[Posted on Developer DAO Board](https://near.social/#/devgovgigs.near/widget/Post?id=619)

## Solution: Automatic Analyzer for NEAR

### Summary

Design and implementation of an assisted tool to detect common security issues, enhancements, and deviations from best practices in NEAR smart contracts. This tool will help developers write secure and more robust smart contracts on the NEAR protocol.

### Background

We are a research and development company specialized in Web3, with a strong background in cybersecurity. Founded in 2014, we have worked on over 180 blockchain-related projects, EVM-based and also for Solana, Algorand, and Polkadot. Beyond development, we offer security audits through a dedicated in-house team of senior cybersecurity specialists, currently working on code in Solidity, Clarity, Rust and TEAL.

### Previous Research on NEAR

In August 2022, CoinFabrik successfully completed research work to define the strategy and scope of work to build a static analysis tool for detecting security issues in NEAR smart contracts. This work was requested by the Pagoda Team (Jim Berry, John Smith, and Arthur Lender) and lasted 5 weeks. During that time, our team was able to assess the NEAR technology stack, identify how security issues are introduced in smart contracts, recreate some of them, and experiment with a number of tools as potential candidates to build upon. That research also identified possible lanes for further research and effective development of a tool.

We are requesting this grant to be able to build such a tool, an open-source tool for the NEAR Protocol. The goal of this tool is to identify bugs that could lead to security vulnerabilities, but also to provide advice to developers on how to avoid them in the future.

### Milestones

We plan to develop this tool through a series of milestones, which we specify below.

We are already bringing to the process:

- A curated list of vulnerability classes, best practices, and enhancements related to NEAR smart contracts. In each case, the issue is paired with smart contracts implementing the vulnerability/best-practice deviation.
- A list of smart contracts including failed cross-contract calls, e.g., implementing the examples in our prior research.
- Implementation of a tool that detects the mentioned issues, particularly the cases included in the above examples and snippets.

**Milestone 1: Prototype**

Estimated duration: 6 weeks

Costs: USD 45,000

- Research: Curated list of code examples and snippets of vulnerabilities, best practices and enhancements related to NEAR smart contracts.
- Research: List of smart contracts implementing failed cross-contract calls.
- Development: Prototype detection-tool design and implementation. Command line interface for the prototype. VSCode integration for Dylint-based linters for the prototype.
- Testing: Integration testing. Specific tests for every linting detector based on code examples and snippets of smart contracts.
- Evaluation: Prototype validation against a selection of projects deployed on testnet or mainnet in order to evaluate detector precision. Evaluation report and detector improvement. Documentation of the prototype, detectors and associated vulnerability list.

**Milestone 2: Beta release & Feedback**

Estimated duration: 6 weeks

Costs: USD 45,000

- Development: product-quality tool based on the prototype.
- Public release of the Beta tool on GitHub, along with documentation and a public online event introducing the tool to the community.
- Open communication channels to receive community feedback for a period of 3 months.
- Deploy an online automated service, available for a period of 3 months, that receives smart contract source code and delivers a report of the analysis performed by the tool.