‘Orange Hats’: Clarity WG Funded with $1M to Onboard New Security Resources for Builders
Hassan Baig
June 4, 2024
Hey everyone. I’m excited to share something we’ve cooked up with the Clarity WG.
For those of you I haven’t had a chance to meet yet, I am the lead at BitcoinL2 Labs. For almost a year, Bitcoin L2 Labs has been a core contributor to the Stacks ecosystem, with our primary focus to date having been Nakamoto. Our commitment to core development will remain a staple of our operations going forward, but as the ecosystem grows, we’re excited to share that we have allocated $1m in funding to the Clarity WG to offer expanded security resources to builders.
Thanks to layers like Stacks, Bitcoin DeFi is growing. This also means the attack surface area is growing along with the things builders need to keep track of to keep themselves and their users safe. We want to support founders who are pioneering this space. After all, security is one of the fundamental value propositions of building on Bitcoin. We’re excited to build upon what others have started in the ecosystem to bring founders even more resources to leverage as they build unique experiences for Bitcoiners.
The initial $1m in funding is intended to allow the Clarity WG to bring new tools and services online that enhance security at the application layer. In addition, we will collaborate to identify and educate vendors, whitehat hackers, and other security-minded talent that builders can work with and benefit from. Led by Setzeus, the Clarity Working Group, along with members of the Stacks DeFi Working Group, has already been moving fast, with initial whitehats under contract and a Stacks integration with Hypernative in the works.
Aligning security resources: The Clarity WG will liaise with the community to set resourcing and tooling priorities and to train and vet security experts on Stacks and Clarity. The Clarity WG is an established group in the ecosystem that has been playing a major role in core development. It consists of many of the top Clarity developers in the Stacks ecosystem. Members of the Stacks DeFi Working Group have also been extremely helpful in identifying high-impact places to invest and will remain a key voice in how these funds are deployed.
In addition to the immediate work with Whitehats and Hypernative, the Working Groups have put together an initial 90-day plan that includes:
Continued development of open-source smart contract testing tools such as a Clarity Fuzzer
Vetting/testing/due diligence and budget for potential partnerships or integrations that would benefit builders in the ecosystem from a security perspective
An open set of shared security resources for builders with commonly caught issues so that new founders can leverage the lessons of previous builders more readily.
Why whitehats? We’ve observed that the whitehat approach is working well on the core development side and want to ensure founders are applying this resource to their Clarity contracts and application designs as well. Secure base layers need to be complemented by secure code and protocols atop those layers!
We believe a multi-faceted approach that is not overly dependent on any one aspect of application security - such as audits, the developers themselves, bug bounty programs, or test coverage - is the best way to reduce risk as this sector continues to grow. We believe supplementing everything founders need to do on their own with an accessible whitehat resource like this is a clear way to bolster the ecosystem.
How it helps founders: If you’re a builder, this may already be obvious, but it’s worth outlining the ways we hope this effort directly helps the teams bringing us these amazing new experiences:
Even more eyes on code!
The benefit of whitehats whose experience is not limited to attacking code vulnerabilities, but extends to spotting exploitable holes in the design of the system. With the Clarity smart contract language preventing many typical code-level exploits, these contract/app design issues are the ones that have primarily impacted Stacks teams.
Added adversarial, real-world components to the layers of testing builders can readily access.
Reduction in cost of bug bounties paid out by founders.
Reduction in reliance on auditors to catch issues.
More shared information so hard lessons only need to be learned once!
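As an illustration of the "design holes rather than code bugs" point above, here is a constructed Clarity example (added here, not code from the Clarity WG or any Stacks project). It shows a well-known class of design mistake the language does not prevent: authorizing a debit on `tx-sender` (the transaction origin) instead of checking `contract-caller` (the immediate caller). A user who interacts with a malicious intermediary contract for some unrelated reason still has `tx-sender` set to themselves when that intermediary forwards a call into the vault, so the intermediary can move the user's balance. The contract name, map, error codes and function names are all hypothetical.

```clarity
;; Constructed example: a minimal STX vault with per-principal balances.
;; Contract name, map, error codes and function names are hypothetical.
(define-map balances principal uint)

(define-constant ERR-INSUFFICIENT (err u100))
(define-constant ERR-NOT-DIRECT-CALL (err u101))

(define-read-only (get-balance (who principal))
  (default-to u0 (map-get? balances who)))

;; Deposit STX from the transaction origin into the contract's own account.
(define-public (deposit (amount uint))
  (begin
    (try! (stx-transfer? amount tx-sender (as-contract tx-sender)))
    (map-set balances tx-sender (+ (get-balance tx-sender) amount))
    (ok true)))

;; WEAK DESIGN: authorization rests on tx-sender alone.
;; If a victim calls some other contract which then does
;;   (contract-call? .vault transfer-balance-weak ATTACKER amount)
;; tx-sender is still the victim, so the victim's balance is debited
;; even though the victim never called this contract directly.
(define-public (transfer-balance-weak (to principal) (amount uint))
  (let ((from-bal (get-balance tx-sender)))
    (asserts! (>= from-bal amount) ERR-INSUFFICIENT)
    (map-set balances tx-sender (- from-bal amount))
    (map-set balances to (+ (get-balance to) amount))
    (ok true)))

;; HARDENED DESIGN: refuse calls routed through another contract.
;; contract-caller is the immediate caller; when it differs from
;; tx-sender, some contract sits between the user and this function.
(define-public (transfer-balance (to principal) (amount uint))
  (let ((from-bal (get-balance tx-sender)))
    (asserts! (is-eq tx-sender contract-caller) ERR-NOT-DIRECT-CALL)
    (asserts! (>= from-bal amount) ERR-INSUFFICIENT)
    (map-set balances tx-sender (- from-bal amount))
    (map-set balances to (+ (get-balance to) amount))
    (ok true)))
```

Nothing in this contract overflows, reenters, or mis-types; Clarity's checks all pass on both versions. The difference is purely a question of whose authority the contract trusts, which is exactly the kind of issue a reviewer thinking like an attacker catches and a compiler does not. The hardened variant trades away legitimate composability (other contracts can no longer call it on a user's behalf), so a team wanting that feature would instead authorize on `contract-caller` explicitly and document the trust model.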
Next steps and resources:
Setzeus from the Clarity Working Group is already onboarding whitehats suggested and vetted by builders. They will go through a real-world training exercise by performing audits on notable apps in the ecosystem, which will serve as a baseline for their learning.
Partnership conversations to integrate security-focused tools and services with Stacks/Clarity are underway.
Get in touch with Setzeus via the Clarity WG if you’d like to offer feedback, or be involved with these efforts.