Auditing the Unchained Capital smart contract
What standing out from the crowd looks like.
Authored By: Gabe Shepherd
As Blockchain technology continues to impose its will in disrupting industries, Hosho Group headed to Consensus last week in New York, particularly interested in seeing how projects and the technologists behind them had changed since 2017. While the previous year demonstrated promise, as a security company within the Blockchain space we have audited a great deal of smart contracts since then and had yet to see one come through our company without a vulnerability. In fact, 95% of audits we conduct have one or more vulnerabilities, and 32% of them have one or more vulnerabilities of a critical nature.
As a cybersecurity company with a CEO that previously co-founded Coinsetter (Acquired by Kraken), and LaunchKey, a multi factor authentication platform acquired by Iovation, our team is well positioned to help an exchange or company executing a token generation event avoid minor and catastrophic incidents. We stress preventive security measures so much that I imagine companies and partners we work with could perceive it as paranoia. It is our responsibility to educate and protect our customers, and until we see the space mature with more emphasis on security — have an obligation to continue doing so, and even then we won’t stop.
Our ethos as a company is to contribute to the sophistication of the space by educating, highlighting, and discussing the flaws we find during a smart contract audit or how exchanges could have prevented hacks with routine penetration testing. By the same measure we are obligated to talk about projects and the technologists developing them when done well. The purpose of this post is to highlight the tremendous work done by Unchained Capital, who offers crypto-secured loans. Their team engaged Hosho for the purpose of conducting a third party audit of their open-source Ethereum smart contract which implemented a two-of-three multi-signature wallet designed to directly interface with Trezor hardware wallets.
For the first time since Hosho was founded, Unchained Capital provided us with a codebase that was given a clean audit report with 0 vulnerabilities found. As you can imagine, we have seen some pretty scary things in our technical audits and general security work, but Unchained Capital’s work was so thorough it earned high praise from Alexander Blair, our VP of Engineering
“They put together a very well designed multi-signature wallet with sensible protections, combined with an easy to use dapp that should serve them and their clients well into the future. This was the best contract that the Hosho auditing team has come across, and the Unchained Capital team received a well deserved passing grade from the Hosho auditing team.”
You can read more about Unchained Capital’s wallet and the audit we conducted on their blog post. During our initial talks with the cofounders, Joe Kelly and Dhruv Bansal who are CEO and CSO respectively, it was refreshing to hear Dhruv proactively offer up this thought…
“I am confident in our team’s ability and what we have built, but it’s still valuable to us and comforting to our customers to have a trustworthy, independent third party validate our work.”
There is an abundance of technical talent within the Blockchain community, people who are accomplished and skilled in their craft. But putting aside for one minute the rapid growth of blockchain technologies, platforms, and languages these are being built with; All of us who want to contribute to the maturation of the space should be as committed as Dhruv and his team are to security minded development, and third party auditing of that work. Additionally, that independent review should be conducted prior to exposing customers, investors, and the industry to potential risk. Hosho would be honored to do that work, but ultimately what we care about is being a small part of a larger story that we are all writing together. Nobody in the industry benefits when a hack or capital loss occurs, not even Hosho, which sees a lot of work from companies after those things occur. The media loves to jump on these moments to instill doubt about the future of the space because it gets page views, and companies who are threatened by a decentralized world use them as tools to further entrench their power within their industry. Most of us in the industry believe that we are just scratching the surface of what this technology is capable of, but until independent security review is considered a prerequisite to any technology being released, we are only hurting ourselves by stifling innovation, capital infusion, and adoption by the general public.
It is easy for Hosho to republish blog posts about hacks and vulnerabilities, and use them as tools to educate our customers about the importance of our work. It was powerful to be able to say every audit we have conducted contained vulnerabilities of varying degree. But if we want to live up to our mission of education, prevention, and protection for our customers; Then Unchained Capital’s work should be praised, and we are honored to be the first ones to do it.
In closing, as part of our customer success process we had a wrap up call with Joe and Dhruv to make sure there were no further questions and audit our own processes and customer service. We asked Dhruv if he felt the investment they made for our services was still valuable, despite knowing that we sent them a report back finding no vulnerabilities. Dhruv’s response further validated what we now know about their team. They care about their products, they care about their customers, and they care about the industry.
“It was absolutely still valuable. We felt pretty good about what we had developed, but we are responsible for people’s capital and having third party experts look at the work and validate our efforts, well it helps me sleep at night.”