BitCANN - Bitcoin Cash for Assigned Names and Numbers

BitCANN (Bitcoin Cash for Assigned Names and Numbers) is a decentralized domain name and identity system built on the Bitcoin Cash blockchain.

  • Decentralized Domain Names like .sat and .bch and more.
  • Add Records, RPA Pay Codes, Add Currency Addresses, Text Records, Custom Records, Social, Email, and more.
  • No Renewals or Expiry*
  • NFT Domain ownership, enabling secondary market trading.
  • Easy lookups
  • Sign-In using your Identity
  • Plugin for other contract systems
  • Earn by protecting the system by:
    • Burning illegal registration attempts
    • Identifying and burning registration conflicts
    • Proving domain violations

Looking forward to feedback and discussions!

Additionally, I’d like to open a discussion on how we can audit contract systems like BitCANN and establish a process, and what that process would look like. We had some discussion about this at General Bull 43 “BitCANN and Smart Contract Audits” https://x.com/GeneralProtocol/status/1893361808355795254

9 Likes

On getting a contract system audited, this is my approach:

Unit Testing

Using the “mocknet” feature of CashScript is great to unit test isolated functionality.

In theory, it would probably be best practice to have unit test assertions hitting every condition of each contract; in practice, it would probably be excessive to retest similar conditions.

Currently the “mocknet” provides great debugging BitauthIDE links. But meep is also back online if you get the transaction hex.

Integration Testing

If all the contracts appear to work as intended, regression testing them against a real node is next.

There can be automated tests against regtest, chipnet or mainnet. The advantage of regtest network is that features dependent on time can be simulated by mining new blocks.

Audit

Once the system is tested and somewhat “fixed”, it can be sent to audit.

An auditor is likely to suggest optimizations, enhancements and improvements; those changes could be easily made and retested with regression tests.

The simplest way to engage a good auditor is with money.


Just downloaded your GP talk, will circle back later.


This was the audit for Future Bitcoin Cash, completed by the Bitcoin Cash Autist in July 2024.

BCA and Jason have a better understanding of what is possible in the VM beyond conventional application layer stuff.

BCA also has a broader understanding of cryptographic and on-the-wire attacks.

A markdown audit makes it easy to convey in many formats and machine readable.

4 Likes

Thanks! This is solid advice.

Along with this, I am preparing a checklist that I’ll keep on updating here:

  • Find and list the entry points
  • Find future upgrade vulnerabilities (for example relying on 40 bytes of commitment length, an attacker can update the nftCommitment in a way that creates a Denial of Service).
  • Find who can inject the input in the transaction, p2pkh or p2sh
    • For example: In cases where someone wants to store the pkh from an input, they’ll probably split the lockingbytecode but if the input is from a p2sh then the stored value in the commitment will be incorrect leading to a DoS. require(tx.inputs[x].lockingBytecode.length == 25);
  • Find potential utxo injections
  • Find unintentional burns
  • Find unintentional minting
  • Find category leaks (token going somewhere where it was not supposed to)
  • Find deadlocks due to state updates (nftCommitment getting updated in such a way that it can’t be used anymore)
  • Check Genesis configuration (Mis-configurations can lead to failed states later on)
  • Mathematical errors
  • Find input and output restrictions (If any)
  • Find version checks (timelocks, etc.)
  • Split errors without checking the length

Just created a Telegram group for discussions

1 Like
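As an added example (not BitCANN’s code and not from the poster), a CashScript contract illustrating the p2sh-input pitfall from the checklist above: the naive split is shown in a comment, and the hardened version pins the full P2PKH template before storing the pkh in an NFT commitment, so a P2SH20 (23-byte) or P2SH32 (35-byte) input is rejected instead of silently writing a wrong commitment. The contract and function names, the caller-supplied input index, and the convention that output 0 carries the updated NFT are assumptions.

```cashscript
pragma cashscript ^0.10.0;

// Added example, not BitCANN's code: record the owner pkh of one input in
// an NFT commitment without letting a P2SH input poison the stored value.
contract PkhCommitmentGuard() {
    // inputIndex: which input's owner is being recorded (assumed caller-supplied).
    function record(int inputIndex) {
        bytes lockingBytecode = tx.inputs[inputIndex].lockingBytecode;

        // Naive version from the checklist: split at 3 and take 20 bytes.
        // Correct for P2PKH (OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG,
        // 25 bytes), but on a P2SH20 input (OP_HASH160 <20> OP_EQUAL, 23 bytes)
        // or P2SH32 (35 bytes) it yields garbage and the commitment is wrong,
        // leaving the NFT in a state nothing can later satisfy (DoS).
        //   bytes20 pkh = bytes20(lockingBytecode.split(3)[1].split(20)[0]);

        // Hardened version: check the length AND the exact P2PKH template bytes.
        require(lockingBytecode.length == 25);
        bytes prefix, bytes rest = lockingBytecode.split(3);
        require(prefix == 0x76a914);          // OP_DUP OP_HASH160 PUSH20
        bytes pkhBytes, bytes suffix = rest.split(20);
        require(suffix == 0x88ac);            // OP_EQUALVERIFY OP_CHECKSIG
        bytes20 pkh = bytes20(pkhBytes);

        // Output 0 (assumed) carries the updated NFT: the commitment must be
        // exactly the pkh, and the token category must be preserved so the
        // update neither leaks the category nor burns the NFT.
        require(tx.outputs[0].nftCommitment == pkh);
        require(tx.outputs[0].tokenCategory == tx.inputs[this.activeInputIndex].tokenCategory);
    }
}
```

The same template-pinning approach generalizes to any contract that derives stored state from another input’s locking bytecode: validate the whole shape, not just the length.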

Auditing and security is the level “below”, but we also need the level “above”, which is a nice UI, wallet integrations, a marketplace to easily trade the domains, etc.

I’m thinking about that as I look into this, I’ll let you know if I have any ideas.

Good space with a lot of discussion about this idea: https://x.com/i/spaces/1mnxegbdNMNGX

(Might be worth someone preserving it and uploading it to YouTube)