Quantstamp is tackling the problem of scalable smart contract security both pre- and post-deployment. As part of this goal, we’re working on the Quantstamp Assurance Protocol. The Assurance Protocol complements the existing Quantstamp Protocol by providing a marketplace that will allow participants to stake collateral in QSP tokens to assure that a contract will behave “well” (as expected).
While the Quantstamp Protocol performs automated security scans, there may be issues such as false positives or game-theoretic vulnerabilities that it may not catch. Manual audits may find these issues, but manual audits don’t scale. The Assurance Protocol aims to address these issues in a scalable manner and complement the Quantstamp Protocol.
With some similarities to insurance, the Assurance Protocol allows users and other stakeholders to pay for the assurance that the smart contract they depend on is safe to use and will behave as expected. If the contract does misbehave, stakeholders are compensated.
The Assurance Protocol is currently under development. A more detailed announcement on the architecture and workings of the protocol is forthcoming.
We are making good progress on integrating another analyzer, Securify, into the upcoming version of the Quantstamp Protocol. Securify is an automated smart contract security scanner made by ChainSecurity based on research developed at ETH Zurich. It has been used to scan over 22,000 smart contracts.
Along with our existing integrations of the Mythril and Oyente analyzers, Securify expands the analysis capabilities accessible through the Quantstamp Protocol by offering a more comprehensive look at the security of a smart contract. Besides covering a wider variety of vulnerabilities, it also helps reduce the occurrence of false positives, improving the accuracy of the protocol.
As an open-source analyzer, Securify is open to development not only by ChainSecurity but also community members. This allows it to easily be updated to address new vulnerabilities as they arise.
Decentralizing our Protocol
As explained in the October Community Update, we’re working to further decentralize our protocol. This includes storing scan reports directly on the Ethereum blockchain (rather than on AWS), as well as developing decentralized ways to detect and deter malicious actors on the protocol rather than relying on whitelisted nodes.
We are making progress on this initiative on all fronts and are on track with our goals for the current code sprint.
Quantstamp is expanding its offerings for enterprise customers with the Quantstamp Enterprise Monitoring Dashboard.
At Quantstamp, we understand that smart contract security doesn’t stop when the contract gets deployed. That’s part of the motivation for the Assurance Protocol and also why we’ve developed a monitoring service to track irregularities after a contract is published on the blockchain. We call this the “post-deployment stage” in the lifespan of a contract.
During the post-deployment stage, new vulnerabilities and exploits that were previously undetectable may endanger the contract. The result could be missing funds, frozen tokens, or counterfeiting. Our monitoring service checks for these kinds of security incidents as they happen and alerts the smart contract owner, allowing them to take action immediately.
Our monitoring service extends our enterprise security services beyond white-glove audits to cover the continuing life cycle of a smart contract from pre- to post-deployment. For customers, it can help to provide peace of mind. If you’re an exchange or token issuer interested in this service, please reach out to us.
New Team Members
Prior to Quantstamp, she worked at Parity Technologies, where she worked directly with Gavin Wood, Co-founder of Ethereum. She is also a co-organiser of ETHBerlin and helps out on the communications strategies for ETHGlobal events too. An experienced PR professional, she is skilled in both crisis and reactive PR as well as proactive PR efforts, media relations, social media, public affairs, and event organization.
Fundamentals of Smart Contract Security Book
The Quantstamp team has finished drafting Fundamentals of Smart Contract Security, expected to release this winter. This book will provide an in-depth look at both the issues involved in smart contract security, and practical examples of vulnerabilities in the wild.
With Fundamentals of Smart Contract Security, we aim to help spread knowledge and awareness of smart contract security.
Chamber of Digital Commerce
Our CEO Richard Ma recently joined the Chamber of Digital Commerce as co-chair of the Smart Contracts Alliance. The Chamber of Digital Commerce is the world’s first and largest trade association representing the digital asset and blockchain industry. It meets with legislators and industry leaders in order to promote the real-world application of smart contracts and blockchain technology.
As CEO of Quantstamp, Richard has helped lead initiatives to improve the secure mainstream adoption of blockchain technology, and he aims to further that cause as co-chair of the Smart Contracts Alliance.
We continue to be active in blockchain events and conferences both regionally and internationally. Here are some of the more notable events we attended in November:
We had a strong presence at Devcon 4, with leadership and many core team members in attendance. Devcon 4 is one of the largest Ethereum conferences in the world. Attended by Vitalik Buterin and core members of the Ethereum Foundation, it has a strong focus on designing, developing and building out decentralized applications.
At Devcon 4, our Senior Research Engineer, Martin Derka, presented a workshop on preparing for a security review/audit. In addition, our CEO Richard Ma demonstrated Plasma Dog, a game which runs on the OMG Plasma MVP, which we audited earlier this month.
Blockchain Advocacy Coalition
We sponsored and spoke at Node Tokyo. This large-scale event featured speakers from the Ethereum Foundation, Origin Protocol, Metamask, and more, connecting the world’s top blockchain projects with Japan.
Something’s always happening at Quantstamp. Stay tuned by subscribing to our newsletter, following us on Twitter, or joining our Telegram. And of course, don’t forget our AMA/Q&A every Friday at noon PST on our Telegram channel.
Note: This update includes information and forward-looking statements about upcoming events and concepts under continuing development. Schedules, features, and functionality are subject to change or cancellation at any time and you are not to place undue reliance on this information or any forward-looking statements.