From 31251985b4942d5b116487709ff8c561797b7307 Mon Sep 17 00:00:00 2001 From: Arsalaan Alam <69048139+Arsalaan-Alam@users.noreply.github.com> Date: Wed, 24 Jan 2024 03:23:36 +0530 Subject: [PATCH 1/5] Create security analysis of user accounts.md --- .../security analysis of user accounts.md | 187 ++++++++++++++++++ 1 file changed, 187 insertions(+) create mode 100644 applications/security analysis of user accounts.md diff --git a/applications/security analysis of user accounts.md b/applications/security analysis of user accounts.md new file mode 100644 index 00000000000..e09f7743d56 --- /dev/null +++ b/applications/security analysis of user accounts.md @@ -0,0 +1,187 @@ +# User Account Access Security Analysis for Wallets + + +- **Team Name:** Zime +- **Payment Address:** Fiat Jan 23, 2024, 11:15 AM EST +- **[Level](https://github.com/w3f/Grants-Program/tree/master#level_slider-levels):** 2 + + +## Project Overview :page_facing_up: + +This application is in response to the RFP: [User Account Access Security Analysis for Wallets](https://grants.web3.foundation/docs/RFPs/user-account-access-analysis) + +### Overview + +This proposal outlines a comprehensive security analysis of popular Polkadot wallets (Polkadot-JS Browser Extension, Parity Signer, Talisman, etc) aiming to fortify the gateway to user assets and foster a more safe and user-friendly ecosystem. + +Polkadot's advanced account access features, including multi-signatures, proxies, account-abstraction and social recovery mechanisms, offer unprecedented flexibility and control. However, the inherent complexity of these mechanisms can create unintended security pitfalls and introduce vulnerability. Inadequate UI/UX, intricate user interactions, and potential vulnerabilities or loopholes in underlying implementations can expose user accounts to unauthorized access, lock-out risks, and user experience challenges. + +This project goes beyond simply identifying vulnerabilities. We aim to provide actionable solutions and technical enhancements for a more secure yet easy to use Polkadot wallet ecosystem. + + + +### Project Details + +#### Research Objectives + +Currently, we have a rough idea of what our multi-layered analysis & research will encompass: + +#### 1. Objective 1: Formalize and Analyze Account Access: +- Employ User Account Access Graphs (UAGs) (as mentioned [here](https://people.inf.ethz.ch/rsasse/pub/AccountAccessGraphs-CCS19.pdf)) to formally model account generation, access, backup, and recovery mechanisms in popular wallets like Polkadot-JS Browser Extension, subkey, and Talisman. +- Analyze model outputs to identify potential vulnerabilities and understand user interaction patterns impacting security. + +#### 2. Objective 2: Evaluate Security of Implementations and Protocols: +- Utilize automated scanners and fuzzers to discover vulnerabilities in wallet software codebases and underlying blockchain protocols. +- Conduct manual code reviews to identify logic flaws and security weaknesses not detected by automated tools. + +#### 3. Objective 3: Assess Server-Side Infrastructure Security: +- Investigate potential security weaknesses in server infrastructure interacting with wallets, focusing on data security, access control, and communication protocols. +- Analyze server-side logs and event data to identify suspicious activity and potential attack vectors. + +#### 4. Objective 4: Balance Security and Usability: +- Analyze user interactions and feedback to understand usability challenges that compromise security practices. +- Based on the security analysis findings, propose intuitive and user-friendly access control methods and security features that optimize user experience without compromising security. + +#### Methodology + +1. For formal modeling we’ll use the User Account Access Graphs (UAGs) as described in this [Paper](https://people.inf.ethz.ch/rsasse/pub/AccountAccessGraphs-CCS19.pdf) to analyze the security and recoverability of a user's account setup. +2. We’ll conduct comprehensive threat modeling exercises to identify potential attack vectors and assess their feasibility and impact. We’ll also be using automated scanners & fuzzers to detect anomalous behavior of wallets. +3. We will also conduct interviews with avid polkadot users who have used or faced issues with using proxies or social recovery mechanisms. From this we’ll identify usability issues, and gather feedback on security features. +4. We will actively