A Protocol for Testing Blockchain Platform Coding for Vulnerabilities
Quantstamp has developed an automated protocol for conducting security audits of smart contracts on the Ethereum network. Its aim is to offer this service to Ethereum platform developers so that bugs and vulnerabilities in a developer's existing smart contracts are identified and removed before hackers can exploit them to siphon funds from the platform's users.
Because software is authenticated and adopted into the Quantstamp protocol in a decentralized way, changes to the protocol's code can only be implemented through the proof-of-audit consensus algorithm. This reduces the risk of external actors introducing vulnerabilities and bugs into the protocol, since approval would be required from a majority of nodes on the Quantstamp blockchain. In this way, Quantstamp aims to give platforms smart contract source code that is far more secure than it would otherwise be.
Quantstamp Platform’s Structure
Quantstamp's developers built the platform on a blockchain because of the system's complex structure, the high levels of computing power needed to process each smart contract, and the shared distribution of information, which limits the possibility of tampering by external parties. While the company plans to use human reviewers to resolve anomalies during its early phases, it intends the system to eventually become fully automated and upgradeable, minimizing the potential for human error and unauthorized alterations to both the protocol and the audited smart contracts. Quantstamp's QSP tokens are used for transactions between the various actors on the platform:
- Voting rights are given to token holders. This enables them to participate in governance decisions such as upgrade forks and increased decentralization of the platform over time.
- Contributors whose Solidity code contributions are voted into the Quantstamp protocol will be remunerated with QSP tokens.
- Bug finders who report bugs in smart contracts will be awarded QSP tokens.
- Validators receive QSP tokens in exchange for contributing their computing resources to the Quantstamp platform. Validators run customized Ethereum nodes, developed specifically to handle the authentication algorithms.
- Contract creators pay QSP tokens to submit their smart contracts for auditing. The bounty they offer varies with the complexity of the security analysis required.
- Verifiers are the miners on the Quantstamp network. They receive QSP either for authenticating contracts by producing proof-of-audit hashes, and thereby the next block on the blockchain, or for submitting a counterexample as proof that a contract is compromised. Verifiers must install the necessary software to participate. Because of these incentives, even if one verifier fails to report a bug, another is likely to do so, which helps protect the system against attacks.
- Users of audited contracts will have access to the audit results.
How the Quantstamp Platform Works
The stages of source code auditing and validation:
- The developer submits their code for auditing from their Ethereum wallet by means of Quantstamp's Ethereum-based smart contract, together with the QSP bounty tokens. The developer can specify whether they would prefer a local or a public audit and can also elect to have either a public or a private report issued. The final report is encrypted accordingly.
- The code is sent to the smart contract, which transmits it to the available validation nodes on the blockchain.
- These nodes then authenticate the contract through a series of security checks. The severity of any issues found is rated and a proof-of-audit consensus is reached. The result is then hashed onto the next block in the Ethereum chain and a bounty reward is issued to the miners.
- If the issues found are minor, a lower bounty is paid out than for a more complex issue, and the remaining tokens are returned to the developer's wallet.
- Once a report is issued, the developer can choose to submit the code or the report to the community for review and feedback, in exchange for a fee.
- The code can only be altered by community consensus.
- All findings and corrections are stored in a security library, which is then used for comparison against every new smart contract submitted for auditing.
- All approved updates are also added to the library and are made available for application to existing smart contracts.
- Quantstamp is also taking a number of measures to prevent its library from being used as a guide by hackers: encrypting security reports for each smart contract owner, publishing security reports frequently to motivate developers to update their smart contracts regularly, and sending encrypted files at sizes that do not correspond to their contents.
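To make the submit-audit-settle flow above concrete, here is an added illustrative escrow contract. It is not Quantstamp's code and nothing in the article describes their implementation; it assumes an ERC-20 style QSP token, stands in for proof-of-audit consensus with a fixed verifier set and a simple vote quorum, and uses constructed payout percentages. The contract locks the developer's bounty against a hash of the submitted code, lets verifiers vote on the worst severity found, pays the verifiers who agreed on the settled outcome a share that grows with severity, and refunds the remainder to the developer. The report itself stays off-chain (encrypted per owner, as the article describes); only its settlement is recorded.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed to lock and pay out bounty tokens.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Illustrative audit-bounty escrow. This is NOT Quantstamp's contract; the
/// fixed verifier set and vote quorum are an assumption that stands in for
/// the proof-of-audit consensus the article describes.
contract AuditBountyEscrow {
    enum Severity { None, Minor, Major }

    struct Request {
        address developer;
        bytes32 codeHash;     // keccak256 of the submitted source; the code itself stays off-chain
        uint256 bounty;       // QSP locked until the audit settles
        bool privateReport;   // report is delivered encrypted to the owner only
        bool settled;
        Severity outcome;
    }

    IERC20 public immutable qsp;
    uint8 public immutable quorum;                 // votes needed on one outcome to settle
    mapping(address => bool) public isVerifier;
    uint256 public nextId;
    mapping(uint256 => Request) public requests;
    mapping(uint256 => address[]) private voters;
    mapping(uint256 => mapping(address => bool)) public hasVoted;
    mapping(uint256 => mapping(address => Severity)) private voteOf;
    mapping(uint256 => mapping(uint8 => uint8)) private tally;

    event AuditRequested(uint256 indexed id, address indexed developer, bytes32 codeHash, uint256 bounty);
    event AuditSettled(uint256 indexed id, Severity outcome, uint256 paidToVerifiers, uint256 refunded);

    constructor(IERC20 token, address[] memory verifiers, uint8 quorum_) {
        require(quorum_ > 0 && quorum_ <= verifiers.length, "bad quorum");
        qsp = token;
        quorum = quorum_;
        for (uint256 i = 0; i < verifiers.length; i++) isVerifier[verifiers[i]] = true;
    }

    /// Developer locks a QSP bounty against the hash of the code to be audited.
    /// Requires a prior `approve(escrow, bounty)` on the token contract.
    function submit(bytes32 codeHash, uint256 bounty, bool privateReport) external returns (uint256 id) {
        require(bounty > 0, "no bounty");
        require(qsp.transferFrom(msg.sender, address(this), bounty), "transfer failed");
        id = nextId++;
        requests[id] = Request(msg.sender, codeHash, bounty, privateReport, false, Severity.None);
        emit AuditRequested(id, msg.sender, codeHash, bounty);
    }

    /// Each verifier reports the worst severity it found; the first outcome to
    /// reach `quorum` votes settles the request.
    function vote(uint256 id, Severity severity) external {
        Request storage r = requests[id];
        require(isVerifier[msg.sender], "not a verifier");
        require(r.developer != address(0) && !r.settled, "not open");
        require(!hasVoted[id][msg.sender], "already voted");
        hasVoted[id][msg.sender] = true;
        voteOf[id][msg.sender] = severity;
        voters[id].push(msg.sender);
        uint8 count = ++tally[id][uint8(severity)];
        if (count >= quorum) _settle(id, severity);
    }

    /// Share of the bounty paid out depends on the agreed severity; the rest is
    /// refunded to the developer. Percentages are constructed for the example.
    function payoutShare(Severity s) public pure returns (uint256 percent) {
        if (s == Severity.Major) return 100;
        if (s == Severity.Minor) return 40;
        return 10;   // a clean result still pays verifiers for the work done
    }

    function _settle(uint256 id, Severity outcome) internal {
        Request storage r = requests[id];
        r.settled = true;            // state is finalized before any token transfer
        r.outcome = outcome;
        uint256 payout = r.bounty * payoutShare(outcome) / 100;
        address[] storage vs = voters[id];
        uint256 winners;
        for (uint256 i = 0; i < vs.length; i++) if (voteOf[id][vs[i]] == outcome) winners++;
        uint256 each = payout / winners;   // winners >= quorum >= 1, so no division by zero
        uint256 paid;
        for (uint256 i = 0; i < vs.length; i++) {
            if (voteOf[id][vs[i]] == outcome) {
                require(qsp.transfer(vs[i], each), "payout failed");
                paid += each;
            }
        }
        uint256 refund = r.bounty - paid;  // includes any rounding dust
        require(qsp.transfer(r.developer, refund), "refund failed");
        emit AuditSettled(id, outcome, paid, refund);
    }
}
```

Two design points worth noting for anyone adapting this sketch: the request is marked settled before any token leaves the contract, so a malicious token or verifier cannot re-enter `vote` and be paid twice; and only the code hash is stored, so a public audit record can exist without putting the source, or the report, on-chain.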
QSP Token Figures (as of May 3, 2018)
- Token sale period: Nov. 17 – Dec. 16, 2017
- Token sale price: 1 QSP = ~$0.07 USD
- Funds raised: ~$31.3 Million USD
- Current price: 1 QSP = ~$0.22 USD
- Current market cap: ~$133.1 Million USD