Smart Contract Audit Industry Comes of Age
The number of smart contracts is expected to reach 10 million in 2018. Smart contracts are accessible globally and store large amounts of value, which makes them an attractive target for hackers, as was seen with The DAO and Parity wallet vulnerabilities. Once smart contracts are deployed, the code cannot be changed or patched easily, which has led to an immense need for audits. Diar speaks to Eduard Kotysh, CEO of Solidified, a comprehensive smart contract audit platform that has worked with Gnosis, Polymath, Bankera and Melonport, amongst others.
The number of smart contracts is rapidly growing. Between June 2017 and October 2017, the number grew from 500,000 to over 2,000,000, with expectations to hit 10 million in 2018. The majority of smart contracts in Ethereum are written in Solidity, a programming language that was initially proposed in 2014 by Gavin Wood and later developed by the Solidity team led by Christian Reitwiessner. Solidity is also prevalent in other projects utilizing smart contracts, including permissioned Hyperledger, permissionless Hedera Hashgraph and others.
While there are some alternative languages, Solidity has become the most widely used smart contract language because it was implemented fast and solved immediate problems, which allowed it to gain inertia and network effects. The language doesn’t come without its fair share of criticism mainly because of its permissiveness and the lack of intuitiveness. In June of 2016, an attacker drained more than 3.6Mn ether ($50Mn at the time) because of a vulnerability found in The DAO smart contract code, which consequently led to a hard fork of Ethereum to recover the lost funds.
Philip Daian, a PhD researcher at Cornell University, said that The DAO hack “was actually not only a flaw or exploit in the DAO contract itself, Solidity was introducing security flaws into contracts that were not only missed by the community, but missed by the designers of the language themselves.” He added: “I refuse to lay the blame exclusively on a poorly coded contract when the contract, even if coded using best practices and following the language documentation exactly, would have remained vulnerable to attack.”
Another issue with writing smart contracts, regardless of what programming language is used, is that once they are deployed, the code cannot be changed, and it becomes really hard to patch issues since the contracts are immutable. Ilya Sergey, a computer scientist at University College London, analyzed a sample of nearly one million smart contracts and found that 34,000 are vulnerable. Moreover, since they are accessible globally and usually store value, they become an attractive target for hackers. According to Group-IB, each ICO is attacked about 100 times within a month on average, and according to EY, more than 10% of ICO proceeds are lost as a result of attacks. Apart from ICOs, multi-signature wallets have also been targeted by hackers.
In July of 2017, 150,000 ether ($30Mn at the time) was stolen as a result of a bug in the Parity multi-signature contract. Another security vulnerability in the Parity multi-signature contract was found just four months later and ended up rendering approximately 500,000 ether ($150Mn at the time) inaccessible. After the second vulnerability was found, Parity asserted that they have high standards of development, including peer reviews and a bug bounty program. Mr Kotysh tells Diar that a possible reason for not finding the Parity vulnerabilities in time is that many audit firms do not expose smart contracts to a large enough audience of experts in order to find vulnerabilities. The audit is typically led by one or two people and not followed by a bug bounty, and thus many issues are missed. An additional reason is the lack of incentives, which causes experts to not want to ethically disclose the bugs.
Competition Grows in Smart Contract Audit Industry
|1||Boutique Audit Solutions||1. Initial Audit (all other steps are optional) - mostly private audits||Consensys Diligence, Zeppelin, New Alchemy, Hosho, SmartDec|
|2||Audit Platforms||1. Initial Audit (multi-expert along with automated tools) 2. Client Fixes Issues 3. Re-audit (Verification of Fixes) 4. Bug Bounty 5. Publish all reports||Solidified, ChainSecurity|
|3||Automated Tools and Formal Verification||1. Automated Audit 2. Optional Bug Bounty||Quantstamp, Fujitsu, Securify|
Writing a secure smart contract requires extreme levels of diligence, and third-party verification is both time- and resource-consuming. According to Mr Kotysh, securing a smart contract is a multi-step process that takes a minimum of two to three weeks when done correctly. The risk of critical vulnerabilities can be reduced significantly through good coding practices, a third-party audit and potentially even formal verification. Formal verification is a method that uses mathematical models to analyze the code for errors in logic. Simply put, after a property of a smart contract is proven through formal verification, it’s extremely unlikely that malicious actors can break the proven property of the contract. However, the full formal verification procedure takes months and is very expensive.
