SCSA Member Spotlight: Quantstamp

SCSA Member Spotlight: Quantstamp

Quantstamp is leading blockchain security company based in San Francisco and a founding member of the Smart Contract Security AllianceIt was founded in 2017 and is now a leading provider of smart contract security, and also develops enterprise blockchain solutions


We recently sat down with Quantstamp CEO Richard Ma to chat about Quantstamp and how security standards can help the industry.


Tell us a little bit about yourself and Quantstamp


I'm Richard Ma, CEO of Quantstamp.We help companies, both large enterprises and new up-and-coming startups, secure and deploy their blockchain projects.


We've been very fortunate, and have been doing very well over the last two plus years. We've secured over 1.5 billion dollars worth of value through our smart contract audits and various Security Solutions. In early 2018, we attended Y-combinator and that was an excellent experience. We have been very focused on bringing smart contracts to the mainstream in a safe and secure manner so that eventually, lots of people feel comfortable using it.


Can you share a bit about your background? What drew you to the blockchain, and how did you get involved?


Initially I was working in trading, mainly commodities, and that was very educational. What I found interesting was that every single day there were billions of dollars exchanged in the stock market. But at the same time, if I wanted to go and send a bank wire to one of my friends, it would be a slow, cumbersome process. You need to go to the bank, and they cost anywhere between $10 to $35, and it takes them at least three days to get it, which, especially as I was working as a high-frequency trader, felt like an eternity. 


I was drawn to blockchain because I saw this sharp contrast between what's possible today with the internet, and the state of inefficiency in finance. This idea that with the rise of the internet you could have instant financial transactions—instead of having individual countries that have their own rules, you have a global system where anyone can do business with anyone. That made me very interested in Bitcoin and Ethereum, but specifically, Ethereum, because it allows you to create programmatic rules that can form the backbone of future global financial transactions on these things called smart contracts. However, while Ethereum allows you to do a lot, at the same time, there are some potential security issues


When I was initially interested in Ethereum, I invested in something called The DAO, which was like a global corporation that was run by its members using smart contracts. It turned out that there was a bug in the DAO and part of my investment was stolen in the well known DAO Attack. That’s when I realized security was going to be very important for blockchain technology to take off.


How did your company initially start your blockchain work


I think the story started when I took part in The DAO. Its subsequent events got me interested in future-facing businesses; and their need for security solutions for mission-critical infrastructure. At the time, and still to this day, there were very few experts who could audit smart contracts because it's such a new technology. It became apparent that there is a need to be able to scale smart contract security. 


So in the middle of 2017, along with my co-founder and Technical Fellow Steven Stewart, we started to work on an idea of how we could audit more smart contracts automatically. Over time we actually built a decentralized security network. Then we also signed up more and more customers needing enterprise audits. That's been a fascinating journey.


How has your company evolved as the space has matured? What services are you providing now compared to when you started?


In 2017 when we started, there were just a handful of new startups that were trying to innovate with smart contracts like those on Ethereum. We were primarily targeting small startups.


Today, there are lots of different platform options beyond Hyperledger and Ethereum. There’s Corda, Quorum, Polkadot, Klaytn, Tendermint and many more. Also, many startups have now built fully-fledged blockchain solutions, and a lot of more extensive enterprise companies have entered the space. That includes many well-known names in the manufacturing industry, the automotive industry and also many banks. I would say there's been substantial evolution in the blockchain space, and that's going to continue.


In your opinion, what are some of the biggest challenges right now in blockchain security?


I would say there are three large challenges right now in blockchain security. The first challenge we see is there's no standard for what an audit should look like. 


What are things that should be checked because there are so many different types of attacks? In traditional penetration testing, there is something called the OWASP Top 10. There's a lot of standardized security tools that can check your website, but that does not exist currently in the blockchain industry. So one thing I really like about the SCSA, is the idea of trying to create standards over time by aggregating the best practices for many different top-tier companies.


The second biggest challenge is that there's still a lot of information asymmetry concerning security practices. The main reason is that the technology evolves quite quickly. Lots of the materials that are out there are already out of date. Today, many types of attacks have been patched or are no longer possible, but new ones have emerged. This will continue for quite some time because the technology is still in rapid development. 


