The problem 🐢 TurtleShell solves

$500M have been lost so far by audited DeFi Protocols - (Source: rekt.news)

Smart Contract Security is a highly relevant concern for the entire ecosystem. The lack of proper on-chain security is throwing back the entire ecosystem in terms of mass-adoption and trust.

Web3 today lacks programable and composable Smart Contract security data. The only source of Smart Contract security data are audits, that are stored off-chain as PDF documents. This means, that, web3 protocols are unable to identify if malicious smart contracts interact with them and therefore face the risks of being exploited at all times.

We are on a mission to change that, by building an ecosystem for bringing audits and general smart contract security information on-chain. This will enable Smart Contracts to query security parameters of other contracts directly on-chain at incoming interactions (transactions).

With TurtleShell, Smart Contracts can immediately block any kind of malicious hacking contracts from interacting with their protocol. This is especially useful for risk-sensitive applications, like DeFi protocols.

Challenges we ran into

The main challenge we faced was how to structure the system for verifiable on-chain security data. We came up with a solution, which utilizes SBT's for minting NFT's for Audits / Security data directly on-top of Smart Contracts. That way, the security data is easily accessible and queryable from other smart contracts on-chain.

The other main issue we faced was how to structure a permissionless, decentralized security data publishing protocol. It is crucial to keep centralization at a minimum. On the other hand, allowing anyone to publish data creates the problem of consensus, when it comes to the "right" security data of a given smart contract. We solved this issue by leveraging an on-chain reputation score, which gets automatically updated on mints. The audit / security data with the highest score will be the source of "truth" for a given contract when being queryied. The "right" audit data can change dynamically, if somebody discovers security vulnerabilites at a smart contract in the future, that was unknown beforehand.

ALL DEPLOYMENT ADDRESSES FOR BOUNTIES:
https://explorer.testnet.mantle.xyz/address/0x98cEc326D379850E61Cb2bCeb3Df470c874dd13d
https://blockscout.scroll.io/address/0x98cEc326D379850E61Cb2bCeb3Df470c874dd13d
https://sepolia.etherscan.io/address/0x98cec326d379850e61cb2bceb3df470c874dd13d
https://explorer.test.taiko.xyz/address/0x98cEc326D379850E61Cb2bCeb3Df470c874dd13d
https://blockscout.com/gnosis/chiado/address/0x98cEc326D379850E61Cb2bCeb3Df470c874dd13d
https://goerli-optimism.etherscan.io/address/0x98cEc326D379850E61Cb2bCeb3Df470c874dd13d