Friday, October 20, 2017

Quantstamp - Security for the crypto revolution

Quantstamp is a new company that aims to provide a service to secure smart-contracts on the Ethereum network. As a security professional I thought that this is something I ought to actually look into. So I've decided to try and really understand the problem space, and their proposed solution for myself. Here's what I came up with:

The Crypto Revolution

If you're following the news, it's obviously that we're in the midst of the "Crypto Revolution".
It seems that everyday a new idea is put forth in the form of "A new and better {insert well-known concept}, on the block-chain!". Especially since the introduction and wide adoptions of Ethereum which allows turing-complete smart-contracts running transparently on the block chain, it seems like the sky is the limit.

While there is definitely a lot of hype, it's clear that many of these ideas can actually benefit from being decentralized, controlled by the "market" and have a public ledger. For example: currency exchanges, betting, prediction markets, voting, and even banking. All these domains have well-known solutions with equally well-known pain points. Moving these ideas to "the block-chain" can solve some of these pain points, increasing efficiency, and reducing cost and the risks of single point of failure/trust.

This spark of innovation and ideas remind me of the good ol' days of the 90s when the Internet started to bloom. Then, just like now, dot com ideas were thrown left and right. Most failed, some succeeded and a few even survived and evolved til this day.

So it's probably safe to assume that most of today's block-chain ideas will also fail, some will go the way of MySpace and AltaVista, and a select few will become the Facebooks and Googles.


Those good old days of the 90's internet were woefully insecure. It was really the wild west back then, mostly because people didn't understand and appreciate the need for security. Systems and networks were wide open. My favorite piece of security nostalgia is the so called "Ping of Death". Back then you could literally knock a computer off the the network (causing a BSOD on windows machines) by simply sending one malformed ICMP packet. Fun times...

Security followed slowly very much after the success and innovation of the web. It took many years and hacks for people to realize the importance of security in and of itself.

The IT security industry, which I am a part of, evolved to solve these problems. Beyond defensive measures such as firewalls and anti-virus software, proactive security audits are done. These come in two flavors:
  1. Automated testing. Essentially, a large set of automated tests are run on the audited system in search of known problems. The ever-growing collections of tests catch many of the commonly-made mistakes, and are increasing in ability and sophistication as time goes by. They are cheap to run, but they don't catch everything.
  2. Manual testing. After automated testing catches the majority of flaws, good security requires a professional human to look for application specific vulnerabilities in the system. It is often the case that the really severe holes are hard to find and are due to an unfortunate (mis-)alignment of several diffident components in the system. Much more expensive, but gives a much higher guarantee level.

Quantstamp Value Proposition
This is why, as a security professional, I've been very excited to follow the Quantstamp project. There's hope that we might not repeat the same mistake of disregarding security we did with the dot-com, in the crypto revolution that is upon us.

The project, rather than just being yet another customer facing service "but on the block-chain", is providing a service to other companies and projects. And that service is security.

Writing smart-contracts is not easy.  For one, it's a new ability. You can't hire someone with "5 years minimum experience" in it. They are written in a new programming language (Solidity), but more importantly they require a new frame of mind: Smart contracts, once deployed, are autonomous entities which even their creator cannot modify or stop. It's a very different game then classic, client-server, centralized applications.

Quantstamp wants to bridge this gap by providing a smart-contract security audit service. And yes, they too are on the block-chain, but for good reason. After some due-diligence (and actually reading their white-paper) here's what I came to understand as their basic value propositions, and the unique benefits of deploying their solution as a block-chain system.

  1.  Incentivizing the creation of an ever-growing collection of automated test suitesThe Quantstamp network will invite security professionals to add tests for new kinds of bugs with smart contracts. The writers are incentivized with a monetary compensation in the form QSP tokens.

    This is similar to classic-world auditing software like Acunetix, Nessus, and others. However, unlike  classic tools, all these test suites are by design open source. This means that the actual accumulated knowledge of the various security problems and their solutions is not controlled or monetized by anyone, but rather is openly available to everyone and is always increasing.

