
What Is Quantstamp (QSP)? | A Guide to the Smart Contract Auditing Platform

What Is Quantstamp?

Quantstamp is a security-auditing protocol for smart contracts. As a dapps platform, Ethereum has proven its security time and again. However, dapps and smart contracts built on top of Ethereum may still contain bugs that malicious players can use to cause havoc on the network. The two most notable examples are the $55 million DAO hack and the $30 million Parity wallet bug. These incidents not only affect the people whose funds were stolen, but they also diminish the credibility of the entire ecosystem.

Writing smart contracts is already a tough job. As with any other kind of programming, writing them without any bugs is near impossible. To add fuel to the fire, the rate at which smart contracts are being written (an estimated 10 million by the end of 2018) is outpacing the resources needed to audit them. Even with robust security auditing, a small bug could slip through the cracks and cause a catastrophe down the road.

Here’s where Quantstamp comes into play. The protocol includes a cost-effective, scalable system to easily audit your Ethereum-based smart contracts. In this Quantstamp protocol guide, we’ll talk about:

How Does Quantstamp Work?
Quantstamp Team & Progress
Trading
Where to Buy QSP
Where to Store QSP
Conclusion
Additional Quantstamp Resources

How Does Quantstamp Work?

Although the team is focusing on Ethereum now, they’re building the Quantstamp protocol in a way that’s platform agnostic. This means that it can eventually be used on other smart contract platforms like Lisk and NEO. The Quantstamp protocol has a two-pronged approach to security auditing:

Automated software verification system
Automated bounty payout system

Software Verification

Quantstamp’s Validation Node applies audit techniques from formal methods submitted by Contributors. These techniques include security checks such as concolic testing, static analysis, and symbolic execution, as well as automated reasoning tools like SAT and SMT solvers. As a reward for submitting verification software, Contributors (who are primarily security experts) receive Quantstamp Protocol (QSP) tokens.

To ensure no bad actors are submitting malicious validation software, Contributors must be voted in according to the governance mechanism (more on this later).

Running the Validation Node takes a significant amount of computing power. Because of this, Validators also receive QSP payment for providing computing power to the network. To ensure that Validators don’t act maliciously, they must stake their QSP tokens to earn their reward.

An Example

As a developer, you want to deploy a smart contract on Ethereum. Considering you don’t want to go down in history as the person who lost millions of people’s money, you have your contract audited. To do so, you send your smart contract, with the source code in the data field, directly from your wallet to Quantstamp, including QSP tokens with the transaction. In the next Ethereum block, Validators perform the security checks. After they reach consensus, they append the proof-of-audit and report data to the following block.

You can choose whether your security report is made public or private.

UPDATE: It appears that the Quantstamp team now also offers manual audits in exchange for ETH or USD.


Quantstamp Audit System

Bounty Payouts

When you submit your smart contract for auditing, you also include a set of QSP tokens for bounty rewards and a deadline by which Bug Finders can submit issues. The bounty deadline and reward size are up to you. If the deadline passes with no bugs found, the QSP bounty reward is returned to you.

Quantstamp doesn’t guarantee flawless code after this process, but they do assure users that the automated testing and crowdsourced bug-hunting greatly reduce issues.

Protocol Governance

QSP token holders control the protocol, the validation smart contracts, and Validation Node upgrades. The governance model uses a time-locked multisig in which any token holder can propose a change. The more votes a change has, the sooner it takes effect. Changes approved by all members occur within an hour. This time doubles for each 5% of members who don’t vote and quadruples for each 5% who vote against it.


Earlier in 2018, Quantstamp implemented an in-house Proof-of-Caring system to reward community members and loyal QSP token holders. Once you submitted your proof, you’d receive an airdrop from an ICO that Quantstamp had audited. This proof consisted of holding your tokens in a wallet (not on an exchange) for a certain amount of time, contributing to social media outreach, and/or taking part in other community activities.

The Quantstamp team has since ended this program and no longer rewards community members with ICO airdrops. It’s been a point of contention in the community.

Quantstamp Team & Progress

The Quantstamp team consists of 30+ members and advisors with over 500 Google Scholar citations. Steven Stuart (CTO) and Richard Ma (CEO) founded the team in June 2017. Stuart worked 5 years in Canada’s cryptologic agency in the Department of National Defense and previously founded Many Trees, a start-up that uses GPUs for Big Data analytics and machine learning. Ma built production-grade integration and validation testing software at the Bitcoin HFT Fund. During his time there, his trading systems had no notable issues and handled millions of dollars in investment capital.


The Quantstamp Co-Founders

Since their beginning, the Quantstamp team has performed several audits, one of them on Request Network, a strategic partner. They’ve also audited numerous other projects including Wanchain and
