decentralized-security-marketplace escrow protocol proposal

[aka-toxa]

Project Abstract

This is a response for a #1452 RFP

This project aims to build a universal escrow protocol on !ink to let other developer build their own marketplaces or manage their payments in transparent and fair way. This project derives an idea of decentralised security marketplace proposed by the grants team, so the use-case described below respect an idea about security audits. However this project may be used in many other ways.

Grant level

• Level 1: Up to $10,000, 2 approvals
• Level 2: Up to $30,000, 3 approvals
• Level 3: Unlimited, 5 approvals (for >$100k: Web3 Foundation Council approval)

Application Checklist

• The application template has been copied and aptly renamed (project_name.md).
• I have read the application guidelines.
• Payment details have been provided (bank details via email or BTC, Ethereum (USDC/DAI) or Polkadot/Kusama (USDT) address in the application).
• The software delivered for this grant will be released under an open-source license specified in the application.
• The initial PR contains only one commit (squash and force-push if needed).
• The grant will only be announced once the first milestone has been accepted (see the announcement guidelines).
• I prefer the discussion of this application to take place in a private Element/Matrix channel. My username is: @_______:matrix.org (change the homeserver if you use a different one)

[CLAassistant]

All committers have signed the CLA.

[0xCaso]

Thanks a lot @aka-toxa for the application. It looks really interesting, and definitely reasonable.
I start with the following questions:

• About the Governance smart contract, which has an important role in the whole project: in one of the images you wrote "Contract calculates rewards that has to be distributed to Engineer". Did you already think about how this can be made?

• About the Judges: are you thinking about their rotation (for example, a Judge cannot perform more than 3 validations), and how to treat their possible misbehaviour?

• About the Amazon infrastructure: do you think it's the only way to optimise the front-end interaction? For example, Epirus project (v1, v2) used "just" an indexer, but I don't know if this is applicable to your solution.

[0xCaso]

I also added some mini fixes

[Noc2]

Thanks for the application and your interest in our grant program. I also shared the application with the people who wrote the RFP, but apart from I have a few initial questions/comments:

• We usually don’t support the deployment of a smart contract. Only the technical development and the work that is useful for others. (e.g. Smart Contracts version 1.0) or milestone 4 deployment. One solution might be, if you don’t have any other business model, to initially apply for a grant to develop a PoC and after this to apply for treasury funding.
• Usually, we ask teams to initially provide some mock-ups or designs for front-end focused applications or at least parts of them.

[bhargavbh]

Thank you for your interest. The proposal seems interesting but i have a few high-level questions before getting into technical aspects:

1. The way the process is currently setup, Judges seem to be playing an extremely central role (more than necessary in my opinion). For most audit reports submitted by the engineers, the projects (who requested for audit) are in the best position to evaluate the audit report. If the engineer and project mutually agree with the findings of audit, then there should be a short-circuit to directly approve the fund-release without involving judges. It is only when there is a dispute between the engineer and project, the judge should be involved.
2. what is the mechanism you propose to keep the judges anonymous. This is to avoid collusion between the parties. For e.g., if the engineer can find out who the judge is, then he can bribe to get the audit passed. Anonymity is crucial for the whole system to work and some core concepts like VRF can help in achieving it, demonstrating a clear delta over Web2 solutions.
3. What substrate specific technologies do you plan to use. By 'Rust smart contracts' do you mean ink! ?
4. How modular can this solution be implemented so that the core template can be used for any marketplace supported by escrows?

[aka-toxa]

hey @0xCaso

• About the Governance smart contract, which has an important role in the whole project: in one of the images you wrote "Contract calculates rewards that has to be distributed to Engineer". Did you already think about how this can be made?

• Yes! Issues could be found in the projects are categorised by serenity usually, for example: low, medium, critical

each issue type can have it's own "price". For example, Project announce it will pay for each low serenity issue 50 USD, for medium 150 USD and for critical 500 USD

Every time when Engineer ready to submit report they estimate issues serenity by them selfs and put it into the proposal.
For example, if I found 2 low serenity issues and 1 critical issue, I put my report to the IPFS, and specify this in the proposal. The protocol can calculate 2 * 50 + 1 * 500 = 600 USD and put it as a value of the proposal. When everyone agree with that and everything is fine - proposal is approved and 600 USD goes to the proposal author

• About the Judges: are you thinking about their rotation (for example, a Judge cannot perform more than 3 validations), and how to treat their possible misbehaviour?

Yes we are thinking about this. Ideally we would like to see a lot of community members as Judges and Ideally they would have to manually apply to the project to be a Judge for this particular project. All voting and all activities should be transparent and clear for the whole community to ensure fairness and good reputation for all actors

• About the Amazon infrastructure: do you think it's the only way to optimise the front-end interaction? For example, Epirus project (v1, v2) used "just" an indexer, but I don't know if this is applicable to your solution.

