## ArboShell

##### "Security rooted in decentralization"

- **What is the project?** ArboShell is a cybersecurity-focused experience that bridges Web2 and Web3.
- **Problem it solves?** Demystifies Web3 for Web2 users.
- **Target users?** Everyone interested in security and Web3.
- **Core features?** A story-guided path of Web2/Web3 security challenges, plus standalone challenges.
- **Scope for Initial Release (By May)?**
  - Focus on Phase 1 plus part of Phase 2 for the MVP.
  - Include 5-10 challenges: mostly Web2 (e.g., SQLi, XSS) with at least one Web3 element (e.g., an IPFS-hosted flag or Ethereum transaction analysis).
  - Implement a blockchain-secured leaderboard (Node.js + smart contracts) and Web3Auth login.
  - Defer complex NFT minting to post-MVP, using mock Web3 data initially.

##### Technology Stack

- **Frontend**:
  - React/Vite for a fast, interactive UI showcasing Web3 interactions (e.g., wallet connections, blockchain data).
  - Optional additions: integrate **Three.js** or **p5.js** for immersive Web3 visuals (e.g., a 3D blockchain explorer interface), or **Framer Motion** for animations highlighting decentralized clues.
  - Enhancement: consider **React Native** alongside React/Vite to bring Web3 hacking challenges to mobile users, with wallet integration via Web3Auth.
- **Backend**:
  - Node.js with **Express.js** for API management, interfacing with blockchain networks.
  - Enhancement: use **NestJS** for a structured, scalable TypeScript backend as Web3 features expand.
  - Web3 integration: **ethers.js** or **web3.js** for interaction with Ethereum smart contracts (e.g., leaderboard updates, reward minting).
- **Authentication**:
  - Web3Auth for wallet-based logins, configured for multi-chain support (e.g., Ethereum, Polygon) to future-proof Web3 expansion. No Web2 fallback: users onboard directly into a Web3 identity.
- **Web3 Infrastructure**:
  - **IPFS** for hosting challenge flags and assets, managed via **Pinata** or **Fleek**, emphasizing decentralized storage.
  - **Smart Contracts**: written in **Solidity**, developed and tested with **Hardhat** or **Truffle**, deployed on a testnet (e.g., Sepolia) for the MVP, with plans for Ethereum mainnet or Polygon for cost-efficient scaling.
  - **Chainlink** as a blockchain oracle for Web3 challenges requiring real-world data (e.g., OSINT tied to on-chain events).
- **Database**:
  - **PostgreSQL** for Web2 challenge metadata (e.g., user progress), paired with on-chain storage for critical data (e.g., scores, submissions).
  - **The Graph** or a custom indexer for querying blockchain events (e.g., challenge completions), ensuring a fully Web3-native experience.
- **Deployment & Scalability**:
  - Initial deployment on **Vercel** (frontend) and **AWS/Heroku** (backend), with **Alchemy** or **Infura** for blockchain node access to support Web3 features.
- **Security**:
  - **Helmet.js** for securing Node.js APIs.
  - Smart contract audits with **Slither** or **MythX** to catch vulnerabilities in Web3 components before deployment.
  - Rate limiting and input validation for APIs, with all critical actions (e.g., challenge submissions) verified on-chain.

---

# **Non-technical Part**

---

##### Experience-Driven

- Users follow a **progressive narrative**, uncovering Web3 organically.
- Feels like an **interactive, evolving mystery** (e.g., hacking a system that turns out to be decentralized).
- A main progression path (guided onboarding) plus optional standalone challenges (traditional competitive CTF).

##### Phase 1: Familiar Web2 Challenges

- Users solve **normal hacking/security puzzles** (SQLi, XSS, OSINT, forensics).
- No mention of "blockchain" or "Web3" yet.
- Hidden clues start appearing: some data is **stored differently** than expected.

##### Phase 2: Subtle Web3 Onboarding

- A flag is **hosted on IPFS** instead of a normal server, requiring users to retrieve it.
- A cryptographic puzzle hints at **Merkle trees or zk-proofs**, without calling it Web3.
- A forensics challenge requires analyzing **Ethereum smart contract transactions** instead of log files.
- Challenge submissions write results to an **immutable, tamper-proof blockchain ledger (but it doesn't feel like crypto)**.

##### Phase 3: "Wait… Is This Built on Web3?"

- The moment of realization: **users discover that ArboShell itself is on-chain**.
- Points, leaderboards, and rewards are **secured by smart contracts**, preventing exploits.
- Optional **Soulbound NFTs** for major milestones.
- Some advanced challenges involve **hacking a vulnerable smart contract** to extract the final flag.

##### **Narrative Depth Expansion**

Incorporate a persistent, Web3-centric world or lore that evolves with user progress (e.g., uncovering a decentralized network conspiracy hosted on IPFS or Ethereum). Optional standalone challenges tie into this narrative, reinforcing Web3 concepts through context.

##### **Gamified Learning Curve**

Introduce a "mentor" character or hints system to explain Web3 concepts immersively (e.g., "This flag's on IPFS, a tamper-proof, distributed system" or "Check the Ethereum blockchain for transaction clues"), guiding Web2 users into Web3 without breaking the story.

##### Reward System Enhancements

Leverage Web3-native rewards tied to challenge difficulty: ERC-20 tokens for smaller tasks, Soulbound NFTs for major milestones. Rewards could be redeemable on-chain for hints, exclusive challenges, or real-world perks (e.g., conference tickets via partnerships). Emphasize Web3 ownership to deepen user engagement with decentralization.

---

## State-of-the-art

---

#### Web2 Platforms (Hack The Box, TryHackMe, picoCTF, etc.)

- Focus on **traditional cybersecurity challenges** (Web2, pentesting, networks, OSINT).
- Mostly **linear or challenge-based**, not immersive storytelling.
- No Web3/blockchain integrations.
> ArboShell introduces a **progressive Web3 onboarding layer + story-based immersion**.

#### Web3 Security CTFs (Ethernaut, Damn Vulnerable DeFi, Paradigm CTF, Capture The Ether)

- Focus **entirely** on blockchain security.
- Expect players to already know what "Solidity", "reentrancy", and "flash loans" are.
- No **Web2 challenges** or **progressive Web3 adoption journey**; they throw you straight into smart contract hacking.

> ArboShell **bridges Web2 & Web3 security** with a stealth introduction rather than forcing blockchain from day one.

#### Story-Driven "Hacker" Games (Uplink, Hacknet, NITE Team 4, Cyber Apocalypse CTF)

- Uplink & Hacknet: **hacker simulation games** with missions but **not real security challenges**.
- NITE Team 4: **cyber-intelligence RPG-style game**, more narrative-based but also **not real-world cybersecurity**.
- Cyber Apocalypse (HTB's annual CTF): has a **story, but not ongoing interactive lore**.

> ArboShell has **real-world hacking fun + narrative immersion** at the same time, with real challenges.

Key Differentiators:

- **Web3 is introduced progressively and subtly** (no upfront blockchain complexity).
- **A fully story-driven hacker experience**, unlike traditional **list-based CTFs**.
- **Both Web2 & Web3 challenges**, rather than focusing on just one.
- Fully Web3-native platform from day one: leaderboards, rewards, and challenge submissions are secured on-chain, distinguishing it from Web2-centric CTFs.
- Potential open-source components (e.g., Solidity smart contracts or challenge templates) to foster a Web3 developer community, accelerating growth and credibility.