Proof of Scan

Crowdsourced website scanner for security researchers to bypass cloaked phishing sites

Created At

ETHGlobal New York 2026

Winner of

Sui - Best new build with Walrus & the Sui stack

ENS - Integrate ENS

Project Description

Proof of Scan solves the problem of “it scams on my machine”. Phishing and scam websites increasingly use cloaking techniques — serving different content based on geographic location, device type, browser configuration, or OS — to evade detection by security researchers who use cloud browsers to scan websites for evidence of malicious intent.

When a victim reports a malicious URL, security teams often can't reproduce what the victim saw, leaving them unable to verify the threat or execute a takedown. The scan comes back clean, the site appears benign or offline, but it's still actively targeting victims.

With Proof of Scan, a security researcher submits a URL with target parameters (location, device type, browser config). The job is advertised to nodes that match those specs. A matching node visits the URL in a sandboxed browser, captures the screenshot and HTML, and uploads the artifacts to decentralized storage. Using TLSNotary, the scan is signed and provably tied to a real machine visiting the real server at a specific time. This makes the output admissible as evidence for takedown requests to registrars and CDNs like Cloudflare, something a screenshot alone can't do today.

How it's Made

This project consists of four parts:

  1. dApp Frontend built with React, Vite, and the Mysten Labs SDK that security researchers use to submit jobs and preview results.
  2. Escrow and Job Queue smart contract written in Move and deployed to the Sui testnet that advertises jobs to volunteer nodes and manages rewards distribution.
  3. Artifact Storage on Walrus that stores the screenshot, HTML content, ENS metadata, and TLSNotary proof for retrieval by the job submitter.
  4. TLSNotary notarizer that participates in the TLS handshake between the scan node and the server that hosts the target webpage, and generates a cryptographic proof of the TLS session.

When a security researcher visits the dApp, they can input either a valid URL or a valid ENS name. If they submit an ENS name, the scan node will resolve the contenthash associated with the ENS name and use an appropriate web gateway service to access the associated website content. The user can also choose a location, OS, and browser configuration. They then sign a transaction that escrows a bounty reward for the scan job and posts the scan job to the Sui testnet contract.

The contract organizes the jobs under a "marketplace" object that keeps track of all jobs and a verifier address that is the main oracle for validation of TLSNotary proofs off-chain. We make heavy use of Shared Objects to allow multiple scanner nodes to submit results to a job. Payouts are split per-scan and released atomically on verifier approval within the contract; no separate escrow contract was needed.

Screenshots, raw HTML, TLSNotary proofs, and ENS metadata are all uploaded to Walrus and referenced by blob ID on-chain. We are using a Walrus aggregator on the frontend to retrieve the blobs to preview the results.

When a scan node encounters a captcha, it asks the owner of the scan node to intervene. The owner can press ENTER in their terminal and a browser will launch. Once the captcha is solved, the cookies and state are used to request the site again to both reveal the true content of the webpage and generate a valid TLSNotary proof.

The last interesting piece of our project is the mock website that we deployed to test out our scanner: phishing.site. We built this using Cloudflare Workers and Cloudflare Manage Bot Challenge to simulate three types of cloaking used by phishing sites: geo-fencing, user-agent sniffing, and captchas. This helped us validate our hypothesis about this project and demo the product without getting users to interact with a live phishing website.
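
A sketch of how results from several matching nodes for one job could be compared to show that a site cloaks and to attribute the divergence to a target parameter. This is an added example, not the project's code; the result shape, field names, and sample HTML are constructed assumptions.

```javascript
// Constructed sample: four results for one job, from nodes with different profiles.
const scans = [
  { node: "n1", profile: { country: "US", os: "Windows", browser: "Chrome" },
    html: '<script nonce="a1"></script><h1>Verify your account</h1>' },
  { node: "n2", profile: { country: "US", os: "macOS", browser: "Safari" },
    html: '<script nonce="b2"></script><h1>Verify your account</h1>' },
  { node: "n3", profile: { country: "DE", os: "Windows", browser: "Chrome" },
    html: "<h1>Site under construction</h1>" },
  { node: "n4", profile: { country: "DE", os: "macOS", browser: "Safari" },
    html: "<!-- cache miss -->\n<h1>Site  under construction</h1>" },
];

// Remove parts that differ between honest fetches: comments, CSP nonces, whitespace.
function normalize(html) {
  return html
    .replace(/<!--[\s\S]*?-->/g, "")
    .replace(/\bnonce=(["'])[^"']*\1/gi, "")
    .replace(/\s+/g, " ")
    .trim()
    .toLowerCase();
}

// Label each scan with the index of the content variant it received.
function assignVariants(results) {
  const seen = new Map();
  return results.map((r) => {
    const key = normalize(r.html);
    if (!seen.has(key)) seen.set(key, seen.size);
    return seen.get(key);
  });
}

// A profile dimension explains the divergence when each of its values always saw
// the same variant, two values saw different variants, and some value repeats.
function explainCloaking(results) {
  const variants = assignVariants(results);
  const variantCount = new Set(variants).size;
  if (variantCount < 2) return { cloaked: false, variantCount, dimensions: [] };
  const dimensions = Object.keys(results[0].profile).filter((dim) => {
    const byValue = new Map();
    results.forEach((r, i) => {
      const v = r.profile[dim];
      byValue.set(v, (byValue.get(v) || new Set()).add(variants[i]));
    });
    const sets = [...byValue.values()];
    const distinct = new Set(sets.map((s) => [...s][0])).size;
    return sets.every((s) => s.size === 1) && distinct > 1 && byValue.size < results.length;
  });
  return { cloaked: true, variantCount, dimensions };
}
```

A result with `cloaked: true` and an empty `dimensions` list means the variants differ but no single parameter accounts for it, which is where a captcha gate or a combined condition would land.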
