The Cryptonomist had the chance to interview Richard Ma, CEO of Quantstamp, about his project, the future of the company and more.
Can you tell us about Quantstamp, its vision, and its goal?
Quantstamp is a blockchain security company whose mission is to facilitate the mainstream adoption of blockchain applications by providing state-of-the-art security services.
We help companies, both large enterprises and new, up-and-coming startups, secure and deploy their blockchain projects. More and more, users want to see if a project they are considering using has undergone an audit. This is because there is real value at risk, and blockchain is still a very experimental technology. We’ve secured over 1.5 billion dollars’ worth of assets through more than 100 audits.
What are 2 projects that have required more work and have proved particularly difficult to verify?
There are a number of factors that impact the difficulty of auditing a given project.
One challenge is when there’s a lack of documentation, or when the documentation that does exist is poor or overly complicated. One of our recent audits was lacking documentation, so our team had to do a lot more testing to almost reverse-engineer the functionality the developers intended to achieve. This is completely backward from how it should be. When code is hard to read, it results in more upfront work, and adds a lot of back-and-forth communication to make sure everything is clear.
Over-engineering is also a major issue. Projects sometimes try to accomplish the near-impossible on-chain, so they end up large and inflated. Even if there are no vulnerabilities in the standalone code, that doesn’t guarantee that it will be deployed properly, or used in the proper context by the end-user. The most secure contracts are small, simple, and super transparent. The more features, states, and inputs there are, the higher the number of out-of-ordinary states. These projects can then be extremely difficult to audit.
A recent, well-known example (not audited by Quantstamp) concerns ERC777, where a hacker utilized an attack vector through features of ERC777 tokens to steal nearly 25 million USD worth of digital assets. Although the implementation of ERC777 is relatively small, when the functionality is stretched to the edge, interactions really matter. If we think about a project that is 100x the size of ERC777, beefed up with tons of contract options and features, this is feature pollution. 90% of the features won’t even be relevant to the end-user.
When over-engineering happens, we start by pointing out abnormal hypothetical scenarios. It’s important to remember that no project was ever hacked when it was used as intended by the developers. Instead, systems are exploited by finding an edge case, creating an abnormal situation, and ultimately going against what developers had in mind. What makes auditors good is being able to come up with edge scenarios, weird transaction orders, or unintended inputs that somehow drive the system out of ordinary, and assess if these situations could serve as an attack vector or not.
What are Quantstamp’s future development plans?
Quantstamp’s mission is to enable a future of safer and more reliable mainstream blockchain applications.
One step towards achieving mainstream adoption is getting the entire ecosystem to work together. This is one of the reasons we co-founded the Smart Contract Security Alliance, to bring together blockchain security companies, research institutions, and other organizations dedicated to securing blockchain technology and driving the industry forward. We plan to continue leading the charge on initiatives like this and helping to drive standards for the industry.
Lately, we’ve been doing a lot of work for the DeFi market. It’s exciting to see how blockchain technology is changing the way money and value are exchanged, how we view transparency, and how sensitive information is managed. The DeFi projects we’ve been securing are creating new ways of using and thinking about money. There’s a lot of innovation happening right now in an effort to address long-standing problems within a really traditional sector. Having good security both before and after deployment is super important, and as the DeFi space grows, we’re really excited to be part of this growth by securing the technology.
We’ve also had the opportunity to work on exciting and meaningful projects, showing how blockchain tech can create concrete improvements in a lot of different sectors. We want to continue making an impact by working with some of the world’s leading enterprises and securing blockchain projects that are really changing society.
What do you think blockchain is missing to become mainstream?
Companies are clearly interested in the power of blockchain technology, but they can be held back by security concerns and by not having someone to guide them. Over 1 billion dollars’ worth of digital assets has been lost or stolen due to security vulnerabilities in blockchain applications.
Our core business is helping these companies get off the sidelines and tap into the potential of this technology. We produce scalable products that address the entire spectrum of blockchain security.
With any new technology, adoption can be slow. There’s always a learning curve, along with both technical and regulatory challenges to overcome. In spite of these challenges, we already work with some of the world’s leading enterprises and research institutions. As more use cases come out, a lot of organizations, governments and enterprises are going to realize the impact this technology could have on how they operate.