Quantstamp: Auditing Smart Contracts



Ethereum is the largest platform for developing decentralized applications on a blockchain. More than 6 million ETH are tied up in smart contracts on the Ethereum network, and more applications are being built every day. Ethereum smart contracts are written using a proprietary coding language, Solidity. The sheer volume of coding involved in these projects is inherently prone to mistakes and vulnerabilities, leading to security concerns about potential attacks. Programmers learning Solidity are even more likely to make errors.

Quantstamp (QSP) has developed a smart contract auditing method to find and correct these errors. Running Validation Nodes on the Ethereum network, the QSP protocol can review ERC20 tokens for common mistakes. Using both human and automated reasoning, QSP can discover weaknesses in the source code and keeps an updated library of each one. After completing a satisfactory audit, the smart contract is given an Proof-of-Audit stamp within its hash.


The Quantstamp Network (QN) operates nodes on the Ethereum blockchain. These nodes process smart contracts (SC) through a security audit engine to validate the integrity of the contract. Validation Nodes (VNodes) run the QSP protocol and publishes a report. The SC is held in escrow at this time, and QSP encourages skilled programmers to attempt to find new issues. Any new bug found in the code is updated to a network-wide database. Developers can then correct vulnerabilities, securing their projects from defects and attacks. Once a VNodes deems the contract satisfactory, a Proof-of-Audit is included in the SC hash.

The QSP protocol has two components:

  1. Automated software that scans Solidity within SCs, and checks against known issues.
  2. Bounty payout to programmers to find new problems and update the security library.

Developers and users can submit the source code for their project, and a processing fee, to QSP. They are encouraged to include a substantial bounty reward for programmers to discover vulnerabilities.

The submitted source code is then distributed across the QN and VNodes begin the protocol. The smart contracts are processed through a Security Auditing Engine that utilizes a combination of automated techniques. During this time, the source code is made available for programmers to look for bugs.

The Security Audit Engine utilizes several established reasoning methods:

  • Propositional Satisfiability (SAT)
  • First Order Logic
  • Bounded Model Checking
  • Static Analysis
  • Symbolic Execution
  • Satisfiability Modulo Theorem (SMT)

VNodes update the network database of known issues, the Security Library (SLib), with additional discoveries by the security engine and bug finders. These updates can then be applied to the automated auditing process. Completed audits issue private reports, which flag critical issues for developers.

In order to achieve satisfiability, there must be a consensus among VNodes across the QN. The hash of the smart contract is stamped after successful validation. Once completed, the Proof-of-Audit will assure users and investors of the reliability and security of the SC. After deployment, a public version of the report will be made available.

Quantstamp rewards community members for participating in social media and real world engagement activities. Users who post content regarding QSP or security measure can submit a Proof-of-Caring to Quantstamp. Valid submissions are then eligible to receive tokens for whichever company is being audited. Individuals in China, South Korea and the United States are not able to participate in airdrops by law.


The distributed nature of the QN ensures a minimum level of fault tolerance. Should any VNode miss of fail to report an issue, other nodes on the network will catch this. Node operators must stake QSP tokens, which are insurance against any misuse of the network or malicious activity.

Issuing public reports of critical vulnerabilities could be used as a starting point for would-be attackers to gain entry. To prevent this, QSP issues private reports to developers indicating issues within the source code. Once the developers have corrected the problems, they can re-submit the SC for auditing. Only after a project is deployed will the reports be made public, and the errors within should already have been addressed.

The SLib collects known issues within the Solidity language. This can also be used by hackers and bad actors to glean information on how to penetrate Ethereum SCs. To counter this threat, QSP will release updates to the SLib on an incremental basis. Developers and registered users can pay a subscription fee to re-validate contracts using the updated library.


Given the infancy of the blockchain technology, smart contract adoption, and Ethereums Solidity programming language, technical errors and vulnerabilities are apt to occur. There is a growing demand for automated tools that allow developers to create more secure applications with a higher degree of security. Since the cryptocurrency markets inherently involve large sums of money, this demand is of utmost concern. Quantstamp provides a decentralized platform to meet this need.

Verification using computational reasoning has limits, but additional oversight and debugging from skilled programmers can guarantee accuracy and find new problems. Using the QSP protocol, node operators and bug finders can be compensated for putting in the work to provide more reliable security measures.

Building a repository of known issues will allow developers to write better code more efficiently. The Proof-of-Audit signature in the contracts hash will assure investors and users of the projects dependability and safety.

Due diligence is an essential aspect of investing or participating in the emerging crypto-markets. Quantstamp provides essential information regarding the source code of an asset, something most people are unable to assess for themselves. Having a quick method for determining the reliability of a programs back-end is invaluable. Existing applications can stay abreast of the latest security issues and correct them before they are exploited. New projects will be held to a higher standard.

This will lead to innovation.

Leave a Reply

Your email address will not be published.