collaborate with the Web3 Foundation for ongoing guidance, validation of findings, and alignment with Polkadot security best practices. + +#### Expected Results + +We would provide 3 different documents (2 analysis reports) & open-source code we use to perform analysis. + +#### 1. Threat Model and Analysis Scope Document: +Within the first few weeks, we’ll provide a foundational document outlining the identified threat models, the scope of our analysis encompassing wallets like Polkadot-JS Browser Extension, subkey, Polkadot-JS UI, Parity Signer, Talisman, etc., and the chosen methodologies for each research objective. This document represents the first phase of risk assessment. + +#### 2. Security Analysis Report: +Within the first month, we will also deliver a report that'll deeply elaborate on the detected vulnerabilities across all layers (UI, implementations, protocols, server-side) related to account generation, access, back-up, and restoring mechanism. The rough breakdown of the report would be: +1. Sound and complete detection of unauthorized access vulnerabilities: A detailed inventory of potential security breaches we find, allowing for immediate prioritization and mitigation. +2. Minimal counterexamples for potential exploits: Concise demonstrations of exploitable weaknesses, acting as blueprints for patching critical security gaps. +3. User lockout risk assessment and mitigation strategies: Identifying potential scenarios for user lockouts and providing strategies to minimize such risks. + +#### 3. Usability & Security Improvement Report: +In the following month, we will provide a dedicated report that will translate security findings into practical suggestions for optimizing user experience without compromising security. It will focus on: +1. Recommendations for specific security enhancements and implementations: A concrete roadmap outlining steps to strengthen wallet's defenses against identified vulnerabilities. +2. User-friendly security enhancements: Proposing intuitive ways to implement robust security features seamlessly integrated with the user experience & interface. + +#### 4. Open Source Models & Code: +We want to foster collaboration and benefit the broader community, hence at the end of our project we'll share: +1. Developed Models: Models for formalizing and analyzing different wallets, empowering others to build upon our work. +2. Automated Analysis Code: Any code created during the project, fostering continuous improvement and innovation. + +### What your project is *not* or will *not* provide or implement + +**This project will not:** +1. Implement security fixes: Our role is to identify and prioritize vulnerabilities; the responsibility for implementing recommended mitigations rests with individual wallet developers or other teams. +2. Go beyond wallet vulnerabilities: We won't be digging deep into all server intricacies or attempting full-fledged pentesting beyond the critical server aspects directly interacting with wallets. Identifying and prioritizing wallet vulnerabilities remains our core focus. + + +### Ecosystem Fit + +By safeguarding the gateways to user assets, this project strengthens the very foundation of the Polkadot ecosystem. Our comprehensive analysis and actionable recommendations will enable wallet developers to address critical vulnerabilities, enhancing user trust and confidence. Streamlined access control and intuitive security features developed through our findings will improve user experience, attracting wider adoption and fostering a more vibrant Polkadot community. + + +## Team :busts_in_silhouette: + +### Team members + +- Name of team leader: Arsalaan Alam +- Names of team members: Arsalaan Alam & Krishanu Dhar & some security consultants. + +### Contact + +- **Contact Name:** Arsalaan Alam +- **Contact Email:** arsalaanalamcollege@gmail.com + +### Legal Structure + +- **Registered Address:** No registered entity +- **Registered Legal Entity:** No registered entity + +### Team's experience + +We are a team of two talented full-stack web3 developers and have been in the web3 ecosystem for the past 3 years. Our main domain is privacy & security and we have been developing solutions for enhancing privacy for decentralized solutions since a while. + +Arsalaan is a sophomore at university studying computer science and is a full-stack web3 developer. Krish is a full-time storage & data security engineer by profession. We both have a lot of