Security of Smart Contracts


With over 500 different ERC20 tokens now in circulation, these tokens have become a driving force on the Ethereum blockchain. But how secure are they? Are they a safe way of storing value? Are they exploitable by would-be hackers? These are the questions that one company is trying to answer. Quantstamp (QSP) is a company started by Richard Ma (a former developer at Tower Research) in the wake of the DAO hack, after he experienced the aftermath of that breach firsthand. The company had one goal: to offer assurance to companies and investors by auditing smart contracts for possible vulnerabilities and exploits.

The core concept of the company was first developed in April 2017, starting with research on feasibility and on identifying issues with the blockchain environment. Within 3 months the original co-founders of Quantstamp had gone from an idea/concept to a prototype and had begun a token presale to raise capital to fund further development. In the next 10 months, the team grew from the original founders to over 15 developers and produced a working version of their product. To us, this is one of Quantstamp's big upsides: they have a working product. Where most companies have a well-written whitepaper, a concept, or an idea still under development, this team has produced something that is already being used to provide security auditing to many customers and several large exchanges.

While the working product aspect is huge, where Quantstamp really stands alone is in how their security audits of ERC20 tokens work. They have developed an automated process that evaluates a client's smart contract. A user sends their smart contract, source code, and the required 25 QSP in a transaction. QSP validators perform the security check on the next Ethereum block, and a "Proof of Audit" is appended to the following Ethereum block once the validators have reached consensus. While they do have some competition in the security auditing market, no direct competitor currently offers a cheap, automated process for finding vulnerabilities in smart contracts.

We are very bullish on QSP for several reasons. First, they have a fully developed, revenue-generating product; they have been generating funds since the completion of their prototype, and community interest in their product/service is only growing. Their latest audit, for Binance, covered the exchange's listed ERC20 tokens to make sure that they would not be affected by the batchOverflow or proxyOverflow vulnerabilities. Binance is currently the world’s leading cryptocurrency exchange, and the QSP team was able to quickly and efficiently ensure that none of the listed ERC20 coins could be attacked. Along with doing ERC20 audits, the team has also stated that their platform could be “tweaked” to begin including EOS smart contracts, which would help widen their user base and decrease their dependence on the Ethereum network.

The future of this team looks to be headed up. Some have begun to speculate that the QSP token used to pay for security audits could be one of the next to be listed on Coinbase. Beyond that, a partnership with Coinbase would not surprise us either: given some of their recent troubles, they are most likely looking to increase user confidence in their brand and prevent future mistakes from occurring. However, regardless of whether they become affiliated with Coinbase in any way, we still expect demand for their service to continue to grow. Security in the smart contract world has been a very big topic of late, and Quantstamp has placed itself in a prime position to become the industry standard for validating and securing smart contracts against vulnerabilities.