Proposal Overview
The ink! smart contract programming language is becoming increasingly popular among developers within the Polkadot community for its simplified syntax and efficient deployment, utilizing the contracts pallet. Previous audits in 2022 and 2023 commissioned by Parity Technologies and executed by SRLabs have focused on auditing ink! 4.0 and the contracts pallet. It is important to note that, at the time of this previous audit, there was a limited number of real-life contracts with complex logic utilizing ink!
This proposal enables a comprehensive audit of the ink! 5.0 smart contract language and implementation to identify new vulnerabilities and point out potential areas of improvement in its codebase. On top of the codebase changes since the latest review, the auditors will conduct a deep dive on the ink! storage layer and XCM integration. By joining forces with the Parity Security team to ensure that relevant real-life contracts and all major stakeholder expectations are considered, we will enhance the security and reliability of ink! smart contracts and ultimately contribute to the growth and adoption of this innovative programming language within the Polkadot ecosystem.
Deliverables
- Comprehensive audit report. The project report deliverable will be made available to the public, after the main findings have been fixed, to document the results of the ink! 5.0 audit. This enables the ink! developer community to benefit from the audit findings and recommendations.
- Ecosystem blogpost. From the audit findings, a dedicated blogpost will be compiled and shared on the Polkadot forum to help ink! developers incorporate security considerations into their codebase, ultimately improving the overall security and reliability of smart contracts developed using the ink! programming language. By making this information accessible to the community, we aim to foster collaboration and contribute to the continued development and enhancement of the ink! ecosystem.
- Responsible disclosures. Additionally, the open-source ink! contracts that were selected as examples to aid the audit process will further benefit from responsible vulnerability disclosures from the auditors in case any bugs are discovered in their codebase during the audit.
Engage with Us
- Read the Full Proposal: For a detailed understanding of the context of this proposal, the audit workstreams and division of responsibilities, read our full proposal
- Learn About Parity Security: Fostering security awareness, prioritisation of mitigation efforts and vulnerability disclosures, Parity Security is pivotal in keeping the polkadot-sdk codebase and the ecosystem as a whole secure. Discover more of their work on the Polkadot forum
- Learn About SRLabs: Security Research Labs is a cybersecurity consultancy committed to making the world more secure. Discover more about them on their website
We Appreciate Your Feedback
How can we improve our proposal? Which ink! contracts do you believe are most used in the ink! ecosystem that could benefit from our audit? Your input will help us refine our approach to better serve the Polkadot community. Thank you.