Application research_wallets.md
ainhoa-a authored Jan 26, 2024
1 parent 8e15a78 commit 6d5869b
Showing 1 changed file with 133 additions and 0 deletions.
133 changes: 133 additions & 0 deletions applications/research_wallets.md
@@ -0,0 +1,133 @@
# User Account Access Security Analysis for Wallets

- **Team Name:** Zondax AG
- **Payment Address:** (DAI ERC 20) 0xf50a09731dc32a64431920e10e1e58dce28e6b11
- **[Level](https://github.com/w3f/Grants-Program/tree/master#level_slider-levels):** 2

## Project Overview :page_facing_up:

This application aims to complete [User Account Access Security Analysis for Wallets RFP](https://grants.web3.foundation/docs/RFPs/user-account-access-analysis).

### Overview

This research proposal targets analyzing Polkadot's user-facing security protocols, focusing on complex account generation and access mechanisms, including multi-signatures and proxies. It plans to model and evaluate these processes in popular Polkadot wallets, aiming to identify security loopholes and user lockout scenarios while streamlining authentication and enhancing user experience.

This project will serve as the basis for the Bachelor Thesis of [Carlo Sala](https://github.com/carlosala), who has been working during the last two years at zondax contributing in building and maintaining several Ledger apps in the Polkadot ecosystem. This research will lead him towards completing his degree in Mathematics at [Universtat Autònoma de Barcelona](https://www.uab.cat/).

### Project Details

#### Research Goals

#### 1. Extend and Formalize account access graphs for blockchain:

The proposed research involves expanding the framework outlined in the _User Account Access Graphs_ ([paper](https://people.inf.ethz.ch/rsasse/pub/AccountAccessGraphs-CCS19.pdf)) to accommodate the unique features of blockchain technology, with a specific focus on the Polkadot ecosystem.

This expansion entails incorporating the distinct aspects of Polkadot, such as multisignature (multisig) accounts, stashing (a mechanism for securing assets), proxy accounts (which allow one account to act on behalf of another), and the use of hardware wallets (physical devices that store private keys). The objective is to adapt and refine the account access graph model to accurately represent and analyze the complex and varied ways in which users can interact with and access their assets within the Polkadot blockchain environment. This adaptation will consider the intricate security and operational dynamics of Polkadot's features, ensuring that the model remains relevant and effective in this advanced blockchain context.

#### 2. Access Security analysis and evaluation

We aim to conduct comprehensive evaluations of User Account Access Security across a range of wallets, including but not limited to:

- [Polkadot-JS](https://polkadot.js.org)
- [SubWallet](https://www.subwallet.app)
- [Talisman](https://www.talisman.xyz)
- [Subkey](https://docs.substrate.io/reference/command-line-tools/subkey/)

Our methodology will incorporate automated and/or manual assessment techniques, the selection of which will be determined based on preliminary findings to ensure the most effective evaluation approach.

Additionally, the scope extends to examining hardware wallets such as:

- [Polkadot Vault](https://signer.parity.io/)
- [Ledger](https://www.ledger.com/)
- [Kampela](https://www.kampe.la/)

and will focus be on identifying potential security vulnerabilities and assessing the risk of user lockouts.

During the security evaluations, we will also try to identify and suggest UX improvements. Our goal is to streamline user access while maintaining the highest security standards.

### What your project is _not_ or will _not_ provide or implement

This project will not: focus on exhaustive pentesting. Our goal is to provide a theoretical framework to assess User Account Access Security in Polkadot ecosystem.

### Ecosystem Fit

User Account Access is a key security concern in any digital environment. Developing a practical model and applying it to top wallet providers within the Polkadot ecosystem can greatly improve both trust and security. This approach aims to make the ecosystem safer and more secure.

## Team :busts_in_silhouette:

### Team members

- Mathematician / Engineer: Carlo Sala
- GitHub: https://github.com/carlosala
- LinkedIn: https://linkedin.com/in/carlosalagancho
- 1 x Project Manager

### Contact

- **Contact Name:** Juan Leni and Ainhoa Aldave
- **Contact Email:** juan.leni@zondax.ch / ainhoa.aldave@zondax.ch
- **Website:** [zondax.ch](https://www.zondax.ch/)

### Legal Structure

Zondax AG

Dammstrasse 16

Zug 6300, Switzerland

UID CHE-491.796.576

### Team's experience

Over the last few years, Zondax has been involved in a large number of projects for most of the key players in the blockchain industry.
Our team includes experts in most blockchain aspects, from cryptography to data and protocol engineering.

Carlo Sala is a Mathematics student at [Universtat Autònoma de Barcelona](https://www.uab.cat/) and Software Engineer at Zondax for 2+ years in the Security team. He maintains as well a big OSS project outside of blockchain ecosystem.

Carlo has been working during the last two years building and maintaining several Ledger apps in the Polkadot ecosystem, such as Polkadot, Kusama, Acala, Astar, among others; as well as building tooling to test and improve them.

This project will serve as the basis for his Bachelor Thesis, culminating in the completion of his degree in Mathematics.

### Team Code Repos

Most of our contributions to the blockchain ecosystem can be found in our GitHub organization [zondax](https://github.com/zondax)

## Development Status :open_book:

Not initiated.

## Development Roadmap :nut_and_bolt:

### Overview

- **Total Estimated Workload:** 16 weeks
- **Delivery Time:** 18 to 22 weeks
- **Full-Time Equivalent (FTE):** 0.5
- **Total Costs:** 25'600 DAI

### Milestone 1 — User Account Access Security Analysis for Wallets

- **Total Estimated Workload:** 16 weeks
- **Delivery Time:** 18 to 22 weeks
- **Full-Time Equivalent (FTE):** 0.5
- **Total Costs:** 25'600 DAI

| Number | Deliverable | Specification |
| ------: | ----------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
| **0a.** | License | Apache 2.0 |
| **0b.** | Documentation | Document describing the threat model, scope of the analysis, and description of the approach/methodology used. |
| **1a.** | Analysis report: detection of unauthorized access vulnerabilities | Find (if any) vulnerabilities present in any wallet analyzed across all layers of investigation: account generation, restoring mechanisms, etc |
| **1b.** | Analysis report: minimal counterexamples for potential exploits | Provide (if any) minimal reproducible examples of all errors found in (2a). |
| **1c.** | Analysis report: user lockout risk assessment | Find (if any) potential lockout risk and describe strategies to minimize them. |
| **1d.** | Analysis report: non-critical improvements | Find (if any) potential improvements in user experience without compromising security. |
| **2a.** | Research paper | Paper defining and describing all models used to analyse User Account Access Security. |
| **2b.** | Code | By the end of the project, we'll make any code used public allowing anyone to use/extend our work. |

## Future Plans

Zondax long-term vision will always be to investigate and improve every layer of Polkadot ecosystem.

## Additional Information :heavy_plus_sign:

This project will conform the Bachelor Thesis in Mathematics of Carlo Sala.
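
Review bot: Deliverable 1b in the Milestone 1 table refers to "all errors found in (2a)", but 2a is the research paper, while the vulnerability report is 1a, so the cross-reference should read (1a). The same deliverable promises "minimal reproducible examples" while the "will _not_ provide" section rules out exhaustive pentesting; state whether those counterexamples are traces in the account access graph model or reproductions against the wallets themselves. Deliverable 0b names a threat model, yet nothing in Research Goals says which attacker capabilities are in scope for multisig, proxy and hardware-wallet access paths, so a sentence on that would make 1a and 1c assessable. Smaller points: "and will focus be on" after the hardware wallet list should read "and the focus will be on", "Universtat" is misspelled in both places it appears, and the Overview block under Development Roadmap duplicates the Milestone 1 figures verbatim.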