Following the many high-profile fiascos, smart contract audits are becoming more prevalent in the space. Consensys, a blockchain development company, also has a security division called Consensys Diligence, which performs smart contract audits amongst other services. Fujitsu announced in March that it is developing technology that can automatically verify, in advance, risks associated with smart contracts. Quantstamp had an ICO in November that raised $31Mn to develop a fully automated smart contract audit protocol.
Mr Kotysh tells Diar that the automated audit solutions are really good efforts but they can’t be relied on just yet. He says: “The automated solutions are academic experimental efforts. What they do at the moment is find very common low hanging issues that we already know about. They can't fully verify the intended behavior of a contract, especially in complex systems where economic models and game theory need to be examined. In order for the automated tools to be effective, someone has to explain the intended behavior of the contract to the tool itself. This process requires writing an additional piece of software by a human, which itself is highly biased and error-prone. In my opinion, relying on fully automated audit solutions won't be possible for the next 3-5 years.”
ALL IN THE OPEN
There are two other categories of smart contract audit solutions - boutique audit solutions and audit platforms (see table). Mr Kotysh tells Diar that the audit platforms are more comprehensive and transparent. The final report of all Solidified audits is published publicly on GitHub. With boutique audit firms that perform private audits, there is no guarantee whether the issues that were found were all fixed. Mr Kotysh says that Solidified rejects all clients who want a private audit.
Neufund Looks to Ease Security Filing Pains on Equity Raise Platform
As fear of regulator backlash around Initial Coin Offerings ramped up this year, which has seen the new funding paradigm begin to drop in popularity, Berlin-based Neufund have put their heads together with the German Federal Financial Supervisory Authority (BaFin) in an effort to tokenize equity offerings on the blockchain. The platform, slated to launch in the coming months, is attempting to bridge the on-chain and off-chain parallels of company structures.
It took Neufund a single month to raise over €12Mn for their Initial Coin Offering (ICO), which the company has dubbed as an Initial Capital Building Mechanism (ICBM). The monies raised through the ICBM from over 1000 investors have actually been committed and earmarked for the purchase of shares in companies that will seek to raise funds on the Neufund platform through an Equity Token Offering (ETO).
Whilst regulators worldwide continue to scratch their heads on a favourable framework for ICOs, Neufund is looking to call a spade by its name and has been gearing towards a legally compliant fundraising platform for securities under German regulator scrutiny. The platform will be available to all European Economic Area members, as well as worldwide registered organizations, but would be closed off to US investors as well as 11 high-risk countries designated by the Financial Action Task Force on Money Laundering (FATF).
The allure of raising funds rapidly, with little to no paperwork, through an ICO hasn't been dismissed by Neufund. In fact, the company has assembled its own legally compliant structure, as well as tools to assist people over the hurdles faced in offering a security.
While it would take little imagination to envision Company Registrars utilizing blockchain in the future for company structures and shareholders, the prospect remains a distant one. And as tokenized shares are not recognized by any court as they aren't officially registered, Neufund has worked around the limitation by creating both off-chain and on-chain equity agreements in order to secure legally binding documentation between the company and its investors after successful raises.
A Special Purpose Vehicle (SPV) would effectively become a documented shareholder in the country's Company Registrar for the equivalent equity that the company raising funds on the platform is willing to part with. The Investment Agreement, called Neumini, would then be parsed onto the blockchain where the equivalent equity would become tokenized. And a Token Holder agreement would be the legal bond between the SPV and the investors.
As a security offering, however, or an investment asset, usual regulatory requirements such as a Prospectus would be required. Neufund plans to assist fund seekers by providing a Prospectus template, which the company has called "Prospectus Light", where no more than the usual VC Pitch Deck or Business Plan would be required. The template would also include ready Legal Disclaimers that would then be passed onto BaFin for final approval, a process that should not take more than 6 weeks according to Neufund.
Most notably, unlike in the United States where the Securities and Exchange Commission (SEC) requires investors be accredited, under the ETO framework retail investors would be allowed in both public and private placements.
SLIGHTLY CENTRALIZED... FOR THE TIME BEING AT LEAST
While the tokens will be on the Ethereum Blockchain, and tradable, the availability on secondary markets will be limited to the partnerships that Neufund is building with various exchanges.
And while BaFin does have to approve the ETO, the first green light to get onto the platform will have to come from Neufund itself. But the walled garden approach might prove to be beneficial in instilling investor trust within a small blockchain microcosm.
Robinhood Ambitious on Crypto Trading Amid Mega Raise
Robinhood, a fintech startup that developed a commission-free trading platform, announced that it had raised $363Mn in a funding round led by DST Global. The company now boasts more than 4Mn users, $150bn in transaction volume and is valued at $5.6Bn.