  2.  Providing a platform for the execution of these tests on customer contractsA customer can pay for these tests to be run on their contracts. Additionally, the test results can either be view-able only by the customer, or publicly available.

    Why would someone pay someone to run the tests if they are freely available? The claim is that the running the tests are computationally intensive. A customer might decide that it is more cost effective to allow a dedicated validator to run the tests on their behalf. But the main reason, IMO, is  public proof of security. In a classic system, you have to take the companies word for taking all appropriate security measures to ensure their systems are safe. With Quantstamp, if the test results are made public, anyone can verify that the system was indeed tested, and has no known vulnerabilities. If they trust Quantstamp, they can trust the customer's system too.

    My guess is that a normal work flow would be to first run a private audit, either locally of by using the network. Then, after fixing all the discovered vulnerabilities, paying for a public audit (with known results) just to be able to prove to the world that the system is secure.

    The Quantstamp block chain incentivizes people that run validator nodes (that run the test code) using the QSP tokens.

  3. Provides a platform for manual audits via a global bug-bounty programAs I wrote above, IMO automatic testing is great, but isn't always enough. Quantstamp provides a bug-bounty service too. The idea is that a customer of their service can, on top of the automatic testing, pay a bounty for anyone finding bugs that were missed by the automatic process. The bounty reward (payed in QSP tokens) are held in escrow on the block chain for a predefined amount of time and are payed to researchers reporting the bugs, or returned to the customer after the allotted amount of time has elapsed.

    This solves some classic-world problems: Bugs that are reported cannot be withheld from the public. Bounty payment cannot be withheld or negotiated after the fact. etc.

    But "going block-chain" actually provides some interesting new properties that are hard to achieve in a classic system: The mere fact that a bug bounty was offered is a good indication of the security of the system. The bounty sum and length of time it was offered, together with the bugs found (or not found) is public knowledge. This can give a very strong sense of security provided if for example, a high bounty was offered for a reasonable amount of time, and no bugs found. This is valuable as, in a classic system, proving professionals looked for problems and didn't find them is not easy.

    The Quantstamp block chain incentivizes security professionals to actually look for, and report, security problems in exchange of the bounty. The prices of the bounty will be determined by market values.

  4. Provides a decentralized mechanism for the community to self-govern itself
    For this eco-system to function, many decisions will have to be made. Quantstamp provides a governance system in which QSP token holders can vote on such issues further reducing and decentralizing the influence of the founding team.


After diving deeper into the Quantstamp proposal I'm very excited about it's potential. As with many projects in the crypto world these days, at this stage there are more future plans than actions taken. But this is to be expected, as they are now in an ICO investment round.

However, after taking the time to read and think about it, I can say that I actually understand the idea ( which is not an obvious thing with many projects out there), and that I see
the need and the growth potential in it.

I wish the team a lot of luck and hope it comes the project comes to full fruition. I will be following it closely.


  1. I've been trying luck on a bitcoin market and.. well.. even though I've had some profit, due to inflation the resultant sum was equal to the one I'd have if just put money on account and never touched them. lol
    Do you have any articles for me? Or some essay on best sites maybe?

  2. عزيز العميل هناك العديد من المشاكل التى تواجه كل بيت سعودى وبالاخص فى مدينة ابها ومن اخطر هذه المشاكل كثرة الحشرات والقوراض بالمنزل مما يجعلها تشكل خطر كبير على الاسرة والصحة العمامة لما تنقله الحشرات من امراض وايضا تقوم بتخريب المنزل وقد تؤدى الى انهيارة مثل النمل الابيض لذالك توفر شركتن افضل فريق متخصص فى ابادة الحشرات والقوارض بافضل المبيدات الامنة تمام على الاطفال وبالضمان ، ايضا من اكثر المشالك انتشار وتشكل خطر بعد الحشرات هى عدم تنظيف المنزل بشكل دورى وبالاخص المفروشات مثل المجالس والكنب والموكيت والسجاد لما تتعرض له من اتربة متاركمة عليها وهنا ياتى دور شركتنا كافضل شركة تنظيف منازل وفلل وقصور ومجالس وموكيت بالبخار وبافضل السوائل المنظفة والمعطرة والتى تعطى منظر ورائحة منعشة للمنزل نحن الافضل بدون منافس كما ان اسعارنا تتناسب مع الجميع لطلب احدى خدمات شركتنا يرجى التوجه الى الموقع الرسمى من خلال الروابط الموضحة بالاسفل شركة مكافحة حشرات بابها
    شركة رش مبيدات بابها
    شركة تنظيف بابها
    شركة تنظيف فلل بابها
    شركة تنظيف شقق بابها
    شركة تنظيف مجالس بابها