Thats a good point, we have dispute in our team right now about that as well I might update the proposal with something we come up with that would be better than AWS, thanks!

[aka-toxa]

Hey @Noc2

• We usually don’t support the deployment of a smart contract. Only the technical development and the work that is useful for others. (e.g. Smart Contracts version 1.0) or milestone 4 deployment. One solution might be, if you don’t have any other business model, to initially apply for a grant to develop a PoC and after this to apply for treasury funding.

well, the core of this project is a transparent escrow protocol it is essential and I don't see any ways to extract or remove it from the project. Since the whole thing will be open-sourced I see a huge benefit for the community for both frontend and protocol implementation.

I see your point splitting proposals into two: PoC (protocol, minimal frontend) and then Product itself, let me discuss it with my team

• Usually, we ask teams to initially provide some mock-ups or designs for front-end focused applications or at least parts of them.

I'm not sure it is a front-end focused application though. We are looking to implement the reputation-based escrow protocol where the community can rely on reputation and prev. work of others to be able to solve their security issues. I'd say the frontend here is secondary and at the same time important

[aka-toxa]

hey @bhargavbh

• The way the process is currently setup, Judges seem to be playing an extremely central role (more than necessary in my opinion). For most audit reports submitted by the engineers, the projects (who requested for audit) are in the best position to evaluate the audit report. If the engineer and project mutually agree with the findings of audit, then there should be a short-circuit to directly approve the fund-release without involving judges. It is only when there is a dispute between the engineer and project, the judge should be involved.

yeah some part of my team think the same way. I think we can provide flexibility: project with judges or without.
My personal experience working with my customers tells me that most of the projects cannot verify the work of security engineers by them selfs and they could ask for thrid-party judges just to help verify findings, so they could be involved even if there no dispute but expertise of the project team is not enough to accept the work.

But ultimately this system does not require thrid party judges, projects can approve report as well, I will add this note to the proposal...

• what is the mechanism you propose to keep the judges anonymous. This is to avoid collusion between the parties. For e.g., if the engineer can find out who the judge is, then he can bribe to get the audit passed. Anonymity is crucial for the whole system to work and some core concepts like VRF can help in achieving it, demonstrating a clear delta over Web2 solutions.

I don't think keeping judges anonymous is a good idea, because every time you have anonymous judges there is always corruption happens. Having fully transparent and visible mechanisms helps this system build trust and reputation for every party involved: Judges, Engineers, Projects. Every Judge, Engineer and Project will have a transparent report history, proposal history, judgements history, disputes history and it will be very easy define who is fair and who is not.

• What substrate specific technologies do you plan to use. By 'Rust smart contracts' do you mean ink! ?

Yes! I mean ink! but some part of my team thinking implementing the whole protocol on solidity and deploy to evm compatible parachain but I think it would be better to stick with something that any parachain can run so anyone can deploy the protocol anywhere, what do you think?

• How modular can this solution be implemented so that the core template can be used for any marketplace supported by escrows?

Yes, the idea is that the protocol can be used anywhere for any purposes where escrow can be applied. This is actually a good question that help me see that probably @Noc2 was right and it is better to start from the protocol first do not think about the security marketplace for now and then let everyone build any type of marketplace they want

[0xCaso]

Yes! Issues could be found in the projects are categorised by serenity usually, for example: low, medium, critical

each issue type can have it's own "price". For example, Project announce it will pay for each low serenity issue 50 USD, for medium 150 USD and for critical 500 USD

Every time when Engineer ready to submit report they estimate issues serenity by them selfs and put it into the proposal. For example, if I found 2 low serenity issues and 1 critical issue, I put my report to the IPFS, and specify this in the proposal. The protocol can calculate 2 * 50 + 1 * 500 = 600 USD and put it as a value of the proposal. When everyone agree with that and everything is fine - proposal is approved and 600 USD goes to the proposal author

Ok clear, thanks, that makes sense and should be feasible to implement.

Yes we are thinking about this. Ideally we would like to see a lot of community members as Judges and Ideally they would have to manually apply to the project to be a Judge for this particular project. All voting and all activities should be transparent and clear for the whole community to ensure fairness and good reputation for all actors

Yes, that's also a nice solution to make Judges apply for the single project. Maybe it would be nice to track Judge in a dashboard, so it's visible how many times they performed and misbehaved.
Btw, I also agree with the point 1. of @bhargavbh's comment.

Thats a good point, we have dispute in our team right now about that as well I might update the proposal with something we come up with that would be better than AWS, thanks!

Great!

