodology used. | | ||
| | **1a.** | Analysis report: detection of unauthorized access vulnerabilities | Find (if any) vulnerabilities present in any wallet analyzed across all layers of investigation: account generation, restoring mechanisms, etc | | ||
| | **1b.** | Analysis report: minimal counterexamples for potential exploits | Provide (if any) minimal reproducible examples of all errors found in (2a). | | ||
| | **1c.** | Analysis report: user lockout risk assessment | Find (if any) potential lockout risk and describe strategies to minimize them. | | ||
| | **1d.** | Analysis report: non-critical improvements | Find (if any) potential improvements in user experience without compromising security. | | ||
| | **2a.** | Research paper | Paper defining and describing all models used to analyse User Account Access Security. | | ||
| | **2b.** | Code | By the end of the project, we'll make any code used public allowing anyone to use/extend our work. | | ||
|
|
||
| ## Future Plans | ||
|
|
||
| Zondax long-term vision will always be to investigate and improve every layer of Polkadot ecosystem. | ||
|
|
||
| ## Additional Information :heavy_plus_sign: | ||
|
|
||
| This project will conform the Bachelor Thesis in Mathematics of Carlo Sala. |