full-time experience of development and programming. + +Fun-fact: The combined number of hackathon victories for both of us is over 20. + +### Team Code Repos + +- Arsalaan - https://github.com/Arsalaan-Alam +- Krish - https://github.com/ronykris + +### Team LinkedIn Profiles (if available) + +- Arsalaan - https://www.linkedin.com/in/arsalaan-alam-375b281bb/ +- Krish - https://www.linkedin.com/in/krishanu-dhar + + +## Development Status :open_book: + +Not Commenced. + +## Development Roadmap :nut_and_bolt: + +### Overview + +- **Total Estimated Duration:** 10 weeks +- **Full-Time Equivalent (FTE):** 2 +- **Total Costs:** 29,000 USD + +### Milestone 1 Example — Literature Review and Data Collection + +- **Estimated duration:** 4-6 weeks +- **FTE:** 2 +- **Costs:** 15,000 USD + + + +| Number | Deliverable | Specification | +| -----: | ----------- | ------------- | +| **0a.** | License | Apache 2.0 | +| **0b.** | Documentation | We will document our whole research and provide articles at the end which will explain all the steps towards a safer wallet access mechanism for Polkadot Users. | +| **1.** | Threat Model and Analysis Scope Document| Within the first month, we’ll provide a foundational document outlining the identified threat model, the scope of our analysis encompassing wallets like Polkadot-JS Browser Extension, subkey, Polkadot-JS UI, Parity Signer, Talisman, etc., and the chosen methodologies for each research objective. This document represents the first phase of risk assessment. | +| **2.** | Security Analysis Report | In the second month, we will deliver a comprehensive report delving deep into detected vulnerabilities across all layers (UI, implementations, protocols, server-side) related to account generation, access, back-up, and restoring mechanisms. | +| **2a.** | Sound and complete detection of unauthorized access vulnerabilities | We'll provide a detailed inventory of potential security breaches we find, allowing for immediate prioritization and mitigation. | +| **2b.** | Minimal counterexamples for potential exploits | We'll provide concise demonstrations of exploitable weaknesses in the form of examples, acting as blueprints for patching critical security gaps. | +| **2c.** | User lockout risk assessment | We'll identify potential scenarios for temporary user lockouts and provide strategies to minimize such risks. | + + + +### Milestone 2 Example — Data Analysis + +- **Estimated Duration:** 4-6 Weeks +- **FTE:** 2 +- **Costs:** 14,000 USD + +| Number | Deliverable | Specification | +| -----: | ----------- | ------------- | +| **0a.** | License | Apache 2.0 | +| **0b.** | Documentation | We will document our whole research and provide articles at the end which will explain all the steps towards a safer wallet access mechanism for Polkadot Users. | +| **1.** | Usability & Security Improvement Report | We will provide a dedicated report that will translate security findings into practical suggestions for optimizing user experience without compromising security. | +| **1a.** | Security Recommendations for Infrastructure| We'll provide recommendations for specific security enhancements and implementations through a concrete roadmap that will outline steps to strengthen wallet's infra against identified vulnerabilities.| +| **1b.** | Security recommendations on the UX | We'll propose intuitive ways to implement robust security features based on the user-feedback that can directly be integrated with the user experience & interface. | +| **2.** | Open Source Models & Code| We want to encourage collaboration and benefit the broader community, hence at the end of our project we'll share: | +| **2a.** | Developed Models | We'll share the models for formalizing and analyzing different wallets, empowering others to build upon our work. | +| **2b.** | Automated Analysis Code | We'll share any code created during the project for automated analysis of Polkadot systems , fostering continuous improvement and innovation | + + +## Future Plans + +Our long-term vision extends beyond securing individual wallets. We aim to evolve into a comprehensive security resource for the entire Polkadot ecosystem, where we will research about emerging threats in smart contracts, cross-chain interactions, and beyond. + +## Referral Program (optional) :moneybag: + +You can find more information about the program [here](../README.md#moneybag-referral-program). + +- **Referrer:** N/A +- **Payment Address:** N/A + +## Additional Information :heavy_plus_sign: + +**How did you hear about the Grants Program?