• © Goverland Inc. 2026
MMG Committee, proposed by 0xa34FbC6bB017cd320833d74547fC639ECf39C12b (thisisthetruth.lens)

Committee Grant #014 - Snapper - A Snaps Security Tool by Sayfer

Voting ended over 1 year ago. Result: Succeeded

Funding Request $150,000

Project Name Snapper - A Snaps Security Tool by Sayfer

Project Category Snaps Security

Champion(s) Christian Montoya

Project Description

This proposal outlines the development of our security tool, Snapper, designed to review Metamask Snap codebases. Snapper aims to improve the overall security and reliability of Metamask Snaps by identifying vulnerabilities, potential issues, and ensuring best coding practices.

We hope that by creating Snapper, developers will be able to integrate built-in security into their CI/CD and make the development and upgrade processes much more secure. We believe this is a crucial step towards the long-term vision of permissionless Snap distribution, ensuring security and responsibility from developers without the need for centralized intervention while reducing the cost of 3rd party audits.

Project Goals

Snapper makes Snaps more reliable by identifying vulnerabilities, helping developers follow best practices, and making debugging easier. Snapper can be used during Snap development and, above all, during Snap updates, to ensure that each new version keeps the same code quality and security as the version it replaces.

We have three goals for Snapper:

  • Create an infrastructure for static testing of Snap codebases.
  • Automate the security review of Snap codebases in a CI/CD environment.
  • Facilitate a secure process for testing a Snap before releasing or updating a version.

Target Milestones

  • Stage 1

    • Research

      • Analyzing Metamask Snap vulnerability patterns: We will conduct an extensive analysis of prior attacks and vulnerabilities discovered in Snaps to identify common vulnerabilities.
      • Designing Detection Algorithms: Based on the vulnerability patterns, we will design fingerprints capable of detecting those vulnerable code sections.
      • Define technical and product OKRs
      • Understand how the end user is going to use it, to make sure we are building something that the user wants.
    • Core & MVP

      • Build all the infrastructure code to support a CLI interface
      • Development of 5 modules of the list [Snaps Common Vulnerabilities above]
      • Start using it in our internal audit - dogfooding
      • Basic documentation
      • Implement a chosen output format
      • Unit testing
  • Stage 2

    • Alpha Release

      • Feature updates following feedback from dogfooding audits
      • Development of the missing additional modules of the list
      • Improve unit tests to have a high coverage rate
      • Improve documentation
      • User experience review
      • Alpha release and feedback collection
    • Beta Release

      • Clean up the last feature requests and bug fixes
      • QA testing
      • Beta release before starting marketing
  • Stage 3

    • Final Release

      • Contribution guide
      • Issue policies
      • Pull request bots to keep up the high test coverage
      • GitHub security bot
      • Marketing
    • One Year Support

      • Supporting new features of Metamask

Timeline / Path to Production

Stage 1 - Research, Core and MVP development - 2 months. After this stage there is an initial working MVP.
Stage 2 - Alpha and Beta releases - 1.5 months.
Stage 3 - Final release and one year of support - 12 months of support.

About Team

The project will be handled by the Sayfer team. Sayfer is a leading cyber security company for Web3 projects, founded 5 years ago. We help Web3 companies protect their most valuable assets from all angles, from vulnerable smart contracts to web applications, and help mitigate exploits against the project's website. We mostly work with cryptocurrency-related projects that have complex smart contracts and off-chain integrations. We work with various technologies, including tokens, exchanges, decentralized lending protocols, bridges, NFTs, and more.

We have already worked with big names like Binance, Metamask (Official Snap Auditor), 1inch, Polkadot, and Starkware and managed to use our unique perspective to make their products safer than before.

We have not raised any capital as a company or for this project yet.

Or D., CTO - With over ten years of experience in server development and IT and more than five years in the cyber security industry, Or will lead the project and make sure every aspect of the platform is tested. One of his more interesting findings (which we can publicly disclose) was the Badreveal exploit, which affected 10% of all EVM NFT projects. The vulnerability enables attackers to learn which NFT is the rarest before the project's reveal, giving an attacker an unfair advantage over other investors in buying the rarest and most expensive piece.

Avigdor Sason Cohen, Web3 Senior Security Developer - Avigdor is a dedicated security researcher at Sayfer. With a passion for cybersecurity and blockchain, his primary mission is to fortify web3 protocols, making them accessible and secure for broader adoption. Drawing on his engineering background, Avigdor thrives on intricate systems and challenges, and has performed multiple Snap audits. In his 5 years of experience he has conducted dozens of audits as part of his work at Sayfer, and has carried out several long-running research projects on DeFi security. He holds a BSc in Mathematical and Physical Engineering and an MSc in Cybersecurity from the ESILV Paris engineering school.

Roman Böhringer, Lead Blockchain Researcher - Roman is a security researcher and developer with 6 years of blockchain experience. Since joining the blockchain space, he has done over 40 audits as part of his work at Sayfer and his previous work at Oak Security. He works with Solidity (various chains/ecosystems), Rust (CosmWasm, NEAR, and desktop apps), JavaScript/TypeScript (Snaps), Dart (mobile apps), and Vyper (various chains).

Funding Request

$150,000

What specific software license does the grantee intend to publish under?

GPLv2

Off-Chain Vote

Yes, fund Snapper: 5 ETH (100%)
No, do not fund Snapper: 0 ETH (0%)

Timeline

Jun 26, 2024Proposal created
Jun 26, 2024Proposal vote started
Jul 02, 2024Proposal vote ended
Oct 11, 2024Proposal updated