ostdotcom
Published in

ostdotcom

Simple Token Security Audits — building trust block by block.

We just deployed the Simple Token contracts to Ethereum. The Token Sale contract will automatically start the token sale at 13:00 UTC on Tuesday 14th November. To mark this milestone we wrote a more technical overview of our smart contracts and the road we have traveled.

Key highlights:

  • Three independent security audits of Simple Token smart contracts by Zeppelin Solutions, Cure+53 and Bok Consulting.
    no critical or high severity issues found in smart contracts
  • 304 unit tests, 8 successful complete dry-runs executed (4 against Ropsten testnet; 4 against Ethereum mainnet).

The Simple Token Smart Contracts

Writing the token contract that fuels the OpenST platform is no light matter. Our first principle is to keep it simple. Smart contracts function as small independent machines. It is paramount to test, review, and audit each piece, every step again by different experts as we combine these machines to build the OpenST platform.

At the foundation of the OpenST platform sits the Simple Token contract (see all code on github.com/openstfoundation/SimpleTokenSale). This contract follows the EIP20 standard and is the registry of all Simple Token [“ST”] balances.

Simple Token is the white-label token for developers, companies and end-users to tokenize mainstream applications with. Simple Token also pays for the gas consumption on the OpenST platform that extends the scalability and usability of Ethereum mainnet.

To make Simple Token available to our fast growing community of member companies and their user base — 7 companies we announced so far and another 50 in the pipeline — we are organising a token sale. The TokenSale contract holds 240M Simple Token of the total finite supply of 800M and will start selling them at 0.0833 USD / ST on first come first serve basis as of 14th November 13:00:00 UTC. It will burn any unsold tokens after the sale ends on 1 December 12:59:59 UTC. You can read about the community bonus and all final sale details on our blog here.

A third contract builds a long term token incentive to support the Simple Token ecosystem. The Trustee contract will monthly vest the tokens bought by pre-sale purchasers over 12 months. It also holds revocable grants for our advisors (min. 2 year vesting) and the founding team members (min. 3 year vesting).

When designing and coding smart contracts we never failed to go back to the drawing board to make sure that the access control list (ACL) for any function is always only one single path.

As a rule of thumb any given function is either open to all, or restricted to a single sender address and restricted to a narrow window in the state-flow and visibility. Allow for a grey zone and you’re lost when combining these little machines into a bigger platform.

Three Security Auditors

Strong design principles on their own are not enough. From development day one we had an auditor plan in place. Our first external auditor has been Bok Consultancy. Bok ran repeated external audits of the smart contract code at key development milestones from the beginning till the end. He gave great feedback that helped us catch subtleties in the code early on.

In parallel with writing the Simple Token smart contracts we built the production systems to interact with our machines on Ethereum. When we completed both the smart contracts and the secured production backends, we had a full security review of our website, the backend and then a second external independent audit of our smart contracts by Cure+53. We are pleased to be able to count on the world-leading expertise of the Cure+53 team.

“Within the scope of our audit, the smart contract appeared to have been written in a defensive style, with ACL checks, permission checks, state checks, input validation and safe arithmetic. It avoids common pitfalls and is written in a clear manner following the best-practice approaches for Ethereum smart contracts.”

- Nadim Kobeissi — Symbolic Software/Cure53

Finally we invited Zeppelin Solutions to provide a third, external, independent audit of the smart contracts. We congratulate Zeppelin Solutions for their professional approach in their critical reporting and their willingness to engage in in-depth discussions on what is the right solution for each issue raised. We also recommend and used their Open Zeppelin libraries.

We worked closely over many weeks with all three of the external auditors to make sure that no issues went unaddressed. We are proud to say that none of the auditors found critical or high severity issues during their audits of the smart contracts. We want to use this occasion once again to thank them for their hard effort to make the Simple Token contracts solid.

Key Management is key

Our test suite has 304 unit tests. These tests also cover the operational contracts that form a circuit-breaker between the Ethereum smart contracts and our backend systems. The deployment and sale process has been integrated into our staging and production systems. We ran four successful dry-run tests on Ropsten testnet, followed by four successful dry-run sequences on Ethereum mainnet. After each run we exhaustively verified the sequence against our 42 page long process document outlining all possible steps in detail. Like with a fire drill all team members know in-depth how the sale process will unfold.

Abbreviated Access Control List address table lifted from Simple Token key management document

The smart contracts have three permission levels. Each contract must always at construction be initialised with an owner address. The ownership of Simple Token, Token Sale, and Trustee contracts has no functional ability but is the “break-glass-in-case-of-emergency” address that can override the admin address. Each contract owner address holds no tokens and is a Gnosis 2-out-3 multi-sig wallet with three separate hardware keys, held by three OpenST Foundation board members in three different physical vaults across the world.

While many processes like the sale process runs automatically, at key places in the state-flow we want a human to sign off on the process or input new information. This role is reserved for the admin address and a prime example is the ability to set the token sale price before the sale has started. We will set the price of Simple Token in ETH 48 hours before the sale starts at the announced price of USD 0.0833 / ST at the USD/Ether price at that moment.

An operation address is a secured, isolated machine that can input information into the contracts at volume and is controlled by our secured backend databases. These backend systems also follow up on the block confirmations and output of each transaction to assert a valid outcome with Ethereum. The operation address never directly controls any tokens.

When the information an operation address inputs does affect token movements then they can only write into circuit-breaker contracts (one such contract is the contract that on a monthly basis vests a new allotment of the grants, Processable Allocations). Such circuit-breakers get deployed, filled out, verified and locked automatically for each batch. Once they are locked, a human administrator has to intervene to again verify the input is correct and then sign off on the execution. This process leaves an unremovable audit trace on Ethereum of every value operation that happened, and of who is accountable for signing off on it. This is for example crucial as the Foundation vests the grants.

By leaving no effort spared the OpenST Foundation pushes the technology to build trust and act in a transparent manner towards the public and the wider Simple Token community. We will work to earn and retain your respect every step along the way.

LEGAL DISCLAIMERS

This Medium post is not a prospectus nor a solicitation for investment and it does not pertain in any way to an offering of securities in any jurisdiction.

You must read the entirety of our Terms & Conditions document carefully before making any decision to purchase ST Tokens. You must also monitor the https://simpletoken.org website and our Medium publications for any announcements from the Foundation as they may add to, or change, these Terms and Conditions at any time.

Purchasing, holding or using cryptographic tokens carries significant potential financial, regulatory and other risks, including potential loss of the entire value of Payment.

Tokens are only for sophisticated purchasers who are knowledgeable and experienced in the features and risks of digital platforms, digital assets, blockchain technology and smart contracts. Potential purchasers should determine for themselves the relevance of the information contained in this document and related materials, in each case as supplemented from time to time, and the necessity for additional enquiry, research and professional advice. Any decision to participate in a token sale should be based upon such independent investigation and advice as you deem necessary. This document should not be considered as a recommendation by any person to participate in any token sale or digital platform.

In particular, you should not purchase any Tokens unless you have read and understood the terms and all other relevant materials and fully understand the Token Sale, including at least the following:

  • the nature and purpose of the Token Sale and its cryptographic context
  • the procedures required to purchase Tokens;
  • the nature and the extent of the risks to which you may be exposed by participating in the Token Sale or purchasing, holding, transferring or exchanging Tokens, including those set out in the Risk Disclosure; and
  • the regulatory, tax and accounting treatment of participating in the Token Sale and purchasing, holding, transferring or exchanging Tokens, as well as any other relevant implications.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store