[SEP #13] [OBRA] Module Publishing, Audit Attestation Platform and Marketplace - ZenGuard

This proposal was previously posted in Phase 0 discussion: [Discussion] [OBRA] Module Publishing, Audit Attestation Platform and Marketplace - ZenGuard

Aligned strategy:

Strategy 2: Foster Module Ecosystem

Funding request:

60,000 USDC, streamed over 15 weeks

Relation to budget:

20%

Abstract:

Safe Accounts have been modular long before any of the modular smart account standards were proposed. Safe has done tremendous work to promote modular smart accounts by enabling features such as Spend limits and Recovery on the Safe Wallet. We believe this is just the tip of the iceberg. To foster modular Safe Accounts and encourage more developers to build secure and usable modules that can be trusted, we propose a platform built on the Safe{Core} Protocol that allows developers to build and publish modules, streamlining the development process and risk assessment via on-chain audit verification. Additionally, it provides a Module marketplace for users to easily explore and enable these modules. This initiative’s overall vision is to bring developers to build diverse modules that can be audited and provide on-chain security verification so that all kinds of Safe Account users can enhance their account features securely.


Metrics and KPIs:

We can use the below KPIs to measure the outcome:


Initiative description:

ZenGuard proposes to foster the module ecosystem of Safe by standardizing developer publishing, module verification, and module enabling, upgrading experiences via a platform built on top of the Safe{Core} Protocol.

To foster and grow the module ecosystem of Safe, module developers, module auditors, and users are all important stakeholders. Without the right balance of these stakeholders, it would be hard to achieve the modular smart account utopia.

At ZenGuard, we are working on exactly this by providing a dashboard for developers to publish developed modules after their verification. The dashboard will also onboard auditors to audit the modules and provide on-chain security attestation to verify the module while being enabled by the Safe user.

ZenGuard will also provide a module explorer Safe App that lists and allows Safe users to securely enable, disable, or upgrade their modules onto their Safe accounts. As part of auditor onboarding, we will be partnering with a few well-known auditors. We are already in talks with a few to get initial feedback. As part of onboarding the developers, we target existing Safe module devs through hackathons, community, and grants. We are also well-connected with a few universities where we intend to spread awareness, training, and onboarding through workshops to get quality devs.

The mission of the initiative is to onboard devs and auditors to collectively build a secure and diverse module ecosystem and to build much-needed modules for the Safe users. The list we intend to cover includes, but is not limited to: https://notes.zenguard.xyz/module-research.

We also intend to work on an SDK that extends Safe{Core} SDKs and allows third-party auditors and developers to seamlessly integrate and automate the functionality pointed out earlier, and also allows other Safe-enabled wallet providers to extend the secure module functionality.


Current status:

We developed the MVP of the platform as a part of Safe Grants Program Wave 1 with a small grant spanning 2 months. Here is a brief of the milestones and tasks achieved: https://notes.zenguard.xyz/sgp

We successfully built the developer and auditor dashboard to securely verify and onboard them and allow them to publish and attest the modules. We leverage technologies/standards such as Gitcoin Passport and EAS, along with the Safe{Core} Protocol registry and EIP-7512 specs, to make the platform much more secure and Sybil-resistant.

A few links of the works:

We also onboarded Safe account users to enable the modules through Safe App explorer.

To ensure that we onboard the much-needed modules during the initial phase, we even conducted a survey (https://survey.zenguard.xyz) to verify the claims. Post that, we internally developed a few modules including passkey recovery, whitelist hook and crypto sharing via link. The crypto sharing via links module, which was developed at ETHIndia leveraging the Safe 4337 module, ended up as a finalist. Post hackathon, it received great traction in the 4337 and Safe community, and we are working with Peanut Protocol and Pimlico on a partnership to enhance it further.

Here are a few demos of modules listed:

We have also made good progress in the initial talks with the auditors to get feedback and onboard them to the first version with QuillAudits, Secureum and a few independent auditors supporting EIP-7512.


Risks:

Secure publishing and security of the module are of the utmost priority, which is why we work with credible auditors on our platform. Still, there is always a risk involved with single audits, and this is why we are exploring secure multiple attestations adhering to the proposed EIP-7512 standard.

The Safe{Core} Protocol, on which our registry is based, is still at a nascent stage and hasn’t been audited, but our solution will evolve with more onboarding, feedback, stress testing and audits.

Timeline and milestones:

We have created milestones based on the timeline, but in no specific order, as we will be working on a few things at the same time.

