QSP (Quantstamp) Whitepaper.pdf

Quantstamp
The protocol for securing smart contracts

Quantstamp is the first smart contract security-auditing protocol. We are extending Ethereum with technology that ensures the security of smart contracts. Our team is made up of software testing experts who collectively have over 500 Google Scholar citations.

Founders
Richard Ma, Cornell ECE, Algorithmic Portfolio Manager
Steven Stewart, MCS, BA, PhD, U. Waterloo, Software verification, Database implementation

Founding Team Members
Dr. Vajih Montaghami, PhD, Formal Methods
Ed Zulkoski, B.S., PhD candidate, U. Waterloo, SAT/SMT solvers
Leonardo Passos, PhD, Compilers and Programming Languages

Advisors
Dr. Vijay Ganesh, Assistant Professor, U. Waterloo (ex-Stanford, MIT)
Evan Cheng, Director of Engineering at Facebook, ACM Software System Award for LLVM
Dr. Derek Rayside, P. Eng., Associate Professor, U. Waterloo (ex-MIT)

2017-October-7
Version 3.0

Contents
The Problem 4
Quantstamp Protocol 4
Technology Roadmap 6
Motivation 7
Smart Contract Improvements 7
How we improve smart contract infrastructure 7
How we improve the developer’s process 8
Quantstamp, by example 9
Technology 10
Validation Protocol 11
Design 11
Security Audit Engine 13
Architectural View 14
Quantstamp Validation Smart Contract for Ethereum 14
Quantstamp Network for Ethereum 15
Quantstamp Reports 15
Tradecraft 15
Computer-aided reasoning tools 16
SAT solvers 16
SMT solvers 16
Model-checking 16
Static program analysis 17
Symbolic Execution and Concolic Testing 17
Incremental releases and the subscription model 17
Bug Finders 18
Security Disclosure Strategy 18
Distributed and Parallel SAT 19
The Satisfiability Problem (SAT) 19
Parallel SAT Solvers 21
Parallel SAT and consensus 22
Common vulnerabilities for Ethereum/Solidity 22
Financial Planning 26
Research contributions by our team 27
Demo: Locating The Parity Multisig Vulnerability 28
Frequently Asked Questions 30
Detailed Bios 32
Addendum A 35
Why we should be concerned about smart contracts 35
The DAO and others 35
Recent studies 36
Addendum B 38
Off-chain Tools for Developers 38
Smart Debugging using discriminating examples 38
Important Legal Disclaimer 42

The Problem

Blockchain networks are secure, but smart contracts are not. In June 2016, a hacker stole 55M in Ethereum coins from the DAO due to a bug in its smart contract. In July 2017, another hacker stole over 30M in Ether from crypto companies due to a one-word bug in the smart contract code of the Parity multi-sig wallet. Security issues like these are a serious impediment to wider adoption of the Ethereum network because they erode trust in smart contracts.

Current efforts to validate smart contracts are inadequate. Engaging security consulting companies requires human experts to audit smart contracts. This process is expensive and error-prone. Also, relying on a single company requires trusting that no bad actors exist in the company. A distributed system relying on consensus among many different actors is far more secure.

Security audit processes that rely on human experts cannot keep up with the exploding growth rate of smart contract adoption. Between June 2017 and October 2017, the number of smart contracts grew from 500K to 2M.[3][4] Within a year, we expect there to be 10M smart contracts. This will create an exponential increase in the demand for auditing. There aren’t enough security experts in the world to audit all smart contracts today, and this shortage will be even more acute in the future.

The potential costs of smart contract failures will also grow. As of October 2017, about 3.2B (11M ETH) was locked in smart contracts. The number of dollars locked in smart contracts will grow exponentially as Ethereum network and smart contract adoption grows. The potential cost of smart contract vulnerabilities will grow commensurately.

[3] https://web.archive.org/web/20170602184510/https://etherscan.io/accounts/c
[4] https://etherscan.io/accounts/c

Quantstamp Protocol

The Quantstamp protocol solves the smart contract security problem by creating a scalable and cost-effective system to audit all smart contracts on the Ethereum network. Over time, we expect every Ethereum smart contract to use the Quantstamp protocol to perform a security audit, because security is essential. The protocol consists of two parts:

● An automated and upgradeable software verification system that checks Solidity programs. The conflict-driven distributed SAT solver requires a large amount of computing power, but will be able to catch increasingly sophisticated attacks over time.
● An automated bounty payout system that rewards human participants for finding errors in smart contracts. The purpose of this system is to bridge the gap while moving towards the goal of full automation.

The Quantstamp protocol relies on a distributed network of participants to mitigate the effects of bad actors, provide the required computing power and provide governance. Each participant uses Quantstamp Protocol (QSP) tokens to pay for, receive, or improve upon verification services. Below are the different types of participants.

● Contributors receive QSP tokens in return for contributing software for verifying Solidity programs. All contributed code will be open source so that the community can have confidence in its efficacy. Most Contributors will be security experts. Contributions are voted in via the governance mechanism.
● Validators receive QSP tokens for running the Quantstamp validation node, a specialized node in the Ethereum network. Verifiers only need to contribute computing resources and do not need security expertise.
● Bug Finders receive QSP tokens as a bounty for finding bugs which break smart contracts.
● Contract Creators pay QSP tokens to get their smart contract verified. As the number of smart contracts grows exponentially, we expect demand from Contract Creators to grow commensurately.
● Contract Users will have access to the results of the smart contract security audits.
● Voters: The governance system is a core feature of the protocol. The validation smart contract is designed to be modular and upgradeable based on token holder voting (time-locked multi-sig). This governance mechanism reduces the chance of upgrade forks and decentralizes the influence of the founding team over time.

