Codeguard AI Grant Application #66
Hi @mitmelon thank you for your application. My understanding is that you will need to train a GPT that will help users detect vulnerabilities or write optimized runtime code. How do you plan to keep your GPT up-to-date with the most relevant and up-to-date data on best practices and common implementation bugs? Also, can you clarify what you hear by "Tested on the Rococo testnet"?
Hi @sacha-l, thank you for your questions and for considering my application! To clarify, CodeGuard-AI uses GPT-4o, a pre-trained model by OpenAI, accessed via API calls, so I’m not training a custom GPT. My plan to keep its outputs aligned with the latest best practices and implementation bugs involves integrating current Polkadot-specific data into the prompts. This will include runtime metadata from the Polkadot-JS API, vulnerability data from the RustSec Advisory Database, and best practices from Substrate and ink! documentation, all of which are regularly updated. I’ll also monitor OWASP blockchain security guidelines and Polkadot’s GitHub repositories, such as substrate and ink!, for community-reported bugs, ensuring the analysis remains relevant without retraining.

Regarding "Tested on the Rococo testnet," I apologize for the confusion in my application. Milestone 1 is a basic GUI for login, registration, and project uploads, but no testing on Rococo or deeper functionality (CLI and GPT-4o integration) has occurred yet. My plan is to implement and test these in future milestones, starting with Milestone 2, where I’ll analyze a voting pallet and an ERC20-like ink! contract deployed on Rococo using cargo-audit and GPT-4o to ensure compatibility with the parachain environment.

I hope this clarifies my approach! I’m happy to provide more details about the GUI or testing plan if needed. Thank you again!
What Polkadot-specific data will you be using exactly? I believe the most effective design would be one where you have a sort of content bank with all of the latest vulnerabilities and fixes since the genesis block which can be used as an initialization prompt. Polkadot currently spans a wide spectrum of potential vulnerabilities: runtime development including upgrades, ink! and solidity development. And there have been numerous vulnerability fixes found from deployments over the years. What exactly will you be using from Polkadot Github repositories? Ecosystem related ones too? Do you plan to use any past audit reports? It's not at all clear where you will get all this hard data which really is the backbone of Codeguard AI's value proposition.

Can you outline what you would expect from this analysis? Rococo is deprecated too as of a month or so ago. I'm assuming you mean Paseo? And what do you mean by "ensure compatibility with the parachain environment."?
Thank you @sacha-l for your detailed feedback.

For Polkadot-specific data, I agree that a content bank of vulnerabilities and fixes since Polkadot’s genesis block is a strong design. In Milestone 2, I’ll compile this dataset as a structured JSON file to initialize GPT-4o prompts. The data will include:

- Runtime vulnerabilities and fixes from the paritytech/polkadot-sdk repository, such as runtime upgrades and state trie versioning updates.
- ink! contract vulnerabilities from the paritytech/ink repository, focusing on issues like reentrancy or overflow.
- Ecosystem-specific data from the AstarNetwork/Astar repository to capture DeFi-related vulnerabilities in ink! contracts.
- General security insights from the RustSec Advisory Database and OWASP blockchain guidelines.
- Polkadot release notes and changelogs for protocol changes.

This content bank will initially focus on runtime and ink! vulnerabilities, with potential future expansion to Solidity. By integrating this data into GPT-4o prompts, CodeGuard-AI will provide relevant vulnerability detection and fixes, forming its core value proposition.

I apologize for mentioning Rococo - it’s been deprecated, and I meant Paseo, the current testnet for parachain teams. In Milestone 2, I’ll deploy a voting pallet and an ERC20-like ink! contract on Paseo to validate CodeGuard-AI. The analysis will involve:

- For the voting pallet: Checking for runtime issues like storage leaks or weight miscalculations using cargo-audit for dependencies and GPT-4o for logic analysis.
- For the ERC20-like ink! contract: Identifying DeFi exploits like reentrancy or overflow issues with the same tools.
- Expected outcomes: A report listing specific vulnerabilities (e.g., “storage leak detected in voting pallet”), proposed fixes (e.g., “CodeGuard-AI implement lazy loading code as an example fix for developer to use”), and confirmation that the code executes without errors in a parachain slot.

By "ensure compatibility with the parachain environment", I mean verifying that the pallet and contract operate correctly in a Paseo parachain slot, interacting with the relay chain via XCM and Polkadot-JS API. This includes successful block production, cross-chain message passing, and no runtime crashes. I’ll reserve a parachain ID on Paseo and run a collator node (e.g., using polkadot-omni-node --collator --chain raw_chain_spec.json) to test this.
💪 Project Abstract
CodeGuard-AI is an AI-powered tool designed to secure and optimize Substrate and ink! projects within the Polkadot ecosystem. It addresses critical vulnerabilities like XCM flaws and DeFi exploits by automating code audits, detecting issues, rewriting code for efficiency, and implementing features such as optimized storage pallets. Built with Rust, PHP, and JavaScript, it features a secure web interface—already developed in Milestone 1—with login/register forms, a dashboard for statistics, settings (2FA, OpenAI key), and a project report page for managing uploads. Tested on the Rococo testnet, CodeGuard-AI integrates with Substrate, ink!, and Polkadot-JS API, targeting Plaza and DeFi developers to ensure secure, efficient code.
This 8-week project, led by a Nigerian engineer with 6+ years in Rust, PHP, JavaScript, and cybersecurity, requests $9,000 to deliver six milestones. CodeGuard-AI aims to empower millions of Polkadot developers by enhancing security and scalability, contributing to the ecosystem’s decentralized vision under an Apache 2.0 license.