Milestone: Module developers onboarding
Objective, Description and Outcome:
- Onboarding module developers to develop, build the module using the standard template and publish (~ 100 devs).
- Developing secure module templates, docs for SDK/ App to help with the entire lifecycle from development till publishing.
- Conducting workshops and hackathons at universities, dev meetups.
- Implementing initial developer incentivization feature.
Duration: 4 Weeks
Budget (USDC): 10,000

Milestone: Module auditors onboarding/ feedback/ partnerships
Objective, Description and Outcome:
- Onboarding auditors to the dashboard to enable onchain audit attestations. These are aligned with the EIP-7512.
- Developing docs for SDK/ App to help with the entire lifecycle of auditor
- Partnering with auditors (~10) to audit the first 20 modules
- Upgrading the attestation, verification features based on the feedback
Duration: 4 Weeks
Budget (USDC): 20,000

Milestone: Safe {Wallet} user adoption
Objective, Description and Outcome:
- Onboarding Safe Wallet users (~1000) through the Safe App to enable modules.
- Launching the App on the requested mainnets (We have done a survey) and updates based on feedback.
Duration: 3 Weeks
Budget (USDC): 10,000

Milestone: Third party Safe account integrations/ partnerships
Objective, Description and Outcome:
- SDK development leveraging the Safe {Core} SDK to add all the APIs for developers, auditors and Safe users for publishing, attesting, enabling etc.
- Developing docs for the SDK for any use case integration. Focussing majorly on the wallets.
- Wallet provider partnerships to leverage module API integrations directly on the wallets.
Duration: 4 Weeks
Budget (USDC): 20,000

Initiative lead:

Koshik Raj, Tech Lead at ZenGuard, who has been in the security and crypto space since 2016. Has been contributing to the wallet space since 2020, and full time to the AA and Safe ecosystem since 2022. Also the point of contact for ZenGuard at Safe Grants Program Wave 1.


Team:

ZenGuard has a lean team of 4 with full-time and part-time contributors. Team members have expertise in infrastructure, core contract development, architecture, design, frontend, partnership and community. The team has working experience at QuillAudits, Questbook, Graph Protocol, RSA Security etc. We will be adding more expert folks to the initiative based on the commitment for each phase.


Additional support/resources:

Although we are exploring the partnerships, onboarding devs and auditors through the Safe community, it’s always helpful to have leads and initial intros. We benefited from marketing support earlier from the Safe Grants, so we would love that support.

2 Likes

It was great to pitch our proposal in the governance call :smiling_face:

We have added a bit more info about the fund allocation for the requested funding in this round here: https://notes.zenguard.xyz/safe-obra

Also, leaving our presentation link from the governance call:

Initiative proposal slides

Cheers!

1 Like

Thanks for this proposal @koshik!

Your presentation in the recent call was deeply insightful. Look forward to seeing how this bolsters Safe’s module ecosystem if ratified by the community.

As a delegate with sufficient voting power, I consider this proposal ready to move to a vote.

1 Like

Thank you @koshik for this initiative, looking forward to its impact on Safe’s module ecosystem.

As a delegate with sufficient voting power, I believe this proposal is ready to move to a vote.

1 Like

Thanks for the proposal, @koshik. As a delegate with sufficient voting power, I believe this is ready for a vote!

1 Like

As a delegate with sufficient voting power, I can confirm that this is ready to move to a vote!

1 Like

As a delegate with sufficient voting power, I believe this is ready to go to vote :slight_smile:

1 Like

To find the most recent reporting updates from this initiative, please see the following June reporting sheet which details all progress, achievements, challenges, and updates for the past reporting month. You can find the June reporting sheet here.

For the full picture of OBRA progress and to see updates from other OBRA initiatives, feel free to review our monthly OBRA report for June here.

1 Like

To find the most recent reporting updates from this initiative, please see the following July reporting sheet which details all progress, achievements, challenges, and updates for the past reporting month. You can find the July reporting sheet here.

For the full picture of OBRA progress and to see updates from other OBRA initiatives, feel free to review our monthly OBRA report for July here.

1 Like

To find the most recent reporting updates from this initiative, please see the following August reporting sheet which details all progress, achievements, challenges, and updates for the past reporting month. You can find the August reporting sheet here.

For the full picture of OBRA progress and to see updates from other OBRA initiatives, feel free to review our monthly OBRA report for August here.

1 Like