Published on Feb 21, 2020
Quantstamp is the first scalable security-audit protocol designed to find vulnerabilities in Ethereum smart contracts: a security verification protocol that improves the security of Ethereum. Its advantages include automation, trust, governance, and the ability to compute hard problems over a distributed network.
Currently, a smart contract audit costs at least $5,000 and takes at least a week to complete. Quantstamp's goal is to lower the cost to as little as $10 per audit, delivered within minutes of submitting the smart contract for audit.
The protocol consists of two parts:
An automated and upgradeable software verification system that checks Solidity programs.
An automated bounty payout system that rewards human participants for finding errors in smart contracts.
The Quantstamp team will be developing the following:
Quantstamp validation node (a heavily modified Ethereum client).
The security library, containing code that performs automated checks.
Validation smart contracts that handle bounty payments, the voting mechanism and governance.
A security library may also be developed to support languages other than Solidity.
Here is an example of how Quantstamp works:
After finishing the contract, the developer submits the code for a security audit by calling the Quantstamp Ethereum smart contract with the source code in the data field. Depending on the security needs of the program, the developer decides how large a bounty to attach.
The smart contract receives the request, and in the next Ethereum block the validation nodes run a set of security checks against the submitted contract. Once the nodes reach consensus, the proof-of-audit and the report data are added to the following Ethereum block along with the corresponding token payout.
The report classifies issues on a severity scale from 1 to 10: a 1 is a minor warning, a 10 is a major vulnerability. By pooling the effort of many developers through the bounty, the project can achieve broader coverage than a standard code review.
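As an added illustration (not Quantstamp's own code), the submit, check, consensus, report and payout flow described above modelled in Python. The three automated checks, their severities on the 1-10 scale, the two-thirds consensus rule and the sample contract are assumptions made for this example.

```python
import hashlib
import re
from collections import Counter

# Constructed Solidity source submitted for audit (illustrative, not from the page).
SOURCE = """pragma solidity ^0.4.24;
contract Wallet {
    address owner;
    function withdraw() public {
        require(tx.origin == owner);
        msg.sender.transfer(address(this).balance);
    }
    function kill() public { selfdestruct(owner); }
}
"""

# Hypothetical security library: (issue name, pattern, severity on the 1-10 scale).
# Severities are assumptions for the example, not Quantstamp's own ratings.
CHECKS = [
    ("tx-origin-auth", re.compile(r"tx\.origin\s*=="), 8),
    ("selfdestruct", re.compile(r"\bselfdestruct\s*\("), 6),
    ("floating-pragma", re.compile(r"pragma\s+solidity\s*\^"), 1),
]

def run_checks(source):
    """One validation node's automated pass: a set of (issue, severity) findings."""
    return {(name, sev) for name, rx, sev in CHECKS if rx.search(source)}

def consensus(findings_per_node, threshold=2 / 3):
    """Keep only findings reported by at least `threshold` of the nodes (assumed rule)."""
    tally = Counter(f for findings in findings_per_node for f in findings)
    needed = threshold * len(findings_per_node)
    return {f for f, n in tally.items() if n >= needed}

def proof_of_audit(source, agreed):
    """Commitment to the audited source plus the agreed report, as a hex digest."""
    report = ";".join(f"{name}:{sev}" for name, sev in sorted(agreed))
    return hashlib.sha256((source + "\n" + report).encode()).hexdigest()

def audit(source, node_findings, bounty):
    """Reach consensus, build the severity-ordered report, split the bounty among agreeing nodes."""
    agreed = consensus(node_findings)
    in_consensus = [i for i, f in enumerate(node_findings) if agreed <= f]
    share = bounty // len(in_consensus) if in_consensus else 0
    report = sorted(agreed, key=lambda f: -f[1])  # most severe first
    return {"proof": proof_of_audit(source, agreed), "report": report,
            "payout": {i: share for i in in_consensus}}

if __name__ == "__main__":
    honest = run_checks(SOURCE)
    print(audit(SOURCE, [honest, honest, set()], bounty=300))  # third node reports nothing
```

A node that reports fewer findings than the consensus set is excluded from the payout, which is how the model discourages validators that skip checks.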