A report shared by digital asset firm Coinbase (NASDAQ: COIN) had provided the latest updates on what WEFUZZ, the Coinbase Crypto Community Fund grant recipient, has been working on during the first part of their year-long Crypto development grant.
This update covers their ongoing work on “a decentralized, crowdsourced security audit and bug bounty solution.”
WEFUZZ, the Coinbase Crypto Community Fund grant recipient, explains that they are focused on implementing “a fully decentralized, crowdsourced security audit and bug bounty solution: a set of smart contracts that allow developers and companies to get their smart contracts, blockchains, websites, etc., audited by the auditors and hackers community.”
With these efforts, WEFUZZ intends to become the *Hacker DAO.”
As noted in the update posted by Coinbase, crowdsourcing is “a sourcing model in which individuals or organizations obtain goods or services — including ideas, voting, micro-tasks etc., from a large, relatively open, and rapidly evolving group of participants.” Firms such as Uber, Gitcoin and GoJek use this particular model.
As noted in the update, crowdsourcing model provides enhanced costs, speed, quality, flexibility, scalability, and diversity.
As mentioned in a blog post, the traditional crowdsourcing system “consists mainly of three roles: requesters, workers (auditors in our case), and a centralized system.” Requesters submit tasks to be completed via the crowdsourcing system. A set of auditors “complete this task and submit solutions to the crowdsourcing system.”
The update also mentioned that requesters will then “select a proper solution (usually the first or the best one that solves the task) and reward the corresponding worker.”
As explained in the blog post, this makes centralized systems “vulnerable.” User’s sensitive information (e.g. name, email address etc.,) and vulnerability reports are “saved in the database of these centralized systems, which has the inherent risk of privacy disclosure and data loss.”
The report also noted that centralized choke points are “not only attack vectors for leaks and hacks, but also for outages.” Crowdsourcing firms are quite eager to maximize their benefits and require requesters “paying for services, which in turn increase user’s costs. Most crowdsourcing systems demand a 10–25% service fee.”
As noted in the update:
“All these issues add up to the already existing concerns of smart contract and multi-chains owners and developers (the audit requesters), freelance auditors’ and ethical hackers’ concerns.”
As explained in the blog post, this approach is for “ensuring their assets are safe from cyber theft, data hacks or any other risk that can result in a loss of funds and compromised data.”
Being able to get audits done in a cost-effective way — “be it private or public security audits” is an important task. Also making sure the smart contracts are audited by “multiple auditors” is a good strategy, the update explained.
To be clear, hackers “do not want to share sensitive personal data” and both hackers and auditors and developers “need complete transparency.”
As mentioned in the update, WEFUZZ is “a fully decentralized, crowdsourced audit and bug bounty platform aiming to be the Hacker DAO.” WEFUZZ aims “to provide reliability, fairness, security and low service fees by design.”
As explained in in the update:
“The decentralized platform has many advantages such as higher user security, service availability, and lower costs. Smart contracts running on a chosen blockchain are used to perform the whole process of crowdsourcing tasks which contains posting audit and bounty campaigns, submitting audit and bug reports, bounty assignment, etc.”
Some other features/benefits have been shared below:
- Data Security: Reports are all “encrypted with auditors’ and target developers’ public key, so that the bug reports only gets read by who it is intended for.” Files are “encrypted and stored on the decentralized network storage.” No more data breaches, hacks, password leaks or any other risk “affecting existing cloud based audit and bug bounty platforms.”
- Cost Effectiveness: Allowing smart contract developers, multi-chain developers, and companies “to get audits performed in a cost-effective way directly by the auditors and hacker crowd on the WEFUZZ platform.” This helps the developers and companies “avoid huge fees and congestion issues affecting the traditional bug bounty platforms.”
- Flexible anonymity: Auditors and hackers can “choose to remain anonymous while submitting reports, protecting their privacy, and still getting paid.”
- Communication Security: No centralized data storage, complete anonymity, no data transfers, no moderators and complete end-to-end encryption. All the data “resides encrypted on the Solana blockchain and all the files reside on the IPFS blockchain.”
Persona
- Audit Requestors: Developers, companies or any individual “can request audits or start a private/public bug bounty campaign.”
- Auditors: Auditors can be anyone from ethical hackers “to audit firms who can perform the requested audits or participate in bug bounty campaigns.”
- Judges: Judges are community members who are either “elected by the community or have been raised to the Judge category through reputation.”
At present, they are focused on the conceptualization, technical architecture, and system design of WEFUZZ, in addition to building out their MVP on Solana and Polygon blockchains, and “testing the optimal chain for our project.”
As confirmed by the company, Coinbase is “seeking applications for their 2022 developer grants focused on blockchain developers who contribute directly to a blockchain codebase, or researchers producing white papers.”