Quantstamp (QSP) Analysis – Securing Smart Contracts
Quantstamp (QSP) is a security layer on top of the Ethereum blockchain that aims to ensure that smart contracts do not contain programming flaws by providing proof of audit. To this end, the Quantstamp team has developed an AI algorithm supported by a global platform (referred to as a “global hackathon” by the QSP team), where coders and hackers alike can earn money by finding (and resolving) bugs in smart contract code. Once a smart contract has been reviewed, it receives an audit certificate (or stamp), and the results are published to the blockchain explorer (www.qsscan.io – website under construction), making them visible to everyone.
A smart contract is the equivalent of a traditional contract, with the exception that there is no central authority who has to oversee it, as the rules are programmed into the contract itself. In other words, it is a set of rules which are permanent and cannot be changed. When certain conditions, as specified in the code, are met, the smart contract automatically executes. Using a smart contract, there is no need to trust the other party – which is especially useful on the internet.
Blockchains are secure, but smart contracts are not. The infamous DAO hack that occurred in 2016 raised concerns regarding the potential danger of smart contracts to investors [1]. Ensuring that smart contracts are bug-free from inception is crucial because, unlike traditional applications, smart contracts cannot be patched. Once released on the network, the contract cannot be changed, due to the immutability of the blockchain. Therefore, businesses need solutions to ensure that smart contracts do what they were built to do. Without that certainty, mass adoption of smart contracts is jeopardised.
Currently, audits are performed by in-house programmers, and sometimes by companies specialised in this field. However, due to the increasing demand for such services (see chart below, showing the increasing usage of the Ethereum network), waiting lists are growing for auditing firms, and smart contracts are being released without the appropriate due diligence. Moreover, as they are conducted by humans, we cannot be sure that all bugs are found.
The team has already tested Request Network (REQ) and a few others – more on that in the Team and Partnerships section – and is soon to release its prototype on the 19th of May.
By being on the blockchain, the protocol enables:
- Authenticity and verifiability: Anyone can identify if the smart contract has indeed been audited and verify the outcome.
- Security: As nodes will perform the proofs of audit, no single entity will be able to jeopardise the system by stamping a flawed smart contract.
- Shared network: Enables “hackers” around the world to verify smart contracts.
- Scalability: Enables many smart contracts to be checked, as an automated system will be built on the AI.
The analysis process will rest on two pillars: AI and human checking – the second of which is set to disappear once the library used by the AI is fleshed out and self-sustaining. Currently, the team selects, on a case-by-case basis, the project to be audited. They then manually build the library to ensure that no contract with flaws receives the audit certificate. However, in the future, thanks to the AI system, all projects will be able to ask for an audit without being selected by the team.
A. Worldwide Hackathons System.
Described by the Quantstamp team as a global hackathon, “hackers” and developers will be able to earn bounties (in the form of QSP tokens) when they find bugs in a contract’s code.
The system incentivises good behaviour using game theory: all hackers are competing to discover the bugs, so anyone who lets a bug slip through in order to exploit it later faces a high chance that someone else will find and report it first. Therefore, a hacker is more inclined to fix the bug in order to receive the reward than to gamble on the slight probability of benefiting from it.
B. The Algorithm.
This task is resource-intensive; thus, people who run QSP nodes on their computers (or mining rigs) to validate smart contracts will earn QSP tokens. Validators need no knowledge of software security, as the check simply uses their computer’s processing power and requires only basic interaction from them.
Team and Partnerships
The team is composed of Ph.D. holders and former employees of large tech companies, and the project’s advisors are some of the best we’ve seen in the industry. Notably, Evan Cheng, the Director of Engineering at Facebook, is part of the advisory team, alongside Nim Kim from the Draper foundation, and Chris Miess, the former CFO of TenX and current CEO of Iconic Partners, one of the leading blockchain consulting companies in Asia – hinting towards possible future collaboration between Quantstamp and them.
With a B.S. in Electrical Computer Engineering, Richard Ma, Quantstamp founder and CEO, has a great deal of experience in the finance industry, from asset management to algorithmic trading. As an algorithmic trader, he dealt with millions of dollars with no margin for error, which is what Quantstamp aims to achieve. Other members of the team have solid security and programming backgrounds, including an engineer who worked 5 years at the Canadian Department of National Defence as a computer systems analyst, as well as software engineering experience at Amazon, Google and Yahoo.
The team has already provided a few audits, such as the one for the Request Network ICO, for Trusted Lending Circles (the first WeTrust DApp), and for Insight, a DApp built on the EOS blockchain. In addition, QSP partnered with Quoine, the leading Japanese exchange, for its QRYPTOS platform – an automated self-service exchange (quasi-decentralised). Quantstamp will provide them with security recommendations on the projects which will be listed on the platform [2][3][4]. Some of the audit reports already performed by the team are available on their GitHub.
Lastly, the project is part of the Y Combinator program – one of the most exclusive seed funding programs in the world, with an alumni network including Coinbase, Dropbox, Reddit, and Airbnb. Being part of this program gives Quantstamp access to some of the best networking events in the world, and provides them with great resources and a knowledge base to boost growth. Given the fact that the QSP team wants to build a security standard, having access to such a pool is definitely a competitive advantage.
QSP, the platform’s native token, will be used to cover audit fees, so all transactions on the platform need to use it. Moreover, the token is also used for governance and enables you to receive airdrops from projects audited by the Quantstamp team.
