Quantstamp - protecting against the next DAO hack

Depending on when you entered the market of crypto, the DAO hack is either the most prominent example of smart contracts gone wrong -- or something that you've never heard of. The DAO stood for "decentralized autonomous organization" and it was meant to be an investor-directed fund - where investors would reach consensus on investment decisions, but there was no formal organization actually choosing investments (as there is with traditional mutual funds or venture capital funds).

It was an ambitious objective; the concept of a DAO has been talked about for years in cryptographic circles as a philosophical shift from centralized, top-down organizations. The DAO, the company, was meant to be a major push in that direction. They raised over $30 million and all was set for a smart-contract driven company to test the waters of autonomous, decentralized investing.

Only there was one problem. The smart contract had serious security vulnerabilities which were exploited by an opportunistic hacker. The hacker stole 3.6M ether. That amount has a value today of approximately $1 billion (at the time, it was closer to $50M). Nonetheless, it was a huge amount.

The theft was so large and it was believed that the loss of confidence could jeopardize trust in Ethereum (on which the smart contract ran). There was lively debate on whether to nullify the theft by changing the blockchain. On one hand, it's a blockchain fundamental that the chain is immutable- it cannot be changed for any reason. On the other hand, this was an anomalous, massive incident. It was decided to return the money to the victims; as as result Ethereum Classic was created- that is the Ethereum blockchain which did NOT return the funds (for those who believe that changing the blockchain goes against the whole principle), while the Ethereum blockchain was changed to restore the funds to The DAO investors.

And it's not just The DAO; many ICO's have had their smart contracts hacked with millions taken. CoinDash and Veritaseum have had funds stolen during their ICO. A new company, Quantstamp (https://quantstamp.com/), has emerged to develop a roster of specialists to vet smart contracts for security vulnerabilities ahead of time. The company assembles engineers and those in related fields to examine the smart contract for potential ways it can be exploited. They also facilitate bug bounties so that individuals are incentivized to try to hack the contract code (before deployment) and report areas of weakness. By automating the process between all the parties, Quantstamp hopes that this will drive down costs and improve the resulting security of their clients' operations.

One open question is: will companies prefer to use a decentralized approach (Quantstamp) versus a single firm whose contributors are employees and don't change each time they provide service? It remains to be seen. One data point suggests companies are comfortable with the Quantstamp approach is that Request Network, a company which recently launched its ICO, utilized Quantstamp to verify its smart contract. Request was an in-demand ICO and raised 100,000 ETH (~$32M). Their ICO went of smoothly and perhaps Quantstamp's smart contract review played some role in that.

Have a look at Quanstamp's white paper for more details (https://docsend.com/view/shcsmhe).

If the early days of crypto have taught us one thing, for as much innovation as there is, and as much profit is to arise from the work of companies and investors alike, there are some number of bad actors who are not interested in adding constructively to the ecosystem, but instead probe for vulnerabilities, and attempt to "profit" at the expense of others. There have been thieves of all varieties throughout history; it's just that today's thief is technically savvy. He exploits a system which is largely unregulated and where recovery of funds is often impossible. Hopefully, Quantstamp and others looking to address this problem can fortify the exchange of cryptocurrencies and make it such that 'crypto crime doesn't pay'.