Express Quantstamp contracts as javascript — Audit completed

Quantstamp is a scalable and cost-effective smart contract security audit system. To make it easier to understand, I express the Quantstamp contracts as JavaScript. Please refer to the white paper or the official blog for more information.

GitHub: quantstamp-contracts-js

Brief overview of Quantstamp

Smart contract security is essential to prevent security incidents like the DAO hack. Unfortunately, the current smart contract validation process requires human experts, so it is expensive and error-prone. Quantstamp addresses this problem by building an audit system on the Ethereum network.

First, a developer submits their code through the Quantstamp contract along with QST tokens, which are taken by a validator as the reward. A validator (qualified by Quantstamp) picks up a submitted request and performs the security check. This check is an off-chain activity carried out by the security audit engine.

The engine consists of several components, such as the Security Library, which evolves to respond to new vulnerabilities. As its verification output, the engine produces a report, and the validator adds this report to the next Ethereum block. Reports can be public or private: public reports are visible to everyone in a human-readable form, while private reports are encrypted.

QST State transition

As an audit progresses, there are a few possible states, as shown in the diagram above. This time I focus on the red-line transition, which is the successful process without any error. Let's break it down into three steps:

  1. Developer requests an audit
  2. Validator gets the audit request
  3. Validator submits the report

1. Developer requests an audit

A developer submits the ‘Samp’ contract, paying 10 QST for verification, by calling the ‘requestAudit’ function of QuantstampAudit.sol. This contract contains all the logic of the audit process.

Look at the ‘requestId’ returned by the requestAudit function. This is a unique id for the request.

By the way, the request itself is stored in another contract, ‘QuantstampAuditData.sol’ (the ‘auditData’ reference below). This is a storage contract.

developer.run(function() {
  // Create a contract to be audited
  Samp = new Sample();
  // Cost of verification (in QST)
  const cost = 10;
  // ...
  // Request audit; the returned requestId identifies this request
  requestId = QSTAudit.requestAudit(Samp.address, cost);
});

/********** QuantstampAudit.sol **********/
requestAudit(contractUri, price) {
  // ...
  // Persist the request in the storage contract (auditData)
  const requestId = this.auditData.addAuditRequest(
    from, contractUri, price);
  // Add request to queue
  this.queueAuditRequest(requestId);
  return requestId;
}

The structure of a request is as follows.

class Audit {
  // ...
  constructor(requestor, contractUri, price, requestBlockNumber, state,
              auditor, assignBlockNumber, reportHash, reportBlockNumber,
              registrar) {
    this.requestor = requestor;                   // developer who requested the audit
    this.contractUri = contractUri;               // where the contract to audit lives
    this.price = price;                           // QST offered as the reward
    this.requestBlockNumber = requestBlockNumber; // block in which the request was made
    this.state = state;                           // current AuditState
    this.auditor = auditor;                       // validator assigned to the audit
    this.assignBlockNumber = assignBlockNumber;   // block in which it was assigned
    this.reportHash = reportHash;                 // hash of the submitted report
    this.reportBlockNumber = reportBlockNumber;   // block in which the report was submitted
    this.registrar = registrar;
  }
}

2. Validator gets the audit request

A validator calls the ‘getNextAuditRequest’ function. Then an audit is picked up from the queue.

Please note that the picked-up audit's price is higher than the minimum price, which is unique to each validator; if no queued audit pays enough, nothing is assigned.

validator.run(function() {
  // Get audit request
  QSTAudit.getNextAuditRequest();
});

/********** QuantstampAudit.sol **********/
getNextAuditRequest() {
  // ...
  // Dequeue the first request whose price meets this audit node's minimum
  const minPrice = this.auditData.getMinAuditPrice(msg.sender);
  const requestId = this.dequeueAuditRequest(minPrice);
  // there are no audits in the queue with a price high enough
  // for the audit node
  if (requestId === 0) return;
  // Update storage contract
  this.auditData.setAuditState(requestId, AuditState.Assigned);
  this.auditData.setAuditAuditor(requestId, msg.sender);
  this.auditData.setAuditAssignBlockNumber(requestId, block.number);
  // ...
  // push to the tail
  this.assignedAudits.push(requestId);
}

3. Validator submits the report

The validator submits the report to the contract, attaching the report hash. Please note that the validator must submit the report within the audit timeout period; a report that arrives after the allowed number of blocks moves the audit to the Expired state instead.

Finally, the validator obtains QST tokens as the reward, and the contract created by the developer is verified as secure.

validator.run(function() {
  // Report hash -> the following construction is not the real one
  const reportHash = CryptoJS.RIPEMD160(
    CryptoJS.SHA256(JSON.stringify(Samp))).toString();
  // Submit report
  QSTAudit.submitReport(
    requestId, AuditState.Completed, reportHash);
});

/********** QuantstampAudit.sol **********/
submitReport(requestId, auditResult, reportHash) {
  // ...
  // Last block in which a report for this audit is still accepted
  const allowanceBlockNumber =
    this.auditData.getAuditAssignBlockNumber(requestId) +
    this.auditData.auditTimeoutInBlocks;

  // auditor should not send a report after its allowed period
  if (allowanceBlockNumber < block.number) {
    // update assigned to expired state
    this.auditData.setAuditState(requestId, AuditState.Expired);
    return;
  }
  // update the audit information held in this contract
  this.auditData.setAuditState(requestId, auditResult);
  this.auditData.setAuditReportHash(requestId, reportHash);
  this.auditData.setAuditReportBlockNumber(requestId, block.number);
  // ...
  // Validator gets QST tokens as the reward
  this.auditData.token.transfer(from, auditPrice);
}

Future study

This time I only focused on the normal state transition. For the other transitions, please check the actual smart contracts.

Quantstamp is now live on the Ethereum mainnet, so you can actually request an audit. Please check this out as well.


Express Quantstamp contracts as javascript — Audit completed was originally published in Coinmonks on Medium.