It’s been 3 months since we launched SolidStamp, an on-chain registry of smart contract audits. It’s time to share some of the learnings we have gathered thus far as well as to announce and explain a few modifications to the service we’re unveiling today.
From the very beginning, our goal was for SolidStamp to become a platform serving the entire Ethereum community. Over the last quarter, we have been in touch with many security experts and smart contract auditors and asked them for feedback regarding our first version. We attended the Decentralized Web Summit in San Francisco, and Security Unconf and the EthBerlin hackathon in Berlin, where we talked with Ethereum enthusiasts about the current state of security in the space. And last but not least, we engaged with many regular blockchain users to learn about their perspective and needs.
Our discussions allowed us to confirm the assumptions we made when starting SolidStamp: there is space for improvement when it comes to communication around smart contract security, auditors, audits and the relationship between the audits and the final code deployed to the mainnet. We identified the following three areas we would like to focus on:
1. Auditors and their clients — it’s complicated
The relationship between auditors and their clients can be challenging. Auditors need time to fully assess a client’s code. Clients, on the other hand, want audits completed quickly and without additional follow-up work required from them. Within this exchange, there is also tension as to what constitutes a critical or noncritical issue. This difference can drastically change the additional work needed to render a contract complete and error-free. What is more, auditors cannot force their clients to fix critical issues; they can only flag these problems and propose potential solutions. This creates a small but fundamental difference between “our contract has been audited” and “our contract has successfully passed an audit”, which can then be exploited by unscrupulous clients.
Auditors can be unwittingly co-opted into the business plans of their clients. Much like some whitepapers issued in this market, some audits are commissioned purely for marketing purposes. These clients argue, falsely, that because their contract has passed an audit, it is safe and profitable to invest in their associated ICO. Moreover, some clients reference having an audit but change the smart contract source code after the audit and deploy a different version to the mainnet, rendering the entire audit useless. Auditors can include a hash of the source code they reviewed in the audit report, but it is onerous to verify whether this differs from the final contract that was released.
Because of these points, we are giving auditors the ability to indicate the relationship between their audit and the deployed contract. Starting today, auditors can stamp the audited contract and signal that the deployed code has fixed any critical issues uncovered during the auditing process. These stamps are stored on the blockchain, connecting the auditor, the contract and the audit report (through the IPFS hash) forever.
We don’t expect these changes to fully resolve the challenges described above. There is and will continue to be the potential for tension between auditors and their clients. However, we feel the additional transparency created by these steps provides a much needed layer of accountability for both auditors and their clients.
2. Who audited the contract I use?
Some auditors argue that smart contract audits pose little value for regular Ethereum users. According to these auditors, audit reports are too technical, and an audit alone does not mean the contract is secure to use. While we agree in part with these claims, we believe there is additional context that is important. It is generally more secure to use an audited contract than one that has not passed any third-party verification. An audit completed and published by a more reputable, independent company is better than one that is just put up on the mainnet. Because of this independent audit, a validated and verified contract (in other words, a stamped contract) is more secure to use than an unstamped one. Based on this heuristic, we let regular users look up all the contracts they interact with, see which are audited and stamped, and see who audited them. Finally, we are committed to regularly releasing updated editions of our Smart Contract Auditor Report so everybody can learn about the state of the auditing industry.
3. Building common security practices in the Ethereum ecosystem
There is precedent for self-regulation and reporting. The Aviation Safety Reporting System (ASRS) is a nongovernmental third party that collects, analyzes, and responds to voluntarily submitted aviation safety incident reports in order to lessen the likelihood of aviation accidents. It publishes reports highlighting safety issues and issues alerts to relevant parties if it feels it is necessary to improve safety. It serves as a positive example for other industries seeking to make improvements in security without involving a government body.
We don’t think there is a need for a central authority in order to determine what is right or wrong when it comes to the security practices in smart contract development. However, we have encountered enough painful security incidents that the question must be asked: “are we learning from our past mistakes?” We believe a fundamental prerequisite for any future improvements is the complete availability of data related to the security measures, practices and processes undertaken while building a smart contract. We are happy to announce that, starting today, we allow auditors to upload their reports and their metadata to SolidStamp. The data is cryptographically signed and the reports are stored on IPFS. This structure allows anyone to confirm the authenticity of an audit and read the associated content even if it is no longer available at its original location. This also enables security specialists to learn from each other and analyze what went wrong if any of the audited smart contracts encounter a security incident.
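The two mechanisms described above, a stamp that binds the auditor, the contract, the reviewed source and the report’s IPFS hash, and a signature that lets anyone confirm the stamp was not altered, can be illustrated with a small program. The Go code below is an added example written for this post; it is not SolidStamp’s code or schema. It assumes a hypothetical `AuditStamp` record with made-up field names, uses SHA-256 and a P-256 ECDSA key because both ship with Go’s standard library (Ethereum itself uses keccak-256 and secp256k1), and the addresses, IPFS hash and Solidity snippets are constructed placeholders. It shows how a verifier detects both a source change made after the audit and a tampered “critical issues fixed” flag.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// AuditStamp models the record the post describes: it ties an auditor, a
// contract, a hash of the source that was actually reviewed, the audit
// report's IPFS hash and the "critical issues fixed" signal together.
// The field names are assumptions for this example, not SolidStamp's schema.
type AuditStamp struct {
	Auditor        string `json:"auditor"`
	Contract       string `json:"contract"`
	SourceHash     string `json:"sourceHash"`     // hex SHA-256 of the audited source
	ReportIPFSHash string `json:"reportIpfsHash"` // content address of the report
	CriticalFixed  bool   `json:"criticalFixed"`  // deployed code fixes all critical findings
}

// Constructed sample sources: the version the auditor reviewed, and a version
// with a one-line change made after the audit (the owner check is gone).
const AuditedSource = "pragma solidity ^0.4.24; contract Vault { function withdraw() public { require(msg.sender == owner); } }"
const ModifiedSource = "pragma solidity ^0.4.24; contract Vault { function withdraw() public { } }"

// HashSource returns the hex SHA-256 of a source string. Ethereum tooling
// would more commonly use keccak-256; SHA-256 keeps this in the standard library.
func HashSource(src string) string {
	sum := sha256.Sum256([]byte(src))
	return hex.EncodeToString(sum[:])
}

// NewStamp builds a stamp whose SourceHash is derived from the audited source.
func NewStamp(auditor, contract, auditedSrc, reportIPFSHash string, criticalFixed bool) AuditStamp {
	return AuditStamp{
		Auditor: auditor, Contract: contract,
		SourceHash: HashSource(auditedSrc), ReportIPFSHash: reportIPFSHash,
		CriticalFixed: criticalFixed,
	}
}

// stampDigest produces the canonical bytes that get signed: the JSON encoding
// of the struct (field order is fixed by the struct, so it is deterministic).
func stampDigest(s AuditStamp) [32]byte {
	b, err := json.Marshal(s)
	if err != nil {
		panic(err) // cannot happen for this struct; keeps the digest total
	}
	return sha256.Sum256(b)
}

// NewAuditorKey generates the auditor's signing key. P-256 is used because it
// ships with Go; Ethereum accounts use secp256k1, which would need a library.
func NewAuditorKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignStamp signs the stamp digest with the auditor's key.
func SignStamp(priv *ecdsa.PrivateKey, s AuditStamp) ([]byte, error) {
	d := stampDigest(s)
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// VerifyStamp checks that the stamp was signed by the holder of pub and has
// not been altered since (any field change breaks the signature).
func VerifyStamp(pub *ecdsa.PublicKey, s AuditStamp, sig []byte) bool {
	d := stampDigest(s)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

// SourceMatches answers the question the post calls onerous: is the source
// released as the deployed contract the same source the auditor reviewed?
func SourceMatches(s AuditStamp, deployedSrc string) bool {
	return HashSource(deployedSrc) == s.SourceHash
}

func main() {
	key, err := NewAuditorKey()
	if err != nil {
		panic(err)
	}
	// Placeholder addresses and IPFS hash; not real identifiers.
	stamp := NewStamp("0xAUDITOR_PLACEHOLDER", "0xCONTRACT_PLACEHOLDER", AuditedSource, "Qm_REPORT_HASH_PLACEHOLDER", true)
	sig, err := SignStamp(key, stamp)
	if err != nil {
		panic(err)
	}
	fmt.Println("signature valid:      ", VerifyStamp(&key.PublicKey, stamp, sig))
	fmt.Println("audited source match: ", SourceMatches(stamp, AuditedSource))
	fmt.Println("modified source match:", SourceMatches(stamp, ModifiedSource))

	// A client cannot quietly flip the "critical fixed" flag: the signature fails.
	tampered := stamp
	tampered.CriticalFixed = false
	fmt.Println("tampered stamp valid: ", VerifyStamp(&key.PublicKey, tampered, sig))
}
```

The check a user or a second auditor performs is the last two lines of each pair: recompute the hash of what was actually released and compare it with the hash the auditor committed to, then verify the signature over the whole record so that neither the hash nor the “critical issues fixed” flag can be changed without the auditor’s key.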
Let’s make Ethereum safer together. As always, we welcome your comments.