We have taken the community feedback from our earlier proposal for a lightweight web wallet, and refocused on our new proposal: a Metamask-style Chromium browser extension for Zcash.
In addition to revisions to support our new goal, @fireice_uk and I are also happy to add forum regular @mistfpga to the team. As a reverse engineer and tester, he brings a strong background in fintech testing and security to the project, and will help to ensure we deliver a secure extension to the Zcash community.
We feel that our proposal can deliver a strong foundation - sending and receiving funds - which can be built on in the future to support upcoming expansions to the Zcash protocol to ensure ongoing value to the community.
I thought I'd drop a post outlining how excited I am to have been asked to be a part of this project and what I will bring to the table.
There is a word limit on submissions, so a lot was cut; here is some more detail on the testing/security stuff.
Before we start I want to make one correction. As far as I am concerned we will be paying for 3rd parties to review the code and application for security issues.
It is not an audit. It is a 3rd party security and test review performed by domain specialists. This is a clerical error in the application.
I imagine we will engage with two companies to complete this work, dependent on pricing and skillset. More detail on selection criteria, timescales, etc. to follow.
Please feel free to ask any questions in regard to my abilities or experience in these areas, or just in general. I come from a testing background. I am happy to provide real world evidence, references and identification to the MGRC to back up any public claims I make. I would like to act under a pseudonym in general though.
I would take responsibility in these areas (along with the team; it's just that I can do this stuff and your time is better spent elsewhere. I still have my Perl web testing stuff, so I would run that in tandem with Selenium).
In no real order.
* Reviewing security design of current competitors.
* Advising and reviewing security design of current software.
* Runtime analysis reviews of the code, where applicable.
* Testplans, basic outlines of feature integration.
* Setting up and installing web automation unit test cases (Selenium).
* Running automated Perl-based test scripts.
* Development of security checklist.
* Writing bug reports, unit tests, regression testing, etc.
* Manual testing and development of unit tests based on OWASP guidelines.
* Manual review of OWASP best practices.
* Development of a release procedure.
* Review and advise on security of hosting and hosting companies.
* Find and liaise with 3rd party companies for two security reviews:
  - network and server-side
  - network and client-side
* Internal milestone reviews and admin.
* We will want to set internal milestones; I can keep on top of this.
* Internal documentation, wiki stuff, etc.
Please ask questions or add suggestions. I am currently in the middle of a mail server migration and it's mostly working. It could be a day or two before it is back, so please use the forums to contact me.
@ZOMG discussed this grant at our previous meeting and had some comments. First, we all like this proposal a lot. The following questions are not show stoppers and are for due diligence.
Your grant includes “100 hours of $100/hr consulting fees to compensate ECC and ZF members who assist the team with technical guidance during the project”. Do you have someone in mind who is volunteering to do that outside of their regular working hours at ZF/ECC?
@mistfpga thank you for your detailed answer on your role in the project. I’m excited that you are bringing your expertise to the table. We want to better understand why the team has chosen not to do an audit and what value that adds and subtracts from this proposal. Please edit the proposal on the https://grants.zfnd.org/ website to reflect that an audit will not be performed if that is what is finally decided.
Thank you for reviewing our proposal - we’re very happy that there is a positive view of the proposal in your initial meeting.
I’ve updated the language in our proposal to remove the language relating to an audit and replace it with the more accurate description “3rd party security and test review performed by domain specialists”.
Let me review your points with the team so that we can fully address each of them.
In regard to point 1, I’ve updated the language in the proposal from “ECC and ZF members” to “qualified domain knowledge experts”, which I think is more accurate.
To answer your question, the team does not currently have anyone specific in mind, but we wanted to make sure that we had some money set aside in the budget so that anyone we did reach out to for specific points of expertise could be fairly compensated.
In fintech, audit has a very specific legal meaning. In fact, in most areas it does.
If I have an official financial audit, there could be legal consequences for all involved, including myself and the auditors.
I do not believe we will be able to take this responsibility, nor find a company that will do the same.
Sure, I have submitted hardware/software for FIPS audits as well as doing PKI and FIPS audit work myself. This is more a semantic argument I think.
Audit also has an informal meaning “to scrutinise”. I am happy if people use it in the second way.
(An example in cryptography is “Broken” - if a crypto scheme is broken, then that is an actual thing)
The “audit” standard set in the crypto industry is not the same as the rest of the world. I am not knocking Trail of Bits here; they are strong cryptographers and engineers.
