Friday, October 20, 2017

Quantstamp - Security for the crypto revolution

Quantstamp is a new company that aims to provide a service to secure smart-contracts on the Ethereum network. As a security professional I thought that this is something I ought to actually look into. So I've decided to try and really understand the problem space, and their proposed solution for myself. Here's what I came up with:

The Crypto Revolution

If you're following the news, it's obviously that we're in the midst of the "Crypto Revolution".
It seems that everyday a new idea is put forth in the form of "A new and better {insert well-known concept}, on the block-chain!". Especially since the introduction and wide adoptions of Ethereum which allows turing-complete smart-contracts running transparently on the block chain, it seems like the sky is the limit.

While there is definitely a lot of hype, it's clear that many of these ideas can actually benefit from being decentralized, controlled by the "market" and have a public ledger. For example: currency exchanges, betting, prediction markets, voting, and even banking. All these domains have well-known solutions with equally well-known pain points. Moving these ideas to "the block-chain" can solve some of these pain points, increasing efficiency, and reducing cost and the risks of single point of failure/trust.

This spark of innovation and ideas remind me of the good ol' days of the 90s when the Internet started to bloom. Then, just like now, dot com ideas were thrown left and right. Most failed, some succeeded and a few even survived and evolved til this day.

So it's probably safe to assume that most of today's block-chain ideas will also fail, some will go the way of MySpace and AltaVista, and a select few will become the Facebooks and Googles.


Those good old days of the 90's internet were woefully insecure. It was really the wild west back then, mostly because people didn't understand and appreciate the need for security. Systems and networks were wide open. My favorite piece of security nostalgia is the so called "Ping of Death". Back then you could literally knock a computer off the the network (causing a BSOD on windows machines) by simply sending one malformed ICMP packet. Fun times...

Security followed slowly very much after the success and innovation of the web. It took many years and hacks for people to realize the importance of security in and of itself.

The IT security industry, which I am a part of, evolved to solve these problems. Beyond defensive measures such as firewalls and anti-virus software, proactive security audits are done. These come in two flavors:
  1. Automated testing. Essentially, a large set of automated tests are run on the audited system in search of known problems. The ever-growing collections of tests catch many of the commonly-made mistakes, and are increasing in ability and sophistication as time goes by. They are cheap to run, but they don't catch everything.
  2. Manual testing. After automated testing catches the majority of flaws, good security requires a professional human to look for application specific vulnerabilities in the system. It is often the case that the really severe holes are hard to find and are due to an unfortunate (mis-)alignment of several diffident components in the system. Much more expensive, but gives a much higher guarantee level.

Quantstamp Value Proposition
This is why, as a security professional, I've been very excited to follow the Quantstamp project. There's hope that we might not repeat the same mistake of disregarding security we did with the dot-com, in the crypto revolution that is upon us.

The project, rather than just being yet another customer facing service "but on the block-chain", is providing a service to other companies and projects. And that service is security.

Writing smart-contracts is not easy.  For one, it's a new ability. You can't hire someone with "5 years minimum experience" in it. They are written in a new programming language (Solidity), but more importantly they require a new frame of mind: Smart contracts, once deployed, are autonomous entities which even their creator cannot modify or stop. It's a very different game then classic, client-server, centralized applications.

Quantstamp wants to bridge this gap by providing a smart-contract security audit service. And yes, they too are on the block-chain, but for good reason. After some due-diligence (and actually reading their white-paper) here's what I came to understand as their basic value propositions, and the unique benefits of deploying their solution as a block-chain system.

  1.  Incentivizing the creation of an ever-growing collection of automated test suitesThe Quantstamp network will invite security professionals to add tests for new kinds of bugs with smart contracts. The writers are incentivized with a monetary compensation in the form QSP tokens.

    This is similar to classic-world auditing software like Acunetix, Nessus, and others. However, unlike  classic tools, all these test suites are by design open source. This means that the actual accumulated knowledge of the various security problems and their solutions is not controlled or monetized by anyone, but rather is openly available to everyone and is always increasing.

  2.  Providing a platform for the execution of these tests on customer contractsA customer can pay for these tests to be run on their contracts. Additionally, the test results can either be view-able only by the customer, or publicly available.

    Why would someone pay someone to run the tests if they are freely available? The claim is that the running the tests are computationally intensive. A customer might decide that it is more cost effective to allow a dedicated validator to run the tests on their behalf. But the main reason, IMO, is  public proof of security. In a classic system, you have to take the companies word for taking all appropriate security measures to ensure their systems are safe. With Quantstamp, if the test results are made public, anyone can verify that the system was indeed tested, and has no known vulnerabilities. If they trust Quantstamp, they can trust the customer's system too.

    My guess is that a normal work flow would be to first run a private audit, either locally of by using the network. Then, after fixing all the discovered vulnerabilities, paying for a public audit (with known results) just to be able to prove to the world that the system is secure.

    The Quantstamp block chain incentivizes people that run validator nodes (that run the test code) using the QSP tokens.

  3. Provides a platform for manual audits via a global bug-bounty programAs I wrote above, IMO automatic testing is great, but isn't always enough. Quantstamp provides a bug-bounty service too. The idea is that a customer of their service can, on top of the automatic testing, pay a bounty for anyone finding bugs that were missed by the automatic process. The bounty reward (payed in QSP tokens) are held in escrow on the block chain for a predefined amount of time and are payed to researchers reporting the bugs, or returned to the customer after the allotted amount of time has elapsed.

    This solves some classic-world problems: Bugs that are reported cannot be withheld from the public. Bounty payment cannot be withheld or negotiated after the fact. etc.

    But "going block-chain" actually provides some interesting new properties that are hard to achieve in a classic system: The mere fact that a bug bounty was offered is a good indication of the security of the system. The bounty sum and length of time it was offered, together with the bugs found (or not found) is public knowledge. This can give a very strong sense of security provided if for example, a high bounty was offered for a reasonable amount of time, and no bugs found. This is valuable as, in a classic system, proving professionals looked for problems and didn't find them is not easy.

    The Quantstamp block chain incentivizes security professionals to actually look for, and report, security problems in exchange of the bounty. The prices of the bounty will be determined by market values.

  4. Provides a decentralized mechanism for the community to self-govern itself
    For this eco-system to function, many decisions will have to be made. Quantstamp provides a governance system in which QSP token holders can vote on such issues further reducing and decentralizing the influence of the founding team.


After diving deeper into the Quantstamp proposal I'm very excited about it's potential. As with many projects in the crypto world these days, at this stage there are more future plans than actions taken. But this is to be expected, as they are now in an ICO investment round.

However, after taking the time to read and think about it, I can say that I actually understand the idea ( which is not an obvious thing with many projects out there), and that I see
the need and the growth potential in it.

I wish the team a lot of luck and hope it comes the project comes to full fruition. I will be following it closely.