A Smart Problem to Solve — Here Comes Quantstamp

Tokic
4 min read · Oct 20, 2017


“Everyone makes mistakes” is a well-known mantra. This is why most software companies implement best-practice procedures such as peer review to bring a second pair of eyes to developers’ code.

Despite an estimated average defect removal rate of 65%, code reviews are time-consuming.

How about taking this concept further and leveraging a distributed peer-to-peer blockchain network to implement highly specialized security audits of Solidity contract code?

This is what the folks at Quantstamp have been up to. And with their scalable security-audit protocol they may be onto something pretty smart indeed!

Growing Smart Can Be Costly

There was a time when websites were mostly static — their function was limited to presenting a product or a piece of desktop software. Rapidly, businesses started to feel the need for a more dynamic and smarter internet to bring more value to their visitors as retention and differentiation became more important.

Web services were born to answer these needs and started to power sophisticated web-based applications while providing e-commerce, dynamic content and more.

By analogy, this is the kind of revolution that smart contracts provide to blockchains. They allow elaborate programs to be embedded into the ledger and executed. In a way, Dapps and smart contracts are the web services of the blockchain.

But the story does not stop here. As web services started to spread over the internet, so did security breaches! Almost every major company fell victim to large security flaws which exposed millions of private records. To guard against such contingencies, these companies are spending a fortune on security audits.

With smart contracts, blockchains such as Ethereum are also vulnerable to this type of problem, and millions of dollars have already been stolen due to vulnerabilities.

This new blockchain ecosystem is growing up fast and quickly appealing to everyone (thanks to Solidity, an accessible language for Ethereum smart contracts) — however, not everyone can afford expensive human audits to assess the security of their system.

Toward a Cheaper Solution

Quantstamp proposes a hybrid protocol: an automated audit that scans Solidity code for vulnerabilities, coupled with human audits incentivized by a bounty payout system using the Quantstamp Token (QSP).

The protocol implements the audit using the same mechanism used to confirm transactions on the Ethereum blockchain (read the Quantstamp white paper for more details).

At its core, verifiers (miners) are rewarded with fees or bounties paid by an escrow smart contract for producing proofs of audit (the analogue of proof of work). Contributors feed the system with open-source code that verifies Solidity programs, and voters implement the decentralized governance needed in any distributed ledger system.

Automated security audits are not new; however, Quantstamp is able to fully leverage the nature of the blockchain to implement trusted and scalable automation.

Developers can request an audit of their code for an affordable fee. If vulnerabilities are discovered by the Quantstamp verifiers, the developer is given the opportunity to address them before sending the contract code to production.

The Request Network ICO has successfully managed to validate their code through the Quantstamp protocol as a proof of concept.

All in all, Quantstamp is a simple-to-use, cheap and scalable process which has the potential to become a cornerstone of smart contract development on Ethereum.

We Need Openness and Care

DAO stands for Decentralized Autonomous Organization. The organization pioneered the concept of removing humans from key management roles — an ambitious but premature project.

It was premature because, before we can claim to build systems devoid of human beings, we need to be able to trust the code of these systems.

Open source does not necessarily mean secure. Linux is not an unbreakable vault and vulnerabilities are found every day in open source software. But open source is about contributing and sharing.

Richard Ma, Quantstamp CEO, takes this concept of contributing and sharing even further with an open “Proof of Care” campaign to raise awareness about their ICO and the need for security audits.

Security is about trust and Quantstamp understands that we need dedicated solutions and protocols. The Quantstamp team steps in at this exact point to bring security to these open but sensitive smart contracts.

So, here comes Quantstamp! And if you care about Ethereum and the community, it is time to get involved, contribute and share too!

Join the Quantstamp discussion on Telegram!
