Research has shown that despite all the hype surrounding Ethereum smart contracts and their potential to transform how business is done, they are vulnerable to hacks because of fatal flaws in their code. A typical example is the DAO hack of 2016, in which $55 million worth of Ether was stolen, along with the more recent Parity wallet hacks. Issues such as these raise serious trust concerns about Ethereum smart contracts and lead to slower adoption.
Quantstamp is trying to solve this security challenge behind Ethereum contracts. According to the team behind the project, “[Quantstamp is] a security verification protocol for smart contracts that improves the security of Ethereum. The advantages of the security protocol include automation, trust, governance and ability to compute hard problems over a distributed network.”
In general, Quantstamp is an auditing network that links investors, users, and developers through a transparent and scalable proof-of-audit. Smart contracts are automatically checked for vulnerabilities, and rewards are given to individuals who identify and report contract bugs to the network. This incentivized system is meant to keep the network in top condition.
Features of Quantstamp
For a start, the team behind the project believes that validation of smart contracts should be automated and free of input from human experts and security consulting companies. Their reasoning is that human input increases the risk of errors, raises costs, and creates a reliance on these experts and companies. Additionally, given how fast smart contracts and their possible applications are growing, the supply of expert human auditors may not be able to meet demand, driving costs up further.
Quantstamp aims to build a cost-effective and scalable network that can audit smart contracts without significant human involvement. The protocol behind the project relies on two primary parts: a software verification system and an automated bounty payout.
The software verification system is both automated and upgradeable. It is designed to analyze Solidity (Ethereum's smart contract language) programs and pinpoint attacks of increasing sophistication. The automated bounty payout, as the name implies, rewards human participants who find errors in the smart contracts. So in essence, Quantstamp uses a combination of automatic and manual checks to validate smart contracts. It is also important to note that, according to the project, its proof-of-audit protocol makes it impossible for individuals with malicious intent to manipulate the results of an audit, since the audits are not centralized.
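To make the "automated software verification" idea concrete, here is an added illustration that is not Quantstamp's code and does not reflect how their verifier actually works. It is a toy static check in Python that scans constructed Solidity source for one specific ordering flaw: an external call (`.call`, `.send`, `.transfer`, `.delegatecall`) that happens before a storage variable is updated in the same function. That ordering is the root of the 2016 DAO reentrancy problem, and the usual fix is to update state first and make the external call last (the "checks-effects-interactions" pattern). The contract names, variable names and regexes below are all assumptions made for the example; a real verifier would work on a parsed AST rather than regexes over text.

```python
"""Toy call-before-state-update detector for Solidity source (added example, not Quantstamp code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: withdraw() sends Ether before reducing the caller's balance,
# so a re-entering callee can call withdraw() again while the old balance is still recorded.
VULNERABLE_SRC = """
contract Vault {
    mapping(address => uint256) balances;

    function withdraw(uint256 amount) public {
        require(balances[msg.sender] >= amount);
        msg.sender.call.value(amount)("");
        balances[msg.sender] -= amount;
    }
}
"""

# Constructed sample: same function with the state update moved before the external call.
FIXED_SRC = """
contract Vault {
    mapping(address => uint256) balances;

    function withdraw(uint256 amount) public {
        require(balances[msg.sender] >= amount);
        balances[msg.sender] -= amount;
        msg.sender.call.value(amount)("");
    }
}
"""

# Member calls that hand control to another contract (assumed list for the example).
EXTERNAL_CALL = re.compile(r"\.(?:call|send|transfer|delegatecall)\b")
# Assignment operators; the plain "=" must not be the tail of >=, <=, != or ==.
WRITE_OPS = r"(?:\+=|-=|\*=|\+\+|--|(?<![<>!=])=(?!=))"


def _function_spans(src: str) -> List[Tuple[str, int, int]]:
    """Return (name, body_start, body_end) for each function, found by brace matching."""
    spans = []
    for m in re.finditer(r"function\s+([A-Za-z_]\w*)\s*\(", src):
        open_idx = src.find("{", m.end())
        if open_idx == -1:
            continue
        depth, i = 0, open_idx
        while i < len(src):
            if src[i] == "{":
                depth += 1
            elif src[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        spans.append((m.group(1), open_idx + 1, i))
    return spans


def contract_state_vars(src: str) -> List[str]:
    """Names of storage variables declared at contract level (function bodies are blanked out first)."""
    stripped = src
    for _, start, end in _function_spans(src):
        # Same-length replacement keeps every offset stable.
        stripped = stripped[:start] + " " * (end - start) + stripped[end:]
    decl = re.compile(
        r"^\s*(?:mapping\s*\(.*?\)|[A-Za-z_]\w*(?:\[\])?)\s+"
        r"(?:(?:public|private|internal|constant)\s+)*([A-Za-z_]\w*)\s*(?:=[^;]*)?;",
        re.M,
    )
    return [m.group(1) for m in decl.finditer(stripped)]


def find_call_before_write(src: str) -> List[Dict[str, str]]:
    """Report each function in which an external call precedes a write to a storage variable."""
    state_vars = contract_state_vars(src)
    if not state_vars:
        return []
    write_re = re.compile(
        r"\b(" + "|".join(map(re.escape, state_vars)) + r")\b(?:\[[^\]]*\])*\s*" + WRITE_OPS
    )
    findings = []
    for name, start, end in _function_spans(src):
        # Statements in source order; the closing brace is outside [start, end).
        statements = [s.strip() for s in src[start:end].split(";") if s.strip()]
        call_at = None
        for idx, stmt in enumerate(statements):
            if call_at is None and EXTERNAL_CALL.search(stmt):
                call_at = idx
            elif call_at is not None and write_re.search(stmt):
                findings.append({"function": name, "call": statements[call_at], "write": stmt})
                break
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("fixed", FIXED_SRC)):
        print(label, find_call_before_write(src))
```

Running the module flags `withdraw` in the first contract and reports nothing for the second. A check this simple has obvious blind spots (calls and writes split across helper functions, writes hidden behind modifiers), which is exactly why the article pairs automated scanning with a bounty for human reviewers.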
The Audit Process
Quantstamp prides itself on the unique mix it brings to the validation of smart contracts. Let's take a quick look at how it works.
A developer who wants to deploy a smart contract submits it to the Quantstamp network. Depending on what the developer needs, they decide how much bounty to offer for auditing. The higher the reward, the more likely other developers are to manually scrutinize the code. At the end of the audit, a report is produced that grades the smart contract's vulnerabilities on a scale from 1 for minor issues up to 10 for major vulnerabilities.