Technology Roadmap

2017
June
● Quantstamp founded by Richard and Steven
July
● Solidity Static Analyzer prototype built days after Parity Wallet hack
August
● Released first version of whitepaper
September
● Hired Ed, Krishna, Vajih, Leo
October
● Completed Request Network semi-automated audit
● Built automated truffle test generator
● Complete 2nd semi-automated audit with another company
November
● Complete 3rd semi-automated audit with another company
● QSP token launch
● Begin university partnerships with the University of Waterloo
December
● Build the Quantstamp validation/payment smart contract on Ethereum
● Complete the 4th semi-automated audit

2018
January
● Build the Quantstamp validation node (an augmented Ethereum node)
February
● Add analysis software v1 to the validation node that returns the proof-of-audit hash and raw output
● Complete the 5th semi-automated audit using analysis software v1
March
● Begin testing phase and improvement of crypto-economic incentives
● Implement token holder governance system for the upgradeable protocol
April
● Deploy to test network after testing and validating the system
● Begin academic review of the system
May
● Hold first Quantstamp hackathon
June
● Begin work on smart contract insurance with partners
July
● Hold token holder vote for mainnet after months of testing/incentive adjustment
August
● Release mainnet v1
September
● Begin work on distributed SAT consensus with BFT for Mainnet v2
October
● Add smart contract insurance alpha product on Mainnet smart contracts

Motivation

Our team has devoted their careers to helping developers produce more reliable code, representing years of combined research and experience in the discipline of software verification. The opportunity to apply this expertise towards the next generation of the digital revolution is extremely exciting for everyone involved. There is a clear and urgent need for more secure code.

Vulnerabilities in smart contracts threaten the adoption of blockchain technology and cryptocurrencies. Currently a lot of work is being done to scale Ethereum; however, we think security is equally important. Without security of smart contracts, it’s hard for people to trust them with anything other than risk capital. Our vision for the future is that smart contracts will be mainstream applications used by people to make their everyday lives easier. We will help bring about this vision for smart contracts by extending Ethereum with technology that ensures the security of smart contracts.

We believe that automated security audits will help developers to deploy code that the public can trust without having to write formal specifications that contain more lines of code than the program itself. Our aim is to automate checks and property verification as much as possible. Each of these objectives should contribute to a healthier blockchain ecosystem. This solution addresses an infrastructure-level problem.

Our strategy is to create a foundational protocol that could eventually be incorporated directly into the Ethereum platform, and to create the safe environment needed for the first Ethereum killer app.

The remainder of this document details why a security protocol is a necessary technological advancement, and provides a high-level architecture of the platform.

Smart Contract Improvements

How we improve smart contract infrastructure

The protocol allows automated security checks on the smart contract code, and does so in a trustless manner.[5] Our approach offers the following two core advantages.

[5] We use the word “trustless” to indicate that the process is transparent and it is not necessary to trust a third party, and that it deters bad actors from compromising the audit.

1. The protocol allows end-users to directly submit programs for verification, without the possibility of a bad actor manipulating the results of an audit

Imagine a bad actor at a security auditing company that allows a multi-million dollar bug to slip through, and then takes advantage of the live deployed contract. The consensus required by the Quantstamp protocol mitigates the effects of bad actors based on the economically dominant strategy: it would be too costly to try to manipulate the results. Verified smart contracts are produced with the proof-of-audit hash, which includes the version of the security library used by the verifier, and a plain-text report is released based on consensus. In the future, we plan to offer smart contract insurance in partnership with 3rd parties to further mitigate the risks of using smart contracts.

2. We incentivize miners by making the verification and certification of smart contracts part of the validation node software on Ethereum

In a blockchain architecture, “miners” are participating entities that try to add transactions to the chain. In the Quantstamp protocol, miners are called verifiers. A verifier needs to run the validation node software, which watches for updates on the Quantstamp validation smart contract. The fee for performing the service makes verifiers honest. A verifier that certifies a contract produces a proof-of-audit hash and, in turn, the verifier is awarded a token fee. In case a verifier finds a violation of security goals by a contract, s/he produces a counterexample that is a witness to the violation, and the escrow smart contract pays a bounty fee to the verifier. Developers are responsible for addressing vulnerabilities when they are found, but now they can address them before real stakes are involved.

How we improve the developer’s process

Well-intentioned software developers need help to produce better code. As pointed out by Luu et al., there is a semantic gap rooted in a misunderstanding of how code executes in the blockchain;[6] consequently, there is a pressing need for better tools that can assist the developer in capturing vulnerabilities prior to deployment. The current way developers test code (manually, via open source code reviews and unit tests if they are diligent) is not sufficient to meet the needs of blockchain technology, which ideally offers perfect security. All of the above methods are very manual methods that allow for human error. There is a need for an easy process of verifying smart contracts while minimizing the chance of serious vulnerabilities slipping through the cracks. The Quantstamp protocol provides this easy interface while also helping to protect developer reputations by proving on the blockchain that they have performed this auditing.

[6] Luu et al. describe this semantic gap in their paper “Making Smart Contracts Smarter.” They propose to enhance the operational semantics of Ethereum and offer a symbolic execution tool called Oyente to find bugs in smart contracts. We pragmatically believe that very few developers, in practice, will ever utilize such tools, just as very few do in the ordinary practice of software engineering.

Quantstamp, by example

Suppose a developer plans to deploy a smart contract written in Solidity on Ethereum. There is substantial risk when writing code that accesses a monetary system, and the developer must