Token demand will be driven by the demand for audits, and will therefore grow as smart contract adoption increases. As of mid-February, 200,000 QSP are required to request an audit [5], with the team choosing the projects they audit in order not to hurt their brand and to ensure the quality of the audit and the associated library. However, as stated earlier, all projects will be accepted when the library is consistent and the full AI platform is functional.
Apart from those requesting audits, other “players” on the network are:
- Contributors – professional security-focused coders who will review Solidity code on the Ethereum platform, as well as the Quantstamp protocol itself – earning QSP.
- Validators – provide computing power to the network by running the validation nodes (software) – earning QSP.
- Bug finders – who search for flaws in the code – receive QSP in the form of bounties set by those whose smart contract(s) are being audited.
- Voters – spend QSP to choose the direction the platform will take, via a voting system.
An interesting feature that QSP offers is its airdrop reward system. As of now, the team manually audits projects, and QSP holders will be airdropped tokens from them. For instance, Insights Network (INSTAR), built on EOS, will airdrop 1.5% of its total circulating supply.
The number of tokens received will be based on a “proof of care” mechanism. A scoring algorithm takes into account your involvement in the community: the higher the involvement, the more you receive via an airdrop. The aim of this proof of care system is to build a strong community around the technology, build the fundamental infrastructure, and have a global marketing team – leading to a network effect of node validators.
Firstly, Quantstamp offers a scalable solution, able to cope with the increasing demand for smart contracts. Moreover, there are very few smart contract experts due to the relative youth of the industry. Currently, the competition offers the same type of audit as the QSP team, with approximately the same pricing, ranging from $10,000 to $20,000. However, because Quantstamp is the most well-known player in the security niche, the network effect should enable them to quickly build the AI library and to roll the final product out faster than the competition, leading to a decrease in audit costs – providing them with a second competitive advantage, the pricing.
Secondly, regulatory “threats” and “talks” have increased over the last few months, as has the number of ICOs. It wouldn’t be too far-fetched to assume that governments will in the future ask for audits when an ICO is conducted, the same way audits are performed when traditional stocks go for IPOs or when financial statements are released. If this is the case, Quantstamp is among the first solutions available to enterprises. Also, as explained in the Team and Partnerships section, the team will provide security recommendations to the QRYPTOS platform. We see Quantstamp providing similar audits to Binance’s Launchpad, as well as Huobi’s Autonomous Exchange, as a possibility.
Thirdly, once the platform is well-implemented on the Ethereum blockchain, the protocol will cross to other blockchains. The team has stated that they want to focus on a few main blockchains (2 to 3 platforms). As a project, Insights Network, running on the EOS blockchain, has already been audited by the team, and we expect the team to concentrate further on EOS – increasing the number of smart contracts audited by Quantstamp but also diversifying the QSP concept across protocols, if the Ethereum blockchain is ever caught up with or surpassed by a different platform.
Lastly, on the 19th of March, the Quantstamp team plans to deliver its first prototype during Y Combinator’s Demo Day. Given the renown of the program, we can be close to certain that the prototype will work, and hopefully be usable a few days later. Later on the roadmap, in August, the team promises to deliver the mainnet; however, the team has hinted that an early release is possible by stating that they prefer to underpromise and overdeliver.
If the blockchain industry is here to stay, so is Quantstamp. We see projects like Quantstamp, dealing with security, being part of the complete blockchain infrastructure – alongside solutions to speed and transaction volume (see our High Performance Blockchain analysis to understand why we also see them as crucial components).
Not only does QSP have a first-mover advantage – crucial to building the AI tool, as many data points will be needed – but they also have the right team to transform the concept into reality. They also have a good business model to boost community involvement, with the proof of care and airdrop systems. When operating in the blockchain space, creating a network effect is crucial as it enables network security (for example, protecting against a 51% attack) as well as ensuring that enough computing power is available to adequately conduct audits.
Unlike other projects, where great effort will be needed to drive the token demand, we do not see that as a problem for Quantstamp. The benefits of being audited by a trusted organization heavily outweigh the audit costs (especially for ICOs raising millions of dollars), or the costs associated with loss of funds, and legal issues. We see Quantstamp’s proof of audit becoming mandatory for coins to be listed on exchanges, to be considered for fund inclusion, or to be used by businesses.
Disclaimer: we are invested in QSP.
As always, this is not financial advice. This Quantstamp analysis is based on personal opinion, and we invite everyone to read Quantstamp’s white paper, available on their official webpage before investing. Do your own research, contact the team on their Telegram channel, and consult a financial advisor if needed.
(1a) Bloomberg, The Ether Thief. Retrieved from: https://www.bloomberg.com/features/2017-the-ether-thief/
(1b) Bloomberg, Hackers Have Walked Off With About 14% of Big Digital Currencies. Retrieved from: https://www.bloomberg.com/news/articles/2018-01-18/hackers-have-walked-off-with-about-14-of-big-digital-currencies
(2) Quantstamp Official Medium, Quantstamp Completes Audit of WeTrust’s Trusted Lending Circles. Retrieved from: https://medium.com/quantstamp/quantstamp-completes-audit-of-wetrusts-trusted-lending-circles-9235d2c83ce0
(3) PR Newswire, Quoine to Incorporate Quantstamp’s Smart Contract Security Recommendations for Selected Tokens. Retrieved from: https://www.prnewswire.com/news-releases/quoine-to-incorporate-quantstamps-smart-contract-security-recommendations-for-select-tokens-on-their-ico-listing-platform-qryptos-300594709.html
(4) Quantstamp official website, Audit Request. Retrieved from: https://quantstamp.com/auditrequest/