[Noc2]

Thanks for the update. A few follow-up comments:

• Regarding the front end, at the moment, we would basically only really see the scope of the second milestone (19k) after the delivery of the first milestone, “Frontend app figma design”. This is partly why for front-end applications, we require some initial designs/mock-ups upfront. But feel free to remove the front end entirely for now.
• In general, the deliveries of the milestones need to be better defined. The milestone tables are basically the requirements of our contracts, and for example, “Repo with the code of smart contracts” could mean anything at the moment. It would be nice to have here the functionality of the smart contract described as well as the programming language, etc. I assume you want to leverage ink! For this project. Also, for Souldbound NFT, I believe there are already some smart contracts available that you could potentially reuse.
• Feel free to remove the deployment from the deliveries.

[bhargavbh]

Thanks for the replies.

yeah some part of my team think the same way. I think we can provide flexibility: project with judges or without. My personal experience working with my customers tells me that most of the projects cannot verify the work of security engineers by them selfs and they could ask for thrid-party judges just to help verify findings, so they could be involved even if there no dispute but expertise of the project team is not enough to accept the work.
But ultimately this system does not require thrid party judges, projects can approve report as well, I will add this note to the proposal...

This is subjective, however it should not be hard to change the underlying platform based on user data and feedback at a later stage. I would suggest, both methods be implemented (i.e., always via judge and short-circuiting)

I don't think keeping judges anonymous is a good idea, because every time you have anonymous judges there is always corruption happens. Having fully transparent and visible mechanisms helps this system build trust and reputation for every party involved: Judges, Engineers, Projects. Every Judge, Engineer and Project will have a transparent report history, proposal history, judgements history, disputes history and it will be very easy define who is fair and who is not.

Not sure if reputation system is the best approach (specially for audit services), with all the possible sybil attack surfaces opening up. Since there is no verification of physical identity, banned actors can always rejoin with new accounts making the reputation system ineffective. I however do see you point that one-way anonymity is again ineffective. I think there is a huge design space to be explored here with several considerations that are only clear during the course of implementation. I guess the guiding principles that we can agree upon at this stage are sybil resistance and corruption resistance to a reasonable degree.

Yes! I mean ink! but some part of my team thinking implementing the whole protocol on solidity and deploy to evm compatible parachain but I think it would be better to stick with something that any parachain can run so anyone can deploy the protocol anywhere, what do you think?

ink! contracts are something that we are happy to support, and since there is no escrow-service based template already existing in ink, it could be the core contribution of this project.

Yes, the idea is that the protocol can be used anywhere for any purposes where escrow can be applied. This is actually a good question that help me see that probably @Noc2 was right and it is better to start from the protocol first do not think about the security marketplace for now and then let everyone build any type of marketplace they want.

Great, it would be ideal to have a modular escrow template and derive the specific auditing platform contract from it.

In general, as suggested by @Noc2 , please add more details in the deliverables section and structure each deliverable into subtasks if needed.

[aka-toxa]

Thank you guys for all your replies!
It is indeed better for the community to have opensource escrow protocol then just a single marketplace. Later when it will be done we will be able to implement our marketplace as both: security marketplace and protocol showcase

I'm now preparing contract-focused application with a bit more details about the protocol and contracts collected last week with my technical design team. what do you think would that be better to close this application and start new pull request with the link to this one or I can just edit this one?

[aka-toxa]

hey @Noc2 @semuelle

I did a reevaluation round with my team and community CTO and we did our best to estimate all of more optimistically. The cost of development isn't changed much but it gets a bit lower.

also I've addressed your comments about docker environment and tests in each milestone. I've tried to be more clear about intentions and steps of development

pleas take a look

[aka-toxa]

@Noc2 @semuelle hey folks

any further comments? :)

[randombishop]

Hi @aka-toxa and thank you for this grant application!

My personal independent opinion: given your Test Driven approach, I would recommend working on the first milestone and finishing the test suite before applying for a grant. That will make the deliverable specifications more concrete and easier to size and assess a grant eligibility.

[Noc2]

Thanks for the update. I have a few additional comments:

• “Stabilisation and production readiness” is something that we usually don’t support. Also, because we don’t know what you actually will do as part of the delivery. So I would remove this for now from the grant. If you don’t have a business model/token and you want to deploy this in the future, you could, for example, ask the treasury to fund audits and maintenance, etc.
• The milestone tables still don’t contain the technical details, like programming/smart contract language
• Milestone 3 also says: “Rewards Pool implementation.” But it's actually about the governance smart contract as far as I can see

[aka-toxa]

hey @Noc2

Thanks for the update. I have a few additional comments:

“Stabilisation and production readiness” is something that we usually don’t support. Also, because we don’t know what you actually will do as part of the delivery. So I would remove this for now from the grant. If you don’t have a business model/token and you want to deploy this in the future, you could, for example, ask the treasury to fund audits and maintenance, etc.