I think the third challenge is each time a new entrant comes into the blockchain industry and tries to start a company, they are starting from scratch. They're making a lot of the same types of errors when they approach blockchain application development. This is similar to how web development used to have a lot of reinventing the wheel. I think this will happen for some time until enough of the expertise has been built up in the industry. Until there’s enough experienced blockchain developers who are going to disseminate themselves into other projects, industries or start new ones. Like any ecosystem it will mature over time, but we’re not there yet. 

Do you have any interesting customer stories that you would like to share?


We recently finished a project for Siemens, which is trying to build smart contracts inside of their own organization. These are not public smart contracts that anyone in the world can access. They want to improve the efficiency inside of their manufacturing processes. Quantstamp helped them to build a new better type of analyzer that they can use inside of their own system. That's been deployed live and is accelerating their project development cycle.


The second example is Emaar Properties. They built the Burj Khalifa which is the tallest building in the world and are the largest real estate company in the world. They're using blockchain to track their loyalty points system and also helping to track referrals from when people sell real estate. Quantstamp has been working closely with them to make sure that their system is safe, well designed and secure. There's recently some awesome news that's coming out. I think they're ready to deploy early this year.


The last example is Omisego. They've been doing really interesting work in consumer payments. We’ve worked closely with them to build the next version of plasma which is a scalable system for payments. That's more on the audit side, and I’m pretty excited about what they're going to do this year.

What is the role of standards today, and which standards would really be especially useful for companies building more and more sophisticated blockchain systems?


I think one set of standards we will see in the future is continuing to improve code for usability, and also having a set of standardized architectures for how to build complicated smart contract systems. The main reason why is because of counter examples. 


Currently many companies still roll their own systems and have their own naming conventions; even with very well-used and pretty complicated smart contracts. I'll give an example of that. 


MakerDAO and DAI is a really well used system—currently both inside of MakerDAO’s own systems such as oasis.app and also inside of third party applications such as Compound, which is leveraging DAI. In February, more than $1Billion was locked up into the Maker system, and the larger Maker ecosystem. However, its coding convention is very non-standard. The variable names don't actually mean anything, and that makes it very hard to audit because you're trying to figure out what's the difference between flip, flap and flop. 


I think in the future, these types of things will become more standard. More and more money will be going through them, so it's important for the open community to be able to easily understand how these systems work and audit them.


The second thing I think will happen over time is that bigger companies and organizations will want to have more open source standards when they are building big systems. 


Currently, as part of the Smart Contract Security Alliance, we are trying to build the standards. Over time, more companies will join the SCSA and provide part of their codes and policies, to be open sourced, and be considered best practice. The SCSA will make it easy for people find and use these resources, helping new projects innovate further.


What is Quantstamp planning for the future?


Currently we are helping build solutions for the growing DeFi market - smart contract based projects that mirror and improve upon centralized financial tools. One thing that I think is going to be important, is having security both before decentralized finance projects are deployed, and also afterwards.


We've been working on live security monitoring and figuring out ways to provide insurance-like coverage to protect the live value inside of those contracts. I think eventually if the value reaches the billions of dollars, regular consumers will require it from these companies, so that's a really big potential growth area.

Education is important, what has Quantstamp been doing to increase knowledge about blockchain best practices?


We published a book called “The Fundamentals of Smart Contract Security”. It was published by Momentum Press. It's available on Amazon and as an e-book


We have also been involved in a lot of events where we talk about security best practices. You can find some of these talks on our Youtube Channel.

How do you see the future of the blockchain security ecosystem in terms of different technical stacks that companies are using?

I've seen a lot of convergence in terms of using WASM. Even for Ethereum they have considered a variant called eWASM. I think using existing languages that a lot more developers are familiar with is a good way to help mainstream software developers easily onboard into blockchain development. I think that's going to be a really big convergence.


The other open question is whether there are still going to be a lot of different computing platforms in the future. There is Ethereum, Hyperledger and many others. I think that maybe there's going to be several vertices in the future. I definitely see Hyperledger having a strong preference on the enterprise side. Maybe in the future there is going to be some consolidation. People will gravitate towards certain platforms that already do most of what they want in terms of having the right developer ecosystem, having the right dev tools, and so on. 


For companies this all means having a sufficiently large number of potential employees who understand how to build something on these tech stacks. That's kind of where I see the blockchain security ecosystem evolving towards. Eventually there will be some convergence.