There are only two places the word audit appears, and none are under Trail of Bits' control. Their language uses the terms “assess and review”.
Notice they don't ever call it an audit.
What specific audits are you thinking of? FIPS? PKI? MITRE have a good list of stuff here - Audit - attackics
As a rule we will be using CHECK and CREST approved companies (however some domain experts may not have these qualifications but do have the required specialist knowledge)
Where things get slightly fuzzy would be with a “code audit”. That is possible; so is a “network audit”. But what we will actually get will not be an audit but a review, and an audit would make the coders' time unmanageable. Is using 5 spaces to indent rather than a tab really a security failure that means a rewrite?
If you or anyone else thinks I'm missing the mark/point here, I am happy to change my mind.
To make sure this is as secure as we can make it, we want to engage with the right people with the right skillsets.
I agree, Audit can be a spectrum of meanings from a simple code review to a full test bed. We are not really experts in this area so it’s not realistic for us to dictate what methods are precisely used. Similar to the cold wallet, we are actually still working on getting that audit completed and are consulting people from ECC and ZF to define scope.
The important thing is that a respectable firm does work to ensure that the code doesn’t have gaping holes that will compromise a user's funds or privacy. ZOMG can only do due diligence for projects we fund but can’t be expected to hold any guarantees that there won’t be bugs.
As for the second point, I did speak with @fireice_uk and since @adityapk00 is familiar with making a Zcash web-wallet and WASM he would probably be a logical person to consult if you run into technical questions. Have you asked if he would be interested in paid consulting?
Something to keep in mind is that ZIP-1014 prevents ZOMG from granting any funds to ECC, Bootstrap, or ZF. Having said that, I don’t see anything in ZIP-1014 preventing grantees from spending their funds as they need to help understand Zcash's unique complexity. So I personally don’t think it would be an issue if a dev from either organization did consulting work on their own time, keeping in mind that many are very nice and willing to answer questions for free.
I agree, this is the goal. It is not going to be random companies off Fiverr, but respected industry experts: companies like NCC or Portcullis or similar, rather than MITRE or Thales, although I will speak with them.
If you look at the bottom of the Portcullis homepage you will see how heavily accredited they are; this is the standard of company we will be using. The ZOMG vet them too, or at least vet my due diligence on the company/candidate selection pool. I am sensitive to the amount of time you have for the ZOMG, so detailed reasoning will be provided.
I would also like to engage with specialists who have performed cryptocurrency security before.
A detailed plan of what will be reviewed and tested will be part of the milestones (as I see it). Maybe @zebambam and @earthrise could chip in with their opinion of this review vs. audit strategy. I am not sure how often they check the forums though, so it might be best to send them a message out of band.
I am very interested in hearing what the results of this are. I can work with audits; it's just that timescales and costs may change if we deviate too far from what has been proposed (zebambam has posted elsewhere that actual NCC audits the ECC have paid for have cost upwards of $100k). But I know code audits can be in the range of $35k.
Any info on who is going to do the audit and what standards they are auditing against would be greatly appreciated.
We just wanted to quickly follow up - please let me know if there are any outstanding questions we can address about our proposal. Looking ahead, if there is any visibility I could share with the team around remaining steps needed to be taken for a decision on the proposal, that would be very helpful.
I just joined here and I’d like to offer UX design support for your work.
I’ve been following for a while the Zcash related work in the community and I find this specific work that you’re planning on to be of critical importance. This is why I finally decided to raise a hand and offer help.
I’ve been working in enterprise-level UX fintech with major US banks in recent years (Everbank, TIAA Bank, TD Bank, Moody’s Analytics, Citizens), providing UX support for many projects and helping product and dev teams bridge the gap with UX design (strategy, research, visualization, design, prototyping, testing and dev support).
I believe you’ll need some of that, so I’m open to jump on a call and share my portfolio.
Thanks, @Shawn. I’ve been following the crypto scene in the Boston area, also attended the Boston Zcash meetup where I met Madars, Holmes (Zbay) and other neighbors, and I’ve been exploring the usability of Zcash for online payments. So I scanned the forum and this project grant caught my attention, because I believe there should be urgent development in this direction and I don’t want to see Zcash falling much behind on that front.
As for help with UX, I’m open to helping at any level, as there’s so much that could get done or done better to support development. Please let me know which other teams may need UX air cover and we may connect and move things forward sooner.
Congrats on the funding! I’m really looking forward to seeing this extension in action. I’ve been wanting this for a while now. We can definitely help promote the project on Zeme Team once it is ready.