** Web3 Foundation Website + From 758688d8fa43ad1af291799e1a6acab46a7a7fe6 Mon Sep 17 00:00:00 2001 From: Arsalaan Alam <69048139+Arsalaan-Alam@users.noreply.github.com> Date: Wed, 24 Jan 2024 03:24:19 +0530 Subject: [PATCH 2/5] Create security-analysis-of-user-accounts.md --- ...s of user accounts.md => security-analysis-of-useraccounts.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename applications/{security analysis of user accounts.md => security-analysis-of-useraccounts.md} (100%) diff --git a/applications/security analysis of user accounts.md b/applications/security-analysis-of-useraccounts.md similarity index 100% rename from applications/security analysis of user accounts.md rename to applications/security-analysis-of-useraccounts.md From 6c37041e255d8584a4a5584696d3a8ea765b3d9a Mon Sep 17 00:00:00 2001 From: Arsalaan Alam <69048139+Arsalaan-Alam@users.noreply.github.com> Date: Thu, 25 Jan 2024 09:37:00 +0530 Subject: [PATCH 3/5] Update security-analysis-of-useraccounts.md --- applications/security-analysis-of-useraccounts.md | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/applications/security-analysis-of-useraccounts.md b/applications/security-analysis-of-useraccounts.md index e09f7743d56..3068d48f080 100644 --- a/applications/security-analysis-of-useraccounts.md +++ b/applications/security-analysis-of-useraccounts.md @@ -2,7 +2,7 @@ - **Team Name:** Zime -- **Payment Address:** Fiat Jan 23, 2024, 11:15 AM EST +- **Payment Address:** Fiat (Jan 23, 2024, 11:15 AM EST) - **[Level](https://github.com/w3f/Grants-Program/tree/master#level_slider-levels):** 2 @@ -98,8 +98,8 @@ By safeguarding the gateways to user assets, this project strengthens the very f ### Legal Structure -- **Registered Address:** No registered entity -- **Registered Legal Entity:** No registered entity +- **Registered Address:** (provided privately) +- **Registered Legal Entity:** (provided privately) ### Team's experience @@ -174,13 +174,6 @@ Not Commenced. Our long-term vision extends beyond securing individual wallets. We aim to evolve into a comprehensive security resource for the entire Polkadot ecosystem, where we will research about emerging threats in smart contracts, cross-chain interactions, and beyond. -## Referral Program (optional) :moneybag: - -You can find more information about the program [here](../README.md#moneybag-referral-program). - -- **Referrer:** N/A -- **Payment Address:** N/A - ## Additional Information :heavy_plus_sign: **How did you hear about the Grants Program?** Web3 Foundation Website From 3c481c0fd1be580b0997b1ff268b70ca0666210e Mon Sep 17 00:00:00 2001 From: Arsalaan Alam <69048139+Arsalaan-Alam@users.noreply.github.com> Date: Wed, 7 Feb 2024 03:52:31 +0530 Subject: [PATCH 4/5] Update security-analysis-of-useraccounts.md --- .../security-analysis-of-useraccounts.md | 115 +++++------------- 1 file changed, 33 insertions(+), 82 deletions(-) diff --git a/applications/security-analysis-of-useraccounts.md b/applications/security-analysis-of-useraccounts.md index 3068d48f080..a2ada607483 100644 --- a/applications/security-analysis-of-useraccounts.md +++ b/applications/security-analysis-of-useraccounts.md @@ -12,72 +12,43 @@ This application is in response to the RFP: [User Account Access Security Analys ### Overview -This proposal outlines a comprehensive security analysis of popular Polkadot wallets (Polkadot-JS Browser Extension, Parity Signer, Talisman, etc) aiming to fortify the gateway to user assets and foster a more safe and user-friendly ecosystem. +This proposal outlines a comprehensive security analysis of popular Polkadot wallets (Talisman, Subkey, Polkadot JS, Nova Wallet, Subwallet) aiming to fortify the gateway to user assets and foster a more robust and user-friendly ecosystem. Polkadot's advanced account access features, including multi-signatures, proxies, account-abstraction and social recovery mechanisms, offer unprecedented flexibility and control. However, the inherent complexity of these mechanisms can create unintended security pitfalls and introduce vulnerability. Inadequate UI/UX, intricate user interactions, and potential vulnerabilities or loopholes in underlying implementations can expose user accounts to unauthorized access, lock-out risks, and user experience challenges. -This project goes beyond simply identifying vulnerabilities. We aim to provide actionable