Quantstamp Innovation: From Y Combinator to Beyond

Not long ago, Quantstamp completed its participation in the W18 batch at Y Combinator. Like all our batchmates, our team worked tirelessly towards producing a minimum viable product (MVP) for Y Combinator Demo Day.

At the start, we laid out a plan for a 90-day technical sprint. We thought about what would make a great demo, being mindful that YC companies are guided to explore product-market fit. So, we brainstormed about what we could realistically accomplish by demo day.

I always prefer to work on products that represent progress towards our long-term goals. We landed on the idea of building a web product and backend infrastructure that would make it easy to request an automated audit and that would create human-readable reports. Simultaneously, our protocol team set a goal to build an early testnet, which uses its own blockchain and interacts with Ropsten via gateway nodes and smart contracts. We set a deadline and moved quickly to produce the MVP.

Back then, much of our team spent their days in the affectionately named “Hacker House” in San Francisco.

This was one of those periods of time in a startup that you know you will never forget.

Clearing up confusion about the web product and protocol

At Quantstamp, we are committed to hearing the community’s voice and taking your opinions to heart. We understand there has been confusion over the difference between our web product and protocol — our long-term vision originally outlined in our white paper — and wanted to take a moment to clear that up.

Given that the protocol itself is a long-term endeavour, we wanted to demonstrate that a useful product could be delivered as an early proof-of-concept. Since then, I’ve noticed that there are misunderstandings in the community about the web product, which some people seem to be confusing with the protocol or analyzers. Our web product and protocol are quite different technologies.

Our Web Product

First, the web product is a proof-of-concept user interface for requesting security audits of smart contracts and viewing descriptive reports. It is an MVP built for Y Combinator Demo Day that permits small payments of QSP. We believe the web product is an important long-term step towards making the future QSP network easier to use and towards wider adoption of smart contracts. We are aiming to connect the web product to the next iteration of the protocol. The report design and format is something we hope to standardize.

Under the hood, the web product is intended to include and build upon smart contract analyzers such as Oyente (an open-source tool). As we previously announced, we are proud to help fund related research carried out at the National University of Singapore (NUS) under the guidance of Dr. Prateek Saxena, where Oyente is one of the tools and techniques being developed. We noted that “By funding [Prateek’s] research, we are pushing forward the standards of smart contract security as well as developing a long-term partnership that will help us add new tools [such as Oyente] and techniques to our platform.” This crucial research furthers our mutual objectives.

The Quantstamp Protocol

Second, the Quantstamp protocol aims to leverage a network of computers for performing verification of smart contracts using computer-aided reasoning tools. A protocol encodes the set of rules and conditions that govern the behaviour of actors in the network, whereas an analyzer is a computer program that checks for certain properties or patterns in a smart contract. Our protocol is designed so that any analyzer can be plugged in, provided it conforms to the reporting API (possibly via an adapter). Oyente is just one of many analyzers we intend to explore as options to plug into our protocol.

In the whitepaper, Quantstamp proposes to apply this technology for performing security checks of smart contracts. By leveraging a distributed and decentralized network, a reliable consensus on the correctness or security of a smart contract can be attained or, at a minimum, the level of confidence in smart contracts can be reliably increased. Among numerous advantages, we believe that this could help to further the mainstream adoption of smart contracts.


Digital tokens and off-chain computations

Complex blockchain applications generally require a digital token to fuel activity. The Ethereum network operates on a digital fuel called Ether, which uses incentive mechanisms to ensure the integrity of transactions and state changes permanently recorded in the blockchain. However, the EVM is general-purpose, single-threaded and rudimentary. Thus, many complex applications are impractical and costly to run.

In contrast, the Quantstamp protocol is intended for specialized computations that are performed off-chain. Thus, in order to have an actual functioning network that implements the Quantstamp protocol, it is necessary to have an alternative fuel that drives the code analyzers. This is the proposed and distinct function of the QSP token. Ether is used for fueling token transfers and other state changes. We are committed to exclusively using QSP to fuel our protocol. Fiat will not be used for the protocol because fiat is impractical for decentralized protocols.

A proposal about how this token may be used to incentivize network participants was originally described in our whitepaper. Flaws, or security vulnerabilities, have demonstrably resulted in significant losses of digital assets — it’s critical to get the code right. Unlike digital wallets, the business logic expressed in smart contracts is not secured by cryptography, meaning that the correctness of the ledger is not synonymous with the correctness of the smart contract.

Staying agile

Since then, a lot has happened in the community of blockchain projects and researchers, who have been making strides towards scaling computations off-chain. New types of vulnerabilities have also been uncovered and tools are being built to detect them. Additionally, there are different ideas about how to solve the problem of securing smart contracts, some of which may differ from the approach that Quantstamp has been developing.

The Quantstamp team has grown both in numbers and in expertise. New people are contributing ideas that are reshaping and improving upon earlier designs. We aim to share some of our findings in the next iteration of our technical white paper (release date to be determined).

The next step of our testnet is a permissioned network of trusted participants. We study the behaviours and activities within this permissioned network, which is intended to better inform the design and implementation of the next version. The next iteration of the testnet is targeted to be finished by the end of August 2018.

We work in an agile manner. As our protocol is a complex thing to build, we follow an iterative approach. Complexity is handled by delivering small chunks of work. Start simple and add complexity as you move on.

Our final goal is to create a permissionless and decentralized network much like Ethereum and Bitcoin, where anyone can anonymously run a node and where the protocol is not controlled by our developer team.

How manual audits help us build a better decentralized protocol

As a company, Quantstamp also provides white-glove professional services, which are different from either the web product or protocol/analyzer, for performing comprehensive security audits of blockchain applications. One of the most important benefits of meeting prospective clients and working with paying clients is that we increase our exposure to “smart contracts in the wild.” In the process, we learn how vulnerabilities proliferate due to existing approaches for implementing smart contracts, what clients need, and how the smart contract marketplace evolves.

In fact, we’ve been doing these white-glove audits since the beginning, starting with Request Network. While we only strategically perform manual audits, when we are compensated for the services, we reinvest the proceeds to develop our business and maintain our runway. Thus, while we know that manual auditing does not scale, we use manual smart contract audits to learn, understand customers, and build better technology.


Smart contract security is critical for mainstream adoption

I am convinced that securing smart contracts is critical for mainstream adoption. The advent of smart contracts, which may be used as decentralized custodians of digital assets, represents a revolutionary technology.

We are going through numerous cycles of learning, building, testing and iterating. I encourage you to spend some time following the hyperlinks in this post, learning about this technology, and developing an informed opinion of your own.

Thank you,

Steven Stewart

CTO, Quantstamp