Quantstamp Review: Smart Contract Auditing Protocol
Quantstamp (QSP) is a project that is developing a blockchain-based smart contract auditing protocol. They launched with great fanfare in 2017 with a blockbuster ICO.
Since then, the project has been building out its protocol and has already completed a number of high-profile blockchain-based audits. However, the project was embroiled in a bit of controversy last year over the use of its QSP token for audits.
In this Quantstamp review we will take an in-depth look into the project including the team members, development, roadmap and community support. We will also take a look at the QSP tokens and their potential for mass adoption.
What is Quantstamp?
Quantstamp is a platform designed to improve smart contract security by auditing Ethereum smart contracts to detect any potential vulnerabilities.
Before Quantstamp the only way for smart contract developers to detect many vulnerabilities was to offer bounties for others to dig through their code to find any problems. Quantstamp feels they can improve on this through the use of scalable proofs of audit.
Quantstamp has already completed numerous audits, and the QuantStamp betanet for the decentralized, blockchain-based scanning tool is already live to scan smart contracts in real time. Additionally, they completed the following audits in 2018:
- OmiseGo’s Minimum Viable Plasma (MVP) implementation
- Binance’s 120+ ERC20 tokens for the Batch Overflow Vulnerability
- Quarkchain’s ERC20 and tokensale contracts
The QuantStamp Team
The QuantStamp team grew dramatically in 2018, adding seventeen members and more than doubling in size to the current 29 member team. There are several open positions looking to be filled as well, from research engineers to quality assurance positions.
As with any team, the top names to look at are the leadership, and in the case of QuantStamp that means co-founders Richard Ma and Steven Stewart.
Ma began his career as an engineer at Tower Research where he designed trading algorithms. He got his interest in blockchain security as an early investor in the DAO who lived through the aftermath of the 2016 hack that created Ethereum Classic and the new Ethereum chain.
Stewart has been a standout since early days, with his first job being a computer systems analyst for the Canadian Department of National Defense even before he finished with his Bachelor’s degree.
A recent hire who now sets the path for Quantstamp is Olga Mack, who holds the title of Vice President of Strategy. Mack received both a B.A. and J.D. from UC Berkeley and has held positions at Yahoo, Zoosk and Visa.
In addition to the leadership team, the senior research team is comprised of several PhDs in computer science and electrical and computer engineering. With experts in computer modeling, blockchain and finance, and several serial entrepreneurs, the QuantStamp team is well positioned to deliver on its promises and continue growing dramatically.
QuantStamp uses its scalable and transparent proof-of-audit protocol to create a network that connects developers and investors. This network allows for automated checks to uncover vulnerabilities in smart contracts. This automation allows the network to automatically reward those who discover vulnerabilities or other bugs in the smart contract code.
To power the network the QuantStamp team created and introduced QSP tokens. These are used to purchase audits and as a means to compensate those who run the verifier nodes that scan the smart contract code for vulnerabilities.
Currently there are two parts to the QuantStamp protocol.
- The automated software platform that checks Solidity code to verify it is constructed properly, without any vulnerabilities. This platform does require a large amount of computing power, which is why verifier nodes are required. The platform is planned to grow to be able to discover increasingly sophisticated attacks over time.
- The automated bounty system that pays humans who manually scan and verify the Solidity code. These users are compensated when they discover bugs and vulnerabilities. This manual system is a bridge to fill the gap until full automation is possible.
Those who want to see a more detailed explanation of how the proof-of-audit system works may want to have a look at the QuantStamp whitepaper.
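To make concrete the kind of defect an automated Solidity check is meant to catch, here is an added illustration of the arithmetic pattern behind the Batch Overflow vulnerability mentioned above, first in its unchecked form and then hardened with checked arithmetic. This is example code written for this review, not Quantstamp's code and not taken from any of the audited tokens; the contract and function names (`VulnerableBatchToken`, `HardenedBatchToken`, `safeMul`, `safeSub`, `safeAdd`) are assumptions chosen for the illustration.

```solidity
pragma solidity ^0.4.24;

// Added illustration, not Quantstamp's code. Contract and helper names are
// assumed. Solidity before 0.8 does not check integer arithmetic, so a
// product of two uint256 values can silently wrap around 2**256.

contract VulnerableBatchToken {
    mapping(address => uint256) public balanceOf;

    constructor(uint256 initialSupply) public {
        balanceOf[msg.sender] = initialSupply;
    }

    // BUG: `cnt * _value` is unchecked. If the product wraps to a small
    // number (or zero), the balance check passes even though each receiver
    // is then credited the full, very large `_value`. An auditor flags the
    // unchecked multiplication feeding a require() as the root cause.
    function batchTransfer(address[] _receivers, uint256 _value) public returns (bool) {
        uint256 cnt = _receivers.length;
        uint256 amount = cnt * _value;                 // unchecked multiplication
        require(cnt > 0 && cnt <= 20);
        require(_value > 0 && balanceOf[msg.sender] >= amount);

        balanceOf[msg.sender] -= amount;               // subtracts the wrapped amount
        for (uint256 i = 0; i < cnt; i++) {
            balanceOf[_receivers[i]] += _value;        // each receiver gains _value
        }
        return true;
    }
}

contract HardenedBatchToken {
    mapping(address => uint256) public balanceOf;

    constructor(uint256 initialSupply) public {
        balanceOf[msg.sender] = initialSupply;
    }

    // Checked arithmetic in the SafeMath style: revert instead of wrapping.
    function safeMul(uint256 a, uint256 b) internal pure returns (uint256) {
        if (a == 0) return 0;
        uint256 c = a * b;
        require(c / a == b, "multiplication overflow");
        return c;
    }

    function safeSub(uint256 a, uint256 b) internal pure returns (uint256) {
        require(b <= a, "subtraction underflow");
        return a - b;
    }

    function safeAdd(uint256 a, uint256 b) internal pure returns (uint256) {
        uint256 c = a + b;
        require(c >= a, "addition overflow");
        return c;
    }

    // Same interface; the total is computed with safeMul, so any product
    // that would wrap reverts the whole call before any balance changes.
    function batchTransfer(address[] _receivers, uint256 _value) public returns (bool) {
        uint256 cnt = _receivers.length;
        require(cnt > 0 && cnt <= 20);
        uint256 amount = safeMul(cnt, _value);         // reverts if cnt * _value wraps
        require(_value > 0 && balanceOf[msg.sender] >= amount);

        balanceOf[msg.sender] = safeSub(balanceOf[msg.sender], amount);
        for (uint256 i = 0; i < cnt; i++) {
            balanceOf[_receivers[i]] = safeAdd(balanceOf[_receivers[i]], _value);
        }
        return true;
    }
}
```

The detection rule a scanner applies here is mechanical: an unchecked multiplication (or addition) whose result flows into a `require` guarding a balance update is a finding, regardless of whether a wrapping input is reachable. Contracts compiled with Solidity 0.8 or later get overflow checks from the compiler by default, but tokens written for the 0.4 era, like those audited in 2018, need the explicit checks shown in the hardened version.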
Quantstamp Contract Auditing UI
The automated smart contract audit system will have an impressive user interface where you can upload your Solidity code and have it audited in real time. You will be given an overview of the potential issues as well as their potential severity.
The automated system remains on the betanet, and is expected to see a UI upgrade in the first quarter of 2019. There is no indication yet when the software platform will move to mainnet, but QuantStamp verifier nodes are expected to begin shipping around the world in February 2019.
In order to get a good sense of how much work has been done on the Quantstamp project it helps to take a look at their GitHub repository. This shows us how much code is being pushed as they develop their protocol and move along their roadmap.
There are a number of different repositories in the Quantstamp project. Many have remained inactive in terms of commits over the past 12 months. Below are three of the most active repos on the Quantstamp project.
As you can see in the above charts, there has been sporadic activity in the repos over the past 12 months. This is perhaps one of the reasons that the Quantstamp project is only sitting at a commit rank of 142 on Coincodecap. This places the project just below DeepOnion in terms of repo commits.
Of course, the GitHub repository is not the be-all and end-all of the project. The team is working on other aspects such as partnerships and adoption. However, if they are to meet their ambitious roadmap milestones for Q1 2019 they will have to crank up the tempo.
The team has not updated their roadmap since Q3 of 2018 but according to those guidelines, there are quite a few things that the community should expect to see for the first two quarters of the year.
Below are some of the most important targets that the Quantstamp team has for the first quarter:
- Invitation sent out to the community for Ropsten testing of the Assurance Protocol
- Deploy the Bounty TCR on the mainnet
- Lay out the Quantstamp Protocol node policing method that could prevent malicious actors from exploitation
- Start shipping out the pre-installed Quantstamp nodes
- Release the custom UI for the assurance protocol and eventually release it on mainnet
- Deploy the Betanet of the UI redesign
- Release the "Fundamentals of Smart Contract Security" publication
Of course, we are already a third of the way through the first quarter and these were laid out in the beginning of the fourth quarter of 2018. The community has yet to hear an update from the team on these milestones. We will keep a keen eye on Quantstamp's official blog to monitor progress on this roadmap.
The Quantstamp Community
QuantStamp once had an active, growing, vibrant community, but that’s no longer the case. The QuantStamp subreddit sees few posts and just as few responses these days, even though there are still over 8,000 members. On Twitter there are 57,000 followers, but again there is little activity.
All of this is a result of a controversy stretching back to June 2018, when token owners learned that QuantStamp had accepted Ether and U.S. dollars for its audit services. The token holders are understandably upset as they feel this practice undermines the utility of the QSP token.
One Reddit user who goes by the handle “Carine” had this to say:
As a token holder, we only benefit from those willing to hold and find value in the token. If the use case is unclear, this will not translate to increased ROI.
An even more direct comment came from user “angryblastoma”:
When they decided to take ETH for payment and leave their investors in the dust, well, that pretty much decided it for any investor with any brains. Was a great project but these hipster scammers were the wrong team to bet on, unfortunately.
What’s even worse is that nearly eight months later investors have no idea how many times the QuantStamp team accepted payment other than QSP for audits, or if this practice is ongoing.
The company itself has declined to comment on the situation, and the lack of communication has really been a hard blow to the community.
The QuantStamp Token (QSP)
QSP is an ERC-20 compliant token and there is a total supply of just shy of 1 billion tokens, with a circulating supply of 617,314,171 QSP. The tokens were distributed with 65% going to the initial token sale, 20% going to the team and advisors, 10% going to a reserve fund and 5% put aside for community development.
QuantStamp held their ICO in November 2017, with a one week pre-sale followed by a public ICO that was scheduled for a month, but lasted just two days as the ICO hit its hard cap. All told, QuantStamp raised $31.3 million in that ICO, with each QSP token priced at 0.0002 ETH or $0.072.
Adoption of the token was rapid and it hit an all-time high of nearly $0.77 on January 8, 2018. The high wouldn’t last long, however, as the 2018 bear market in crypto took hold and the price of QSP plummeted. By the time the controversy over alternate payment types being accepted emerged in June, the token had already dropped to $0.16, but over the next month it was more than cut in half as it fell to $0.07.
Interest never revived and the coin continued lower. As of late January 2019 one QSP is worth just $0.017 or less than 25% of the ICO price. The only good news is that price was as low as $0.012 in mid-December 2018, so the current price is off recent lows.
If you want to purchase some QSP at these incredibly low prices most of the trading volume in the coin is on Binance. You will also see a small amount of volume on Huobi Global and almost negligible volume on Gate.io, KuCoin and a few smaller exchanges.
Storing the QSP tokens is easy enough since it is an ERC-20 compliant token that can be stored in any of the ERC-20 compliant wallets, such as MetaMask and MyEtherWallet.
While blockchain technology is very secure, the smart contracts used to add functionality to the blockchain are not guaranteed to be secure. In fact, they are no more secure than any other piece of software that’s been written by individual human developers or teams of developers.
Humans are inevitably fallible, and we already know there have been well-documented smart contract vulnerabilities, including the infamous DAO hack that occurred in 2016, causing a hard fork in Ethereum’s blockchain. And just a year later a one-word bug in the smart contract code of Parity’s multisig wallet allowed a hacker to steal roughly $30 million worth of cryptocurrency.
It’s obvious that something needs to be done to limit and eventually eliminate these smart contract vulnerabilities and QuantStamp is attempting to do just that. Their platform promises to automate the validation of smart contract code, rewarding the node operators who provide the computational power to do so, and ridding blockchain projects of dangerous vulnerabilities in their smart contracts.
QuantStamp has proven the technology works too, with their betanet functioning for months and the team adding new features on an almost monthly basis. If that technology had been available in 2016 the attack on the DAO would never have been successful.
With smart contract usage increasing dramatically, an auditing platform that uncovers vulnerabilities in smart contract code isn’t a luxury, it’s a necessity. And QuantStamp is delivering the necessary technology to make bug-free smart contracts a reality.
Disclaimer: These are the writer’s opinions and should not be considered investment advice. Readers should do their own research.