solutions and technical enhancements for a more secure yet easy to use Polkadot wallet ecosystem. - - +This research project would also serve as the bachelor thesis of Arsalaan Alam who is studying computer science at [Plaksha University](https://plaksha.edu.in/), India. The output research paper would also be submitted to [ACM CCS 2024](https://www.sigsac.org/ccs/CCS2024/call-for/call-for-papers.html) in the second review cycle. ### Project Details #### Research Objectives -Currently, we have a rough idea of what our multi-layered analysis & research will encompass: - -#### 1. Objective 1: Formalize and Analyze Account Access: -- Employ User Account Access Graphs (UAGs) (as mentioned [here](https://people.inf.ethz.ch/rsasse/pub/AccountAccessGraphs-CCS19.pdf)) to formally model account generation, access, backup, and recovery mechanisms in popular wallets like Polkadot-JS Browser Extension, subkey, and Talisman. -- Analyze model outputs to identify potential vulnerabilities and understand user interaction patterns impacting security. - -#### 2. Objective 2: Evaluate Security of Implementations and Protocols: -- Utilize automated scanners and fuzzers to discover vulnerabilities in wallet software codebases and underlying blockchain protocols. -- Conduct manual code reviews to identify logic flaws and security weaknesses not detected by automated tools. - -#### 3. Objective 3: Assess Server-Side Infrastructure Security: -- Investigate potential security weaknesses in server infrastructure interacting with wallets, focusing on data security, access control, and communication protocols. -- Analyze server-side logs and event data to identify suspicious activity and potential attack vectors. +#### 1. Objective 1: Extending UAAGs to Formally Model Polkadot Wallet Access: -#### 4. Objective 4: Balance Security and Usability: -- Analyze user interactions and feedback to understand usability challenges that compromise security practices. -- Based on the security analysis findings, propose intuitive and user-friendly access control methods and security features that optimize user experience without compromising security. +This objective focuses on creating a detailed and accurate representation of popular Polkadot wallets, incorporating both technical aspects and human interaction elements: -#### Methodology +- **Account Generation:** We will employ User Account Access Graphs (UAAGs) (as mentioned [here](https://people.inf.ethz.ch/rsasse/pub/AccountAccessGraphs-CCS19.pdf))to formally model the account creation process across chosen wallets (Talisman, Subkey, Polkadot JS, Nova Wallet, Subwallet), emphasizing key generation, storage, and protection strategies. -1. For formal modeling we’ll use the User Account Access Graphs (UAGs) as described in this [Paper](https://people.inf.ethz.ch/rsasse/pub/AccountAccessGraphs-CCS19.pdf) to analyze the security and recoverability of a user's account setup. -2. We’ll conduct comprehensive threat modeling exercises to identify potential attack vectors and assess their feasibility and impact. We’ll also be using automated scanners & fuzzers to detect anomalous behavior of wallets. -3. We will also conduct interviews with avid polkadot users who have used or faced issues with using proxies or social recovery mechanisms. From this we’ll identify usability issues, and gather feedback on security features. -4. We will actively collaborate with the Web3 Foundation for ongoing guidance, validation of findings, and alignment with Polkadot security best practices. +- **Access Management:** We will scrutinize user authentication and authorization procedures, identifying potential vulnerabilities involving multi-signatures and anonymous proxies. -#### Expected Results +- **Backup & Recovery Mechanisms:** We will evaluate the effectiveness and security of backup and recovery systems employed by each wallet. -We would provide 3 different documents (2 analysis reports) & open-source code we use to perform analysis. - -#### 1. Threat Model and Analysis Scope Document: -Within the first few weeks, we’ll provide a foundational document outlining the identified threat models, the scope of our analysis encompassing wallets like Polkadot-JS Browser Extension, subkey, Polkadot-JS UI, Parity Signer, Talisman, etc., and the chosen methodologies for each research objective. This document represents the first phase of risk assessment. + +#### 2. Objective 2: Analyze Security Vulnerabilities