Is Quantstamp gonna save the ICO world?

If you have been in the crypto community for a while already you will know that crypto is the new wild west and big “bank heists” are all too common. Probably the most interesting targets for malicious actors are ICOs. Most companies doing an ICO run on very limited seed funding and have small teams. Those teams lack the resources to protect themselves against attackers.

To illustrate that this is a real issue, remember the loss that occurred when Enigma Catalyst got hacked. Even worse is when a whole crowdsale wallet gets hacked, which is what happened to CoinDASH. One tiny mistake can cost millions in this space. During the Parity hack not only were millions stolen, the news about it also caused a small crash in the whole Ethereum market. Remember the DAO fiasco? That code was reviewed by Vitalik himself.

The point I want to illustrate here: even senior developers like the Ethereum founders can make mistakes that are easily overlooked and have a big impact.

So how can we fix these issues?

If you believe in the power of Ethereum, smart contracts and crypto in general, just leaving this technology behind because it’s not safe enough simply is not an option. We have to admit and be aware that all software is written by humans and humans make mistakes. What we need to do is try to find those mistakes as early as possible. This starts with writing automated tests and doing code reviews. But there are a few other steps one can take to make sure your smart contract is secure:

Automated auditing / formal verification

There are whole blockchains being built that sell formal verification — a kind of automated analysis of code — as a big feature. Check out Tezos for that matter; it’s one of their main selling points.

Bounty campaigns

Many companies, ICOs or not, run bounty campaigns so that hackers get paid for their discoveries without hurting the companies. In a traditional setting a hacker who discovers a vulnerability can choose to do the morally right thing and report the issue without making it publicly available. However, in many instances that results in hackers not getting paid, which incentivises future hackers to not report vulnerabilities and exploit them instead.

Manual code reviews

This is a great idea for any smart contract. There are a few well-known names in this field, for example ConsenSys. Having such a review can give users a level of trust and works as a quality certificate.

Say hello to Quantstamp

If you think there are good aspects of all of the above mentioned strategies, Quantstamp has an impressive proposal to make.

Automated Testing

The Quantstamp auditing network enables a wide range of participants to run their automated code review. Traditionally one would have to negotiate multiple contracts with multiple parties, creating a big overhead and unnecessary cost. Through the Quantstamp network one can basically crowdsource the analysis part to many parties without any overhead. Decentralisation improving efficiency? Sweet!

Bounty campaigns

With Quantstamp, bounty campaigns can go trustless. The Quantstamp network can ensure that hackers and professional code reviewers actually get paid for the vulnerabilities they report. This is a huge aspect in my eyes and illustrates one of the beauties of crypto: encouraging behaviour that benefits the masses instead of the traditional way, where few profit and many get burned.

Manual code reviews

This goes hand in hand with what was already mentioned about bounty campaigns. Quantstamp wants to make it easy to broadcast your review needs to many parties, which do their analysis on their terms. The end result will be a more thorough, more efficient and almost certainly cheaper way of auditing your smart contracts.

Quantstamp targets all of the discussed aspects: Contributors can supply their software for automated verification and earn QSP in exchange, so in a way they can license their software through the Quantstamp network. The manual reviews are done by so-called Bug Finders (that’s the name given in the Quantstamp whitepaper). What’s left to have a functioning network are the Validators, who actually validate contracts with the software supplied by the Contributors. All those parties get paid by the Contract Creator to validate their contract.

So much for the conceptual aspect of smart contract auditing. In the second part I want to investigate whether Quantstamp will be able to pull off what they promised.

The Team

Doing some quick research on the current team, I think it is quite small for such an impressive project. This might not be a negative point though, considering each of them seems to have a highly specialised background in their domain.

It is a very good sign that this team has executed a high-profile code review of Request Network. Request is running what is probably the best-executed ICO as of now. That they chose Quantstamp as their partner is not a coincidence, and if the ICO goes well it will be a great reference for future partners.

Advisors

I think the advisors of Quantstamp are a very valuable addition to the project. It has been shown that the right advisors not only help to create a lot of hype, but that teams equipped with the right advisors have a better chance of executing. Evan Cheng, Director of Engineering at Facebook, is just one of them, and you can find his name on other well-executed projects like Cindicator.

The Roadmap

With their upcoming ICO they will be well funded to execute on their vision. I would categorise their roadmap as ambitious but doable. So far everything I’ve seen by them looks well thought out.

Conclusion

I have yet to stumble upon negative aspects of this project, but the most important milestone coming up will definitely be their ICO. Many teams have struggled to execute well on one or the other aspect of an ICO, but if they manage to pull it off as smoothly as Kyber, Request Network or Cindicator, I see a very positive future for this project.

Check out their whitepaper yourself.