While originally Robinhood only allowed feeless stock trading in an app, the company enabled options trading last year and launched a web version. This year, Robinhood has begun rolling out its new service dubbed Robinhood Crypto. The commission-free service is so far limited to bitcoin and ethereum investments and is only available in 10 states in the U.S. The expansion to new states happens when the company secures the necessary licenses for each state. Baiju Bhatt, Robinhood’s co-founder and co-CEO, expects all states to be covered by the end of 2018. Other unspecified cryptocurrencies are going to be rolled out eventually, according to Bhatt.
Mr Bhatt said: “We expect by the end of the year to be either the largest or one of the largest crypto platforms out there but we also really feel we’ll have the absolute best experience for investing in crypto as well—from having a large variety of coins available to a more favorable cost structure—mainly no commissions—to just quality of product.” At this time, Robinhood doesn’t support cryptocurrency withdrawals but plans to do so in the near future. Mr Bhatt's plans are ambitious, to say the least. Coinbase crossed 20Mn customers in March and now stores more than $20bn worth of cryptocurrencies. It is currently available in 32 countries.
Robinhood Raises Millions, But Coinbase Still Ahead
|3||Notable investors||DST Global, Index Ventures||Digital Currency Group, Andreessen Horowitz, NYSE, USAA and BBVA|
|4||Users||4 Million||20 Million|
|6||Supported crypto||Bitcoin, Ethereum||Bitcoin, Ethereum, Litecoin, Bitcoin Cash|
While Coinbase brought in $1bn in revenue last year from trading fees, Robinhood won’t charge any commissions on cryptocurrency trading. Robinhood’s revenue is generated by charging for a premium subscription service, Robinhood Gold, and also by collecting interest on fiat deposits.
Facebook Jumps onto Blockchain Bandwagon
Facebook is known for having tendencies to invest in emerging services and technologies. In the past four years, the social media giant has acquired Instagram for $1Bn, WhatsApp for $19Bn and Oculus for $2Bn. David Marcus, a former Head of Messenger at Facebook and a former CEO of PayPal, who also joined Coinbase’s Board of Directors in December, announced that he will be setting up and heading a small group to explore how to best leverage blockchain across Facebook. The blockchain group will report directly to the company’s CTO, Mike Schroepfer.
In January, Mark Zuckerberg expressed his concern with the internet, which is becoming too centralized and controlled by a handful of large companies, including his own behemoth. He acknowledged that Facebook is making too many errors enforcing its policies and preventing misuse of its tools. Mr Zuckerberg said: “A lot of us got into technology because we believe it can be a decentralizing force that puts more power in people’s hands.”
He also discussed possible counter-trends that can help decentralize the internet, namely encryption and cryptocurrency, which can take power from centralized systems and put it back into people’s hands. “I'm interested to go deeper and study the positive and negative aspects of these technologies, and how best to use them in our services,” he concluded. The move to research blockchain is not that much of a surprise, but it still begs the question of how exactly Facebook can utilize the emerging technology.
An almost obvious answer to this question would be the implementation of self-sovereign identity (SSI) (Diar, 30 April). SSI, or decentralized identity, which is powered by blockchain, would allow all Facebook users to store and control their personal data. Instead of the data being saved on Facebook’s servers, the data would be stored locally with each user, who could selectively permission who gets access to specific pieces of information.
Possible Blockchain Use Cases for Facebook
|1||Self-sovereign identity||Decentralize the storage of personal data → less liability and responsibility|
|2||Payments||Nearly instant domestic and cross border payment settlement → competitive advantage against established players|
|3||Utility token||Create a Facebook economy → incentivize content creation (YouTube model)|
It could be an appeasing answer to the Cambridge Analytica scandal, in which the personal data of 87Mn users was compromised. While being questioned by the press following the scandal, Mr Zuckerberg said: “For some reason, we haven’t been able to kick this notion, for years, that people think that we sell data to advertisers. We don’t.”
The company could also seek to use blockchain to enable users to instantly settle domestic and cross-border payments with end-to-end tracking. It is currently possible to pay other Facebook users with a debit card but Facebook struggles to compete against Venmo in the U.S. and WeChat Pay and AliPay in Asia. If Facebook had a solution that worked internationally, it could prove to be a significant competitive advantage.
Another possibility that Facebook could consider is creating its own global digital token, which would be paid out to users to incentivize the creation of content, similarly to what YouTube does. Following the recent regulatory uncertainty around the legality of utility token issuance and whether the tokens would be considered securities, such an option is unlikely in the short term.
© 2018 Diar Ltd.