and User-Centric Issues: -#### 2. Security Analysis Report: -Within the first month, we will also deliver a report that'll deeply elaborate on the detected vulnerabilities across all layers (UI, implementations, protocols, server-side) related to account generation, access, back-up, and restoring mechanism. The rough breakdown of the report would be: -1. Sound and complete detection of unauthorized access vulnerabilities: A detailed inventory of potential security breaches we find, allowing for immediate prioritization and mitigation. -2. Minimal counterexamples for potential exploits: Concise demonstrations of exploitable weaknesses, acting as blueprints for patching critical security gaps. -3. User lockout risk assessment and mitigation strategies: Identifying potential scenarios for user lockouts and providing strategies to minimize such risks. +Building upon the previous established models, this objective focuses on identifying and mitigating security vulnerabilities on the user side. We will conduct a multi-pronged security analysis encompassing: -#### 3. Usability & Security Improvement Report: -In the following month, we will provide a dedicated report that will translate security findings into practical suggestions for optimizing user experience without compromising security. It will focus on: -1. Recommendations for specific security enhancements and implementations: A concrete roadmap outlining steps to strengthen wallet's defenses against identified vulnerabilities. -2. User-friendly security enhancements: Proposing intuitive ways to implement robust security features seamlessly integrated with the user experience & interface. +- **Unauthorized Access Prevention:** Employ both automated and manual techniques to detect weaknesses that could enable unauthorized access, particularly those exploiting multi-signature features or anonymous proxies. +- **User Lockout Mitigation:** Identify and assess potential scenarios where legitimate users might get locked out due to security measures or technical errors, proposing preventive solutions. +- **Streamlined Authentication:** Analyze authentication processes for redundancies that hinder user experience while maintaining robust security. -#### 4. Open Source Models & Code: -We want to foster collaboration and benefit the broader community, hence at the end of our project we'll share: -1. Developed Models: Models for formalizing and analyzing different wallets, empowering others to build upon our work. -2. Automated Analysis Code: Any code created during the project, fostering continuous improvement and innovation. ### What your project is *not* or will *not* provide or implement **This project will not:** + 1. Implement security fixes: Our role is to identify and prioritize vulnerabilities; the responsibility for implementing recommended mitigations rests with individual wallet developers or other teams. -2. Go beyond wallet vulnerabilities: We won't be digging deep into all server intricacies or attempting full-fledged pentesting beyond the critical server aspects directly interacting with wallets. Identifying and prioritizing wallet vulnerabilities remains our core focus. +2. Go beyond wallet analysis:. We would not be attempting full-fledged pentesting. Our core focus remains on extending UAAGs to understand polkadot wallet access-control functionalities ### Ecosystem Fit @@ -89,7 +60,7 @@ By safeguarding the gateways to user assets, this project strengthens the very f ### Team members - Name of team leader: Arsalaan Alam -- Names of team members: Arsalaan Alam & Krishanu Dhar & some security consultants. +- Names of team members: Arsalaan Alam & Krishanu Dhar (+ [advisors](https://plaksha.edu.in/faculty-details/dr-tapas-pandit) from Plaksha University). ### Contact @@ -105,9 +76,11 @@ By safeguarding the gateways to user assets, this project strengthens the very f We are a team of two talented full-stack web3 developers and have been in the web3 ecosystem for the past 3 years. Our main domain is privacy & security and we have been developing solutions for enhancing privacy for decentralized solutions since a while. -Arsalaan is a sophomore at university studying computer science and is a full-stack web3 developer. Krish is a full-time storage & data security engineer by profession. We both have a lot of full-time experience of development and programming. +Arsalaan is a sophomore at university studying computer science & math and is a