ink! 5.0 Codebase Security Audit

Proposal Overview

The ink! smart contract programming language is becoming increasingly popular among developers within the Polkadot community for its simplified syntax and efficient deployment, utilizing the contracts pallet. Previous audits in 2022 and 2023 commissioned by Parity Technologies and executed by SRLabs have focused on auditing ink! 4.0 and the contracts pallet. Important to note that at the time of this previous audit, there was a limited number of real-life contracts with complex logic utilizing ink!

This proposal enables a comprehensive audit of the ink! 5.0 smart contract language and implementation to identify new vulnerabilities and point out potential areas of improvement in its codebase. On top of the codebase changes since the latest review, the auditors will conduct a deep dive on the ink! storage layer and XCM integration. By joining forces with the Parity Security team to ensure that relevant real-life contracts and all major stakeholder expectations are considered, we will enhance the security and reliability of ink! smart contracts and ultimately contribute to the growth and adoption of this innovative programming language within the Polkadot ecosystem.

Deliverables

Comprehensive audit report. The project report deliverable will be made available to the public, after the main findings have been fixed, to document the results of the ink! 5.0 audit. This enables the ink! developer community to benefit from the audit findings and recommendations.
Ecosystem blogpost. From the audit findings, a dedicated blogpost will be compiled and shared on the Polkadot forum help ink! developers to incorporate security considerations into their codebase, ultimately improving the overall security and reliability of smart contracts developed using the ink! programming language. By making this information accessible to the community, we aim to foster collaboration and contribute to the continued development and enhancement of the ink! ecosystem.
Responsible disclosures. Additionally, the open-source ink! contracts that were selected as examples to aid the audit process will further benefit from responsible vulnerability disclosures from the auditors in case any bugs are discovered in their codebase during the audit.

Engage with Us

Read the Full Proposal: For a detailed understanding of the context of this proposal, the audit workstreams and division of responsibilities, read our full proposal
Learn About Parity Security: Fostering security awareness, prioritisation of mitigation efforts and vulnerability disclosures, Parity Security is pivotal in keeping the polkadot-sdk codebase and the ecosystem as a whole secure. Discover more of their work on the Polkadot forum
Learn About SRLabs: Security Research Labs is a cybersecurity consultancy committed to making the world more secure. Discover more about them on their website

We Appreciate Your Feedback

How can we improve our proposal? Which ink! contracts do you believe are most used in the ink! ecosystem that could benefit from our audit? Your input will help us refine our approach to better serve the Polkadot community. Thank you.

The ink! smart contract programming language is popular for its easy use and effective deployment in the Polkadot community.
Audits for ink! were done in 2022 and 2023 to check for issues, but fewer complex contracts were tested back then.
This proposal aims to audit ink! 5.0 to find new problems and improve the code.
Auditors will look closely at the storage layer and how ink! works with XCM.
A comprehensive report will be shared with the public after fixing major findings to help other developers.
A blogpost will summarize the audit results and suggest ways to improve security in the ink! programming language.
If any bugs are found in sample contracts, the auditors will let the community know responsibly.