  3. Thanks a lot for sharing us about this update. Hope you will not get tired on making posts as informative as this شركة نقل عفش بالدمام
    شركة نقل اثاث بالدمام
    This is really the sort of data I have been attempting to discover. Much obliged to you for composing this data. ارخص شركة نقل اثاث بالدمام
    شركة نقل اثاث بالجبيل

  4. I have read a few of the articles on your website now, and I really like your style of blogging. I added it to my favorites blog site list and will be checking back soon. Please check out my site as well and let me know what you think شركة نقل اثاث بالقطيف
    شركة نقل عفش بالجبيل
    I really enjoyed reading this post, big fan. Keep up the good work andplease tell me when can you publish more articles or where can I read more on the subject? شركة نقل عفش بالقطيف
    شركة نقل عفش بالخبر

  5. All the contents you mentioned in post is too good and can be very useful. I will keep it in mind, thanks for sharing the information keep updating, looking forward for more posts.Thanks شركة تنظيف خزانات بالمدينة المنورة
    شركة غسيل خزانات بالمدينة المنورة
    Your blog provided us with valuable information to work with. Each & every tips of your post are awesome. Thanks a lot for sharing. Keep blogging. شركة غسيل خزانات بالمدينة
    شركة تنظيف خزانات بالمدينة

  6. You have done a great job. I will definitely dig it and personally recommend to my friends. I am confident they will be benefited from this site شركة تنظيف بالدمام
    شركة تنظيف بالخبر
    I would like to thank you for the efforts you have made in writing this article. I am hoping the same best work from you in the future as well. In fact your creative writing abilities has inspired me to start my own BlogEngine blog now. Really the blogging is spreading its wings rapidly. Your write up is a fine example of it شركة تنظيف بالجبيل
    شركة تنظيف بالقطيف

  7. Hey – great blog, just looking around some blogs, seems a really nice platform you are using. I’m currently using WordPress for a few of my blogs but looking to change one of them over to a platform similar to yours as a trial run. Anything in particular you would recommend about it? شركة تنظيف منازل بالدمام
    شركة تنظيف شقق بالدمام
    Pretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Any way I’ll be subscribing to your feed and I hope you post again soon. شركة تنظيف منازل بالخبر
    شركة تنظيف منازل بالقطيف

  8. hank you so much for this very usefull information. It's just a very effectively written article. It will likely be useful to anyone who makes use of it شركة تنظيف خزانات بالقطيف
    شركة تنظيف خزانات بالدمام
    I was very pleased to find this site.I wanted to thank you for this great read!! I definitely enjoying every little bit of it and I have you bookmarked to check out new stuff you post شركة تنظيف خزانات بالخبر
    شركة تنظيف خزانات بالجبيل

  9. Thanks a lot for sharing us about this update. Hope you will not get tired on making posts as informative as this شركة مكافحة الحشرات بالدمام
    شركة مكافحة الحشرات بالخبر
    This is really the sort of data I have been attempting to discover. Much obliged to you for composing this data. شركة مكافحة الحشرات بالقطيف
    شركة مكافحة النمل الابيض بالدمام
    شركة مكافحة الحشرات بالجبيل

  10. Its my great pleasure to visit your blog and to enjoy your great posts here. I like it a lot. I can feel that you paid much attention for those articles, as all of them make sense and are very useful شركة مكافحة الفئران بالقطيف
    شركة مكافحة النمل الابيض بالقطيف
    I really appreciate the kind of topics you post here. Thanks for sharing us a great information that is actually helpful شركة مكافحة البق بالقطيف
    شركة مكافحة البق بالدمام
    شركة مكافحة الفئران بالخبر