fullstack web3 developer, programmer, cybersec enthusiast & also aspires to get into academia. Arsalaan has been building & contributing to projects in web3 for the last 3 years. He has participated in over 30 hackathons and won 20 of them. +.Krish is a full-time storage & data security engineer by profession. We both have a lot of full-time experience of development and programming. + +The paper would serve as the bachelor thesis of Arsalaan Alam and would be advised by Krish and [math & cryptography professors at Plaksha University](https://plaksha.edu.in/faculty-details/dr-tapas-pandit). -Fun-fact: The combined number of hackathon victories for both of us is over 20. ### Team Code Repos @@ -128,51 +101,29 @@ Not Commenced. ### Overview -- **Total Estimated Duration:** 10 weeks -- **Full-Time Equivalent (FTE):** 2 -- **Total Costs:** 29,000 USD - -### Milestone 1 Example — Literature Review and Data Collection +- **Total Estimated Duration:** ~3 Months (paper to be submitted to CCS by April 28th) +- **Full-Time Equivalent (FTE):** 0.75 +- **Total Costs:** 22,000 USD -- **Estimated duration:** 4-6 weeks -- **FTE:** 2 -- **Costs:** 15,000 USD +### Milestone 1 +- **Estimated duration:** ~3 Months +- **FTE:** 0.75 +- **Costs:** 22,000 USD | Number | Deliverable | Specification | | -----: | ----------- | ------------- | | **0a.** | License | Apache 2.0 | -| **0b.** | Documentation | We will document our whole research and provide articles at the end which will explain all the steps towards a safer wallet access mechanism for Polkadot Users. | -| **1.** | Threat Model and Analysis Scope Document| Within the first month, we’ll provide a foundational document outlining the identified threat model, the scope of our analysis encompassing wallets like Polkadot-JS Browser Extension, subkey, Polkadot-JS UI, Parity Signer, Talisman, etc., and the chosen methodologies for each research objective. This document represents the first phase of risk assessment. | -| **2.** | Security Analysis Report | In the second month, we will deliver a comprehensive report delving deep into detected vulnerabilities across all layers (UI, implementations, protocols, server-side) related to account generation, access, back-up, and restoring mechanisms. | -| **2a.** | Sound and complete detection of unauthorized access vulnerabilities | We'll provide a detailed inventory of potential security breaches we find, allowing for immediate prioritization and mitigation. | -| **2b.** | Minimal counterexamples for potential exploits | We'll provide concise demonstrations of exploitable weaknesses in the form of examples, acting as blueprints for patching critical security gaps. | -| **2c.** | User lockout risk assessment | We'll identify potential scenarios for temporary user lockouts and provide strategies to minimize such risks. | - - - -### Milestone 2 Example — Data Analysis - -- **Estimated Duration:** 4-6 Weeks -- **FTE:** 2 -- **Costs:** 14,000 USD - -| Number | Deliverable | Specification | -| -----: | ----------- | ------------- | -| **0a.** | License | Apache 2.0 | -| **0b.** | Documentation | We will document our whole research and provide articles at the end which will explain all the steps towards a safer wallet access mechanism for Polkadot Users. | -| **1.** | Usability & Security Improvement Report | We will provide a dedicated report that will translate security findings into practical suggestions for optimizing user experience without compromising security. | -| **1a.** | Security Recommendations for Infrastructure| We'll provide recommendations for specific security enhancements and implementations through a concrete roadmap that will outline steps to strengthen wallet's infra against identified vulnerabilities.| -| **1b.** | Security recommendations on the UX | We'll propose intuitive ways to implement robust security features based on the user-feedback that can directly be integrated with the user experience & interface. | -| **2.** | Open Source Models & Code| We want to encourage collaboration and benefit the broader community, hence at the end of our project we'll share: | -| **2a.** | Developed Models | We'll share the models for formalizing and analyzing different wallets, empowering others to build upon our work. | -| **2b.** | Automated Analysis Code | We'll share any code created during the project for automated analysis of Polkadot systems , fostering continuous improvement and innovation | - +| **0b.