Quantstamp: Secure Smart Contracts

Quality Assurance in Software Development

Software development relies on quality assurance to ensure that it delivers the automation of one or more intended business activities, but also to ensure that it does not inadvertently malfunction. The latter, if not identified early on, can have far-reaching financial and reputational repercussions for a business.

The financial cost of a software bug grows with how late it is discovered, i.e. the earlier a bug is found, the cheaper it is to fix.

The Systems Sciences Institute at IBM has reported that

“the cost to fix an error found after product release was four to five times as much as one uncovered during design, and up to 100 times more than one identified in the maintenance phase.”

Gaps in Automating Quality Assurance

To address this issue, companies raise modern-day coding standards to a far higher quality through cutting-edge TDD (Test Driven Development) frameworks. By and large these can be automated and mostly cover functional assurances: critical use cases, happy-path use cases, boundary use cases and exception use cases.

However, the equally pertinent non-functional aspects (whether the n-tier architecture is performant, whether it is maintainable and scalable, whether memory is well managed, whether a set of coding standards is followed, etc.) are left to human validation and are not automated to the degree that the functional elements can be.

Quality Assurance on Smart Contracts

Smart Contracts on the Ethereum blockchain, although secure, are not immune to the issues that follow from a lack of quality assurance. With a huge increase in the number of ICOs coming to market each month and an ever-increasing interest in and appetite for investment from individuals and institutions alike, prioritising the quality of Smart Contracts is essential.

Over the last few years the blockchain space has developed talent to audit Smart Contract code, but most of that auditing is:

a. Manual: increasing risk of human error

b. Slow: humans are not computers!

c. Non-standard: each auditor applies their own standard

d. Expensive: auditing a simple smart contract can cost upwards of $15k-$20k

e. Centralised: there is no consensus mechanism

f. Absence or lack of proof: most companies do not publish internal findings of the audit

g. Unscrupulous: a leaked audit or unreported vulnerabilities can be exploited if they fall into the wrong hands

h. Lack of incentive: the proof and consensus issues referenced above work together; it is their combination that incentivizes participants to report rather than exploit vulnerabilities, and today both are missing

First Steps to Automated Auditing on Smart Contracts

Quantstamp presents itself as the first smart contract security-auditing protocol, addressing the shortcomings above by automating the auditing process and thus ensuring a secure Smart Contract with few or no vulnerabilities.

At the core of Quantstamp is the Quantstamp Protocol that provides a framework to audit Smart Contracts on the Ethereum network. The Protocol will deliver the following:

a. An algorithm-based automated software verification system that will validate the Solidity code of the Smart Contract

b. An automated bounty mechanism that rewards human participants. This is a stopgap arrangement until full automation is achieved.

How it works

A Smart Contract can be submitted for audit directly from your wallet: the source code goes in the transaction's data field and the QSP tokens are sent as part of the same transfer. A custom bounty amount can be set based on the level of assurance required. On the next Ethereum block confirmation the Quantstamp Smart Contract receives the request and sends it to the blockchain nodes for validation. Once the transaction is verified, meaning the Smart Contract has undergone consensus and audit proof, a data report is added to the next Ethereum block.

The report classifies findings according to Quantstamp's severity definitions; if no serious vulnerabilities have been found, the bounty remains intact and is returned to the developer once a set period has elapsed. Reports can be public or private, the latter being encrypted so that only the Smart Contract owner can decrypt it. A web portal, qsscan.io, is made available where reports can be viewed by both the owner and the public.

The Quantstamp security audit requires high computational power, hence the combined resources of the participant nodes provide the memory and processing power needed to validate a Smart Contract, whilst also providing proof of audit and consensus.
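To make the flow described in the three paragraphs above concrete, here is a small Python model of the audit request lifecycle: a request with an escrowed bounty, a report filed after node consensus, the bounty returned to the owner only when no serious finding exists and the hold period has elapsed, and public versus owner-only report access. It is an added illustration, not code from Quantstamp or from the original article. The severity scale, the HIGH threshold for "serious", the block-based hold period, the routing of a forfeited bounty to the reporting participants, and the access check that stands in for the owner-keyed encryption of private reports are all assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class Severity(IntEnum):
    """Assumed severity scale; the article only says reports use
    Quantstamp's own severity definitions."""
    INFO = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# Assumption: HIGH and above count as "serious" for the bounty decision.
SERIOUS_THRESHOLD = Severity.HIGH


@dataclass(frozen=True)
class Finding:
    title: str
    severity: Severity


@dataclass
class AuditRequest:
    owner: str            # submitting wallet address (constructed value)
    source: str           # Solidity source carried in the tx data field
    bounty_qsp: int       # QSP escrowed alongside the request
    hold_blocks: int      # blocks the bounty stays escrowed after the report
    public: bool = True   # public report, or private (owner-only)


@dataclass
class AuditReport:
    request: AuditRequest
    findings: List[Finding]
    report_block: int     # block in which the report was recorded
    bounty_settled: bool = False


def has_serious_finding(findings: List[Finding]) -> bool:
    """True if any finding is at or above the assumed 'serious' threshold."""
    return any(f.severity >= SERIOUS_THRESHOLD for f in findings)


def file_report(req: AuditRequest, findings: List[Finding], block: int) -> AuditReport:
    """The nodes have reached consensus on the findings; record them at `block`."""
    return AuditReport(request=req, findings=list(findings), report_block=block)


def settle_bounty(report: AuditReport, block: int) -> Tuple[int, int]:
    """Settle the escrowed bounty at `block`.

    Returns (qsp_to_owner, qsp_to_reporters). Nothing moves before the hold
    period has elapsed; afterwards the whole bounty goes back to the owner if
    no serious finding exists, otherwise (assumption) to the participants who
    reported. Settlement happens at most once."""
    if report.bounty_settled:
        return (0, 0)
    if block < report.report_block + report.request.hold_blocks:
        return (0, 0)
    report.bounty_settled = True
    if has_serious_finding(report.findings):
        return (0, report.request.bounty_qsp)
    return (report.request.bounty_qsp, 0)


def view_report(report: AuditReport, viewer: str) -> Optional[List[Finding]]:
    """Public reports are readable by anyone; private ones only by the owner.
    This access check stands in for the owner-keyed encryption of private
    reports that the text describes."""
    if report.request.public or viewer == report.request.owner:
        return report.findings
    return None


if __name__ == "__main__":
    # Constructed sample: a clean public audit and a private one with a serious finding.
    clean = file_report(
        AuditRequest("0xowner", "contract Demo {}", bounty_qsp=500, hold_blocks=10),
        [Finding("example low-severity finding", Severity.LOW)],
        block=100,
    )
    print(settle_bounty(clean, 105))   # too early: (0, 0)
    print(settle_bounty(clean, 110))   # hold elapsed, nothing serious: (500, 0)
    flagged = file_report(
        AuditRequest("0xowner", "contract Demo2 {}", 500, 10, public=False),
        [Finding("example high-severity finding", Severity.HIGH)],
        block=200,
    )
    print(settle_bounty(flagged, 210)) # serious finding: (0, 500)
    print(view_report(flagged, "0xsomeone"), view_report(flagged, "0xowner"))
```

The model keeps the two decisions the article separates, time (the hold period) and outcome (serious or not), as independent checks, so a bounty can never be released early even for a clean report, and every QSP unit is accounted for exactly once.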

Opinion

Quantstamp is a first mover in the space of automated verification and auditing of smart contracts. With this significant advantage and an A-Team working on the project they hope to become the go-to for all smart contracts being released on the Ethereum blockchain.

Quantstamp has a clear technical roadmap in place that shows progressive and incremental development of the platform over the next few quarters. They count Request Network as a client for whom they performed a semi-automated audit, and by November 2017 they plan a third semi-automated audit. Additionally, they have a busy calendar throughout 2018, chipping away at bringing their product to the mainnet in August 2018.

As with any software, automated verification still relies on written code to verify the code in question. Quantstamp does not guarantee foolproof verification, and that is sensible as a starting point: as with any software, with multiple iterations and feedback from previous build and release cycles, the verification code and protocol can only become more robust and its automation coverage broader. However, it is worth asking: who will audit the auditor?

In conclusion, all participants within the blockchain ecosystem that have any use for Smart Contracts can only benefit from Quantstamp as it helps bring governance, standards and automation whilst reducing the probability of vulnerabilities.

If Quantstamp becomes the gold standard adopted on Ethereum for automated verification of Smart Contracts, it will assume a notional moral responsibility towards the participants of the Ethereum blockchain for the millions vested, but it will also help alleviate concerns about non-standard code and unscrupulous or incompetent personnel, and improve confidence in the overall ecosystem.

Team

Richard Ma — Co-founder & CTO

Steven Stewart — Co-founder & CTO

Edward Zulkoski — Senior Security Engineer

Vajih Montaghami — Senior Security Engineer

Prit Sheth — Lead Backend Engineer

Anna Kao — Graphics and UX Designer

Krishna Sriram — Community Manager/PR

Documentation

Abstract | Whitepaper | Token Sale Policy | SEN Howey Test

Social Media

Twitter | LinkedIn | YouTube | Facebook | Telegram | Github

Press

https://themerkle.com/what-is-quantstamp/

https://cointelegraph.com/press-releases/blockchain-heavyweights-david-drake-and-min-kim-join-quantstamp-advisory-board

Token Details

Symbol: QSP

Platform: Ethereum

Token Type: Ethereum ERC20

Accepted Purchase Method: ETH

Contribution Cap: $30m

Total Supply: 1 billion QSP

Purchase Price: 0.0001 ETH

Registered participants + KYC/AML: Yes

100% contributions go towards developing the Quantstamp protocol. Any unsold tokens will be burnt and the team has a vesting period of 3 years.

Pre-Sale

QSP Tokens are intended to be sold at the following rates:

● Week 1: 10,000 QSP tokens for 1 ETH

● Week 2: 9,000 QSP tokens for 1 ETH

● Week 3: 8,000 QSP tokens for 1 ETH

● Week 4: 7,000 QSP tokens for 1 ETH

Starting on Friday Sep 29th @ 6:00PM PST and ending on Oct 29th or when sold out, whichever comes first (the ending date is subject to change).

● The pre-sale contribution cap is: $3 million USD

● Unsold tokens in the pre-sale are rolled into the Public Sale

Public Sale

QSP Tokens are intended to be sold at the following rate:

● 5,000 QSP tokens for 1 ETH

● Individual purchasing limits will apply to the public sale.

Disclaimer:

(a) This article is not meant to be a technical or business evaluation of Quantstamp. The author only intends to identify and elaborate on the value proposition of the business within the blockchain ecosystem.

(b) This is not investment or trading advice, always do your own independent research

If you like the article then please help support the publication with ETH contributions to 0xD22fEDc0881D0a07Db84cEd6Ea0345BeE6f6627e