  11. After exploring a handful of the blog articles on your web site, I really like your technique of blogging. I added it to my bookmark webpage list and will be checking back in the near future شركه تنظيف بالدمام
    شركه تنظيف بالخبر
    شركة تنظيف كنب بالدمام

  12. This is very informatics, fresh and clear. I feel that everything has been portrayed in methodical way with the goal that peruser could get greatest data and realize numerous things شركة تنظيف كنب بالخبر
    شركه نظافه بالخبر
    شركه نظافه بالدمام

  13. I have perused your article, it is exceptionally instructive and accommodating for me.I respect the important data you offer in your articles شركة تنظيف منازل بالدمام
    شركة تنظيف شقق بالدمام
    I actually checked right up your website considering Concerning listened to a great deal of pertaining to a person's discussions. Grateful to talk about, a gossip very well; you will be okay around this شركة مكافحة الحشرات بالدمام
    شركة مكافحة الحشرات بالخبر

  14. I might want to thank you for the endeavors you have made in composing this article. I am trusting the same best work from you later on also غسيل خزانات بالدمام
    شركه غسيل خزانات بالخبر
    I admire what you have done here. I like the part where you say you are doing this to give back but I would assume by all the comments that this is working for you as well. تنظيف خزانات بالدمام
    تنظيف خزانات بالخبر
    غسيل خزانات بالخبر

  15. Its my great pleasure to visit your blog and to enjoy your great posts here. I like it a lot. I can feel that you paid much attention for those articles, as all of them make sense and are very useful شركة تنظيف مكيفات بالدمام
    تنظيف مكيفات بالدمام
    I really appreciate the kind of topics you post here. Thanks for sharing us a great information that is actually helpful شركة تنظيف مكيفات بالجبيل
    شركة تنظيف مكيفات بالقطيف
    شركة تنظيف مكيفات بالخبر

  16. This is the right blog for anyone who wants to find out about this topic. You realize so much its almost hard to argue with you (not that I actually would want…HaHa). You definitely put a new spin on a topic thats been written about for years. شركة كشف تسربات المياه بالخبر
    شركة كشف تسربات المياه بالدمام
    Thanks for this great post, i find it very interesting and very well thought out and put together. I look forward to reading your work in the future شركة كشف تسربات المياه بالقطيف
    شركة كشف تسربات المياه بالجبيل

  17. All the contents you mentioned in post is too good and can be very useful. I will keep it in mind, thanks for sharing the information keep updating, looking forward for more posts.Thanks شركة تنظيف كنب بالدمام
    شركة غسيل كنب بالدمام
    Your blog provided us with valuable information to work with. Each & every tips of your post are awesome. Thanks a lot for sharing. Keep blogging. شركة تنظيف كنب بالقطيف
    شركة تنظيف السجاد بالدمام
    شركة تنظيف السجاد بالقطيف

  18. Very uncommon to discover such a sublime blog, I feel fortunate perusing this.
    paypal hack

  19. They speak to another level of trade inside a media design that can possibly incite upset. Crypto currency

  20. I love visiting sites in my free time. I have visited many sites but did not find any site more efficient than yours. Thanks for the nudge! XMV coin forked from Monero


  21. نستخدم افضل ادوات تنظيف و غسيل الخزانات لاننا افضل شركة تنظيف خزانات بالمدينة المنورة و عمال مدروبون وحاصلون على شهادة صحية فقط اتصل بنا لتحصل على افضل خدمة تنظيف خزانات بالمدينة المنورة

  22. Credit or debit card transactions are instant, but you are charged a fee for using this privilege. In the Bitcoin transactions, the fees are usually low, and in some cases, it is free. crypto market

  23. There are many factors that can contribute to the problems that a property manager can have with his security guards including whom the security guard company is, laws and regulations regarding security guards, budgetary constraints, the security requirements at the property in question, security company sop manual

  24. The reason bitcoin works is that each exchange is communicated and recorded as a number over the whole framework (implying that each exchange is affirmed and made irreversible by the system itself). hottest new cryptocurrency