** | Documentation | Document describing the threat model, scope of the analysis, and description of the approach/methodology used. | +| **1.** | Research Paper| This would be an academic paper and the main deliverable. In this paper we wil extend UAAGs to formally model account generation (scrutinizing key management and potential privacy risks), access control (evaluating multi-sig and anonymous proxy vulnerabilities), and backup/recovery mechanisms (identifying weaknesses that hinder restoration or expose data). | +| **2.** | Analysis Report | This analysis report leverages insights from adapted UAAG models to uncover sound and complete detection methods for unauthorized access. It provides minimal reproducible exploit examples when applicable, further assessing user experience by analyzing both temporal and definitive lockout risks and proposing mitigation strategies. Stepping beyond mere vulnerability identification, the report leverages security analysis findings to recommend specific usability improvements that streamline authentication processes without compromising security.| +| **3.** | Code | All the code we write for automated analysis will be made public to foster Open-Source collaboration. If we come up with different or abstracted versions of formalizing, we'll make those methods public too :) | +| **4.** | Engagements | We will actively collaborate with the Web3 Foundation for ongoing guidance, validation of findings, and alignment with Polkadot security best practices & specifics. | ## Future Plans -Our long-term vision extends beyond securing individual wallets. We aim to evolve into a comprehensive security resource for the entire Polkadot ecosystem, where we will research about emerging threats in smart contracts, cross-chain interactions, and beyond. +We plan to become a big contributor to the whole Polkadot ecosystem. We'll do our best to improve the ecosystem as well as the community through our both technical and non-technical endeavours! ## Additional Information :heavy_plus_sign: From ca8baf7abda284c82c044305be08b2fd4b610b08 Mon Sep 17 00:00:00 2001 From: Arsalaan Alam <69048139+Arsalaan-Alam@users.noreply.github.com> Date: Wed, 7 Feb 2024 15:44:24 +0530 Subject: [PATCH 5/5] Update Price security-analysis-of-useraccounts.md --- applications/security-analysis-of-useraccounts.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/applications/security-analysis-of-useraccounts.md b/applications/security-analysis-of-useraccounts.md index a2ada607483..16ecdd166c0 100644 --- a/applications/security-analysis-of-useraccounts.md +++ b/applications/security-analysis-of-useraccounts.md @@ -76,7 +76,7 @@ By safeguarding the gateways to user assets, this project strengthens the very f We are a team of two talented full-stack web3 developers and have been in the web3 ecosystem for the past 3 years. Our main domain is privacy & security and we have been developing solutions for enhancing privacy for decentralized solutions since a while. -Arsalaan is a sophomore at university studying computer science & math and is a fullstack web3 developer, programmer, cybersec enthusiast & also aspires to get into academia. Arsalaan has been building & contributing to projects in web3 for the last 3 years. He has participated in over 30 hackathons and won 20 of them. +[Arsalaan](https://www.arsalaan.bio/) is a freshman at university studying computer science & math and is a fullstack web3 developer, programmer, cybersec enthusiast & also aspires to get into academia. Arsalaan has been building & contributing to projects in web3 for the last 3 years. He has participated in over 30 hackathons and won 20 of them. .Krish is a full-time storage & data security engineer by profession. We both have a lot of full-time experience of development and programming. The paper would serve as the bachelor thesis of Arsalaan Alam and would be advised by Krish and [math & cryptography professors at Plaksha University](https://plaksha.edu.in/faculty-details/dr-tapas-pandit). @@ -102,14 +102,14 @@ Not Commenced. ### Overview - **Total Estimated Duration:** ~3 Months (paper to be submitted to CCS by April 28th) -- **Full-Time Equivalent (FTE):** 0.75 -- **Total Costs:** 22,000 USD +- **Full-Time Equivalent (FTE):** 1.25 +- **Total Costs:** 20,000 USD ### Milestone 1 - **Estimated duration:** ~3 Months -- **FTE:** 0.75 -- **Costs:** 22,000 USD +- **FTE:** 1.25 +- **Costs:** 20,000 USD | Number | Deliverable | Specification |