31st December 2020

Quantstamp: Code, sleep, audit, repeat!

In this episode of the DeFi Download, Piers Ridyard interviews Krishna Sriram. Krishna is the Managing Director of Quantstamp, whose mission is to secure the decentralised internet. Quantstamp has protected 2 billion dollars in digital asset risk from hackers and has audited the smart contracts and code of several leading projects in the DeFi and crypto space.

Quantstamp: Code, sleep, audit, repeat!

An overview of Quantstamp

Quantstamp launched in mid-2017, with its founders already active in the blockchain space, either as investors or helping with community building and hosting Ethereum meetups. Quantstamp was born to redefine security in this new paradigm created by the exponential growth of the blockchain. With the creation of new kinds of applications and the subsequent increase in hacks’ frequency, the need for security has increased. The technology is extremely vulnerable to hacks and exploits since several of these applications are also custodians of assets, and Web 3.0 security is fundamentally different from Web 2.0 security.

The evolution of smart contract complexity

In 2017, several projects had a maximalist approach to their architecture and philosophy and tried to build a fully decentralised product, which, sadly, was also a massive Rube Goldberg machine. Meanwhile, other ventures launched simple products, such as ERC-20s and asset-backed tokens. Over the last two years, the philosophy of maximalism in terms of design approach has retreated, but other risks have emerged, such as ownership of the admin keys. Today, it is common for projects to hold the admin keys themselves, but a progressive decentralisation philosophy permeates the blockchain space. The emphasis of new projects is also on being able to provide a pleasant user experience.

Tips on security and audits for upcoming DeFi projects

There is a need to be extra careful about security when creating Web 3.0 applications or smart contracts that are custodians of assets. Security builders would benefit from having conversations with auditors in advance and getting a consultation on their codebase. Considering and implementing security from the first steps of the development process will ensure the code is ready when sending it for an audit. Developers can also make use of early-stage reviews that auditing companies, such as Quantstamp, are offering. Furthermore, it is advisable to use a framework, such as the OpenZeppelin library.

The three parts of the lifecycle of a smart contract

The lifecycle of smart contracts consists of three parts. The first one is the pre-deployment stage during which, usually, an audit takes place. In the beginning, the market concentrated around ERC-20 tokens and the composability of DeFi applications, which became the focus of Quantstamp’s early audits.

The second stage of the lifecycle is the post-deployment stage. As the DeFi space evolved, the Quantstamp team realised that the need for security is continuous. Therefore, they decided to expand beyond audits and risk assessment by adopting a continuous-security framework and offering real-time monitoring solutions for smart contracts. 

Quantstamp built an analogue to enterprise software in the financial world that supervises assets or credit card transactions for fraud and theft that can monitor hundreds of smart contracts or assets and analyse millions of daily transactions to detect anomalies and threats. This solution helps smart contracts mitigate threats on an ongoing basis and display a commitment to continuous security rather than viewing security as a one-time process.

Some of the best protocols in the DeFi space, like Compound, have committed to continuous security, reflecting in the number of audits they have had. That is probably one of the most extensive changes that Krishna and his team have seen since they started working on Quantstamp.

The third and last stage of the lifecycle concerns risk mitigation and insurance against risk.

The importance of risk mitigation and insurance

To increase user trust and drive growth and investment into DeFi platforms, having insurance and insurance coverage needs to become an integral part of any application’s features. And since deposit protection is a critical component that can inspire user trust, many insurance and coverage providers will emerge. 

Krishna observes that there needs to be a Web 3.0 native equivalent of FDIC and that smart contracts offer numerous, diverse, and innovative approaches to coverage; for example, Nexus Mutual provides mutuals, and Opyn options.

Cyber risk in the Web 3.0 paradigm is very different and requires a deep understanding of the product, code, and business logic. It is impossible to create an accurate quantitative model to assess the risk with the currently available small amount of historical data. Quantstamp is building a data advantage by combining their rigorous security assessments with real-time monitoring of on-chain threats to produce an accurate model of cyber risk.

Discussing the future

According to Krishna, it is going to be very hard to remove humans entirely from the process of auditing. Even though automated scanners and standardised libraries such as OpenZeppelin can automate specific auditing processes, such as grammatical errors, the need for having humans comprehending the various components and reviewing written code is higher than ever. As the systems have become and are gradually getting more complex, the functionalities are also getting more intricate. There are no standards that aid software in understanding the nuances of business logic and author intention. 

Krishna also believes that the future of DeFi will include multiple chains and programming languages. Already, there are a lot of novel approaches like the approach of Radix, Avalanche, Polkadot, and Cosmos. And although Ethereum has a critical mass of developers and standards, more people are increasingly choosing to work with another platform, like Cosmos, Polkadot, or NEAR. Polkadot offers robust interoperability features, a shared security model, and special-purpose blockchains connected to the main Polkadot chain. Dapper Labs’ Flow is a blockchain that focuses on gaming and NFTs. Quantstamp is platform-agnostic, and Krishna foresees several DeFi projects will be so as well and will select the tools that better serve their aims. As it was impossible to predict the current existence of so many DeFi applications and their composability, it is impossible to know which way the DeFi ecosystem will go.

Further resources