Token Daily is a place to discover trending news and products in crypto and blockchain.

Deep Dive with Quantstamp

The Quantstamp team will be answering your questions live on Thursday April 19th at 11am PST

posted 9 months ago

Crypto Bobby
How comprehensive is the Quantstamp protocol in performing smart contract audits, in comparison to a "normal" smart contract audit that doesn't utilize an automated protocol?

Also, how does the pricing of Quantstamp's services compare to that of a standard smart contract auditing firm? Is it more expensive? Significantly less expensive?
9
Jonathan Haas
@crypto_bobby Comprehensiveness in this space is a bit tricky to define. In terms of smart contract auditing, most audits (from ourselves and competitors) consist of manual code review coupled with automated tooling (of which there are numerous open-source options).

One of our core strengths is our ability to mitigate the effect of bad actors -- with our distributed network of participants providing both the computing power and distributed governance we're looking for.

Pricing in this space is still largely undefined -- as there is no real standard of what pricing in this space looks like. There's no real one-size-fits-all answer to this question, given the differing smart contracts we look at. A smart contract utilizing tons of moving parts and establishing a protocol may be far more time (and resource) intensive than a token sale, for instance.
4
Crypto Bobby
@Jon_A_Haas I noticed on your website that you need to hold at least 200,000 QSP to request an audit. Is that QSP taken as payment upon an audit, or just required to hold during the audit and then can be transferred or sold later on?
4
Jonathan Haas
@crypto_bobby It’s an upfront payment for the audit. The full audit price is negotiated based on complexity and we work with the companies on that.
3
Crypto Bobby
@Jon_A_Haas thanks for the follow up, appreciate it!
1
Soona Amhaz
something you believe to be true about the crypto space that you find most people disagree with you on?
2
Jared Harrill
@soonaorlater I personally find the crypto space to be rather insular. Once people come into the space it is very embracing, but I haven't seen many inroads for blockchain organizations reaching out to non-blockchain spaces and events. I think there is sort of a "build it and they will come" mentality (which I also believe to be true in the long term). I am constantly surprised by the amount of people with deep technical ability outright ignoring crypto. I feel this is mostly due to the lack of outreach on our part into other spaces. Perfect example: Quantstamp was one of only two crypto organizations at BsidesSF, an event packed full of deep expertise in InfoSec.
2
StoreOfValue Blog
What makes Quantstamp more objective than Qualstamp?
1
Jared Harrill
@SovCryptoBlog Qualstamp is more in the machine stamping and fabrication space. They have made little to no inroads into the blockchain space.
Quantstamp on the other hand has recently signed on as one of the organizations helping the Ethereum Community Fund.
In 90 days we shipped a test net and a web analyzer. I believe that makes us far more ambitious for sure.
2
StoreOfValue Blog
What's one of the team's biggest wins over the last year? What's the biggest risk going forward?
1
Jonathan Haas
@SovCryptoBlog While Richard can answer this in depth, I'd honestly say our biggest win over the last year has been securing an absolutely stellar team. We've managed to hire a number of incredibly skilled individuals from industry and academia to best allow us to grow as a company. By doing so, we've managed to release a product ahead of schedule, perform a number of audits, and truly make an impact upon the field.
4
Dennis Stücken
How does your automated smart contract audit work?
1
Jonathan Haas
@dstuecken While our whitepaper discusses this in much further detail (https://docsend.com/view/shcsmhe), we use quite a variety of methods.

We utilize static analysis, concolic testing and symbolic execution, along with automated reasoning tools such as SAT and SMT. We've got a number of domain specific experts in these spaces, and often give back -- for instance, members of our team have contributed to MapleSAT, which is an award-winning SAT solver.
1
Jared Harrill
Hey everyone! Really excited to be joining today.
1
Kartik Talwar
How do you compare and contrast other chains with smart contract platforms with better guarantees/verification, and how do you see the trade-offs between a platform making it easy to get started vs making sure code is always correct ("worse is better" analogy)?
1
Jonathan Haas
@Kartik-Talwar Not entirely sure I understand your question, but I'll take a swing at it.

Most of the chains you're seeing with similar smart contract platforms that have better guarantees / verification are typically quite a bit more restrictive in the actions they allow developers to perform. One of the great strengths of Ethereum is the extensibility -- you're capable of really making it "what you want". This is largely why I think we've seen the rise of so many companies based upon Ethereum and relevant constructs.

We like to think of security as a key ingredient, in the nature that it is essential to the dish. We don't want to sprinkle it on as if it were MSG. We saw this with the early web -- product building came first, with security coming second. As we've seen adoption already kick off, we can avoid repeating the same mistakes early web 2.0 found itself in. By baking in security into the DNA of the community, hopefully we can continue to have a place that is not only easy to get started, but designed with security in mind.
0
Abdel Berry
When will we get more info about audit and validator nodes? e.g. number of tokens needed, system requirements, etc?
1
Mike Nortski
With Quantstamp getting ahead on a few things is there any chance we will see an updated roadmap anytime soon?
1
Jonathan Haas
@Mike-Nortski We'd like to see something of the sort be released! We're definitely in a product sprint right now to help define what the next 90 and 180 days looks like. Once we've fully established what this looks like, we'll be sharing details where appropriate with our community. We're ensuring we truly gain an understanding of the ecosystem, which has consisted of quite a bit of research on our side. If you are a member of our various media channels, you may have seen a number of individuals on our team running surveys and asking questions -- both in our technical and non-technical chats.
0
Timothy ₿lack
What are the most common patterns you see in smart contract vulnerabilities?
I.E.
What mistakes happen routinely that you hope to see improve?
1
Jonathan Haas
@percussivetouch Fantastic question! Quite a few common patterns have emerged over time -- largely those pertaining to reentrancy, integer over/under-flow, timestamp dependence, and transaction ordering dependence.

A number of these can best be seen in our platform (https://app.quantstamp.com), as well as within the "Making Smart Contracts Smarter" paper -- https://eprint.iacr.org/2016/633.pdf
1
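The integer over/under-flow pattern named in the answer above, as an added example (constructed here, not Quantstamp's code or tool output): raw EVM-style wrapping arithmetic beside a SafeMath-style checked version, applied to a toy token transfer with made-up balances.

```python
# Constructed example: why unsigned 256-bit wraparound is an audit finding,
# and what the checked-arithmetic fix looks like. Not a real contract.
UINT256_MAX = 2**256 - 1


def wrap_sub(a: int, b: int) -> int:
    """Unchecked EVM SUB: the opcode wraps modulo 2**256, so 0 - 1 == UINT256_MAX."""
    return (a - b) % 2**256


def wrap_add(a: int, b: int) -> int:
    """Unchecked EVM ADD: wraps modulo 2**256."""
    return (a + b) % 2**256


def checked_sub(a: int, b: int) -> int:
    """SafeMath-style SUB: revert (raise) instead of wrapping on underflow."""
    if b > a:
        raise OverflowError("uint256 underflow")
    return a - b


def checked_add(a: int, b: int) -> int:
    """SafeMath-style ADD: revert instead of wrapping on overflow."""
    if a + b > UINT256_MAX:
        raise OverflowError("uint256 overflow")
    return a + b


def transfer(balances: dict, sender: str, receiver: str, amount: int, checked: bool) -> dict:
    """Toy transfer. With checked=False the arithmetic wraps like raw EVM opcodes, so an
    oversized amount leaves the sender with a near-2**256 balance instead of failing.
    A guard such as require(balance - amount >= 0) would not help: unsigned values are
    never negative, and the subtraction has already wrapped. checked=True reverts."""
    sub, add = (checked_sub, checked_add) if checked else (wrap_sub, wrap_add)
    new_balances = dict(balances)
    new_balances[sender] = sub(new_balances.get(sender, 0), amount)
    new_balances[receiver] = add(new_balances.get(receiver, 0), amount)
    return new_balances


def transfer_reverts(balances: dict, sender: str, receiver: str, amount: int) -> bool:
    """True if the checked transfer rejects the call, which is the behaviour an auditor wants."""
    try:
        transfer(balances, sender, receiver, amount, checked=True)
    except OverflowError:
        return True
    return False


if __name__ == "__main__":
    ledger = {"alice": 10, "bob": 0}  # constructed sample balances
    print(transfer(ledger, "alice", "bob", 11, checked=False)["alice"] == UINT256_MAX)  # True
    print(transfer_reverts(ledger, "alice", "bob", 11))  # True
```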
Jonny Allen
What are you guys doing about marketing your product? How are you looking to get business into the door?
1
Soona Amhaz
What's the grand vision behind Quantstamp?
0
Jared Harrill
@soonaorlater We want to secure adoption for the first billion people. That starts with the public's inherent trust of smart contracts.
0
Erik Torenberg
How has the idea evolved over time?
0
Erik Torenberg
What was the inspiration for Quantstamp?
0
Broruto
Can you say what other blockchains you are developing auditing solutions for?
0
Jared Harrill
@dberkiv For now we really are just focused on Solidity smart contracts on Ethereum. That said, our analyzer and expertise mostly look at the bytecode, so going forward we are looking to be blockchain agnostic. Which protocols do we hit first? We haven't decided our path yet; first we are more focused on building out the protocol and tackling hard problems.
1
Jonathan Haas
@dberkiv While we're focusing right now on Ethereum, we're looking to be blockchain agnostic as we grow the company, our auditing solutions, and our presence in the community.
1
Abdel Berry
What's demand for the product looking like?
0
Jonathan Haas
@Abdel-Berry Demand for the product continues to grow -- individuals and enterprises alike see a large value in utilizing smart contracts, and our niche expertise in this area has proven invaluable to entities looking to gain their footing in this space. Our individual auditing tool is live as well -- and people definitely are excited about how our product continues to evolve!
3
Alexander Plitt
First just want to say thank you to the amazing team, and especially to Jared, Jonathan and the Telegram admins who are the day-to-day community contacts. You guys rock - know that we're cheering you on all the way! Also, a big welcome to new team member and VP of Strategy, Olga Mack!
0
Jonathan Haas
@alex_plitt Thanks, Alexander! Really appreciate it :-)
1
Jared Harrill
@alex_plitt Hey! Happy to see you here!
1
Jared Harrill
@alex_plitt Thank you so much
1
Alexander Plitt
Is the pace of manual audits still at about 2 per month, and do you expect to see that pace increase as you're hiring additional team members? Also, are you able to give us an update with respect to the number of projects in the manual audit queue? Last we heard a few months ago, the number stood at around 50. Thanks!
0
Jonathan Haas
@alex_plitt We definitely see pace picking up as we hire additional individuals -- and we're certainly looking to hire. Between our careers page (https://quantstamp.com/careers) and various recruiting events we've attended (BSides SF, RSA, Blockchain @ Berkeley) -- we're looking to scale, and to do so in a manner that can best benefit the company and the space as a whole.

Our number of projects in the manual audit queue is continuing to grow -- that number is a bit higher, but it fluctuates over time (such as when we complete an audit :-) )
1
Jonathan Haas
@alex_plitt @Jon_A_Haas To grant some further clarity on that, this number typically grows anywhere between 5-10 a month, with our completion time depending upon the difficulty of the audit. Higher impact projects we tend to focus on, but as a result, these tend to be more time consuming (largely due to their immense technical complexity).
1
Doug
So the automated audit function is to basically tell the smart contract maker how urgently they should get their contract audited? Similar to a check engine light in a car. How necessary is this given your current backlog?
0
Jonathan Haas
@Dems79 Not exactly -- the automated audit function provides guidance as to potential areas of vulnerability in the code -- it itself is an audit!

More involved manual audits are for contracts where an extra level of sensitivity is required -- largely by enterprises and individuals planning to undergo a large throughput on their smart contract.
0
David Gray
QSP seems to have done an excellent job in all respects except marketing; until very recently the majority of the buys and sells were on Huobi. QSP, I believe, would benefit immensely from a decent marketing campaign, plus some more exchange listings. Are there any future plans by the team to address any of the points I have mentioned?
0