The name of milestone is misleading, it's purely about e2e tests and user guides and user manuals: how to build, test and deploy. it is not a stabilization, I've just renamed the milestone

The milestone tables still don’t contain the technical details, like programming/smart contract language

added programming language

Milestone 3 also says: “Rewards Pool implementation.” But it's actually about the governance smart contract as far as I can see

I don't see any mention of "rewards pool implementation" on milestone 3, can you please doublecheck?

[Noc2]

Thanks for the update. I will mark the application as ready for review. But I personally won't approve it, since I think it's too expensive. Also, the last milestone doesn't contain a lot of information about the e2e test, and the first milestone is usually something we ask teams to do before they apply. But the rest of the committee might have a different opinion.

[keeganquigley]

Thanks for the application @aka-toxa a few notes:

• Typically an article is required for the last milestone. Would you be willing to write one?
• Milestone 3 seems expensive for tests, and normally we ask that these be included as part of the development. Would you be willing to remove milestone 3 and go for a level 2 grant for a PoC of the tool?

[aka-toxa]

@keeganquigley hey

Typically an article is required for the last milestone. Would you be willing to write one?

Yes! of course! should I add this to the application?

Milestone 3 seems expensive for tests, and normally we ask that these be included as part of the development. Would you be willing to remove milestone 3 and go for a level 2 grant for a PoC of the tool?

yes let me move tests effort across the milestones and remove rest of it

[keeganquigley]

Thanks @aka-toxa yep, you can add this into the deliverables table under as "0e. Article"

[semuelle]

Sorry for the late response, @aka-toxa.
The application currently shows 9 person-months as a total, but the milestones only sum up to 3. 15,000 and 22,000 USD for a person-month would be indeed quite expensive. Can you clarify this?

[aka-toxa]

hey @keeganquigley an article has been added

hey @semuelle I'm not sure I get your comment. To be honest I good only in technical stuff (design, code, lead teams). Let me introduce Ravi. He is the best person to discuss the costs and be on the same page with you about estimations and costs. I could do a horrible mistake there actually

[Rpp63]

Hello
@aka-toxa thanks for the intro.
@semuelle, the 9 person months (PM) is a holdover from the original proposal. The current number of 3.5 PM (Milestone1 - 1 PM, Milestone2 - 1PM, Milestone3 - 1.5PM). We will make the changes.

As for the proposed budget, the current $15k/PM (~$95/hr) is the average between Smart contract engineer ($100/hr) and Full Stack dev ($85/hr). These rates are standard for MP, because

For the purpose of this project, we can forgo most of our margin and go with $80/hr which would bring the project budget to $45,000.

Let me know if this works and Ill update the proposal

[Rpp63]

@semuelle how would you like us to proceed?

[takahser]

@Rpp63 thanks for the update, I think that addresses @semuelle's concerns regarding the inconsistencies in the in-person months, though I'm not sure if writing an article would take 0.5 months for a fulltime employee. Anyway, it seems like the price you're planning to charge for 1 person-month is still USD 15k. Personally, I share the general sentiment already expressed by other W3F grant members here and I think that charging USD 52k for the given scope is too expensive. Hence, I'm not going to approve it neither in it's current state.

[Rpp63]

Hello @takahser
The 0.5 months added was a correction to the clerical error (Milestone 3 should have been 1.5 months, but the application said 1 month) we had made in the initial submission, not to account for the article. No additional time, or funding, was added for the article. We can do it inhouse without any change to the requested funding.
As for the price per engineer, I have offered updated pricing, considering the current market, which would bring the grant amount down $45,000 (~ $7k less that the last quote), if we remove all our margin we can further decrease price to $42,000. Beyond this we can reduce scope, but we're likely to reach a point of diminishing returns soon after.

[Rpp63]

@semuelle @takahser @Noc2
Just want to touch base to see if the updated budget ($42,000) is worth exploring for you guys, so we could make a decision on this application, one way or another.

Cheers

[keeganquigley]

Hi @Rpp63

• From what I am seeing, the budget still says $52,000 in the application.
• A CLI is mentioned in the documentation deliverables, but not as a deliverable. Is a CLI tool going to be built?
• It's not clear how many smart contracts you will be creating. Can you elaborate?
• I know that it will be mostly tech-savvy people that use the app but would still be nice to see a front-end in Future Plans.

[Noc2]

Just to add, reducing the price and maybe adding more technical details certainly helps with the application. Regarding the price, in general, it might make sense to bring it down to 30k for the initial grant. This way, you only need three instead of five approvals.

[Noc2]

Thanks for all the work you put into this application. However, I'm sorry to tell you that the grants committee decided to go ahead with #1726 in the meantime and not support your project. Therefore, I'm closing this application. Feel free to apply for another grant, and let me know in case you have any questions.