Blockchain Auditing and the Industry’s Knowledge Gap
The advent of smart contracts has long drawn interest for its potential to revolutionize business agreements. There’s just one problem, and it’s one that has affected many spheres of the cryptocurrency space: a knowledge gap. This gap exists between people who specialize in conventional legal terms and contracts and those who specialize in the technological programming of the blockchain.
On a recent episode of The Tatiana Show, host Tatiana Moroz interviewed Hartej Sawhney, president and co-founder of the cybersecurity firm, Hosho. Calling in from the back of a taxi cab in Istanbul, Sawhney explained that Hosho’s business advantage has developed around overcoming the knowledge gap.
“We see ourselves as a cybersecurity company that happens to focus on the cryptocurrency/ blockchain space,” said Sawhney. “What we’ve been doing to date has been building up a team of white hat hackers, people who have a strong background in the DevCon community.” For those unfamiliar with DevCon, it is considered to be one of the world’s largest and most well known hacker convention.
Headquartered in Las Vegas, Hosho focuses on auditing smart contracts “on any blockchain” and simulating cyber attacks to test the security of different systems. In addition, Hosho is also developing other cyber securities solutions for the space such as a multi-sig wallet for Ethereum and a Telegram group bot that detects phishing scams.
Fraud and Mistakes
Smart contract auditing remains the core of Hosho’s work. “Everything to date has been mostly people taking advantage of the fundraising mechanism of an ICO on the Ethereum blockchain,” said Sawhney. Auditing means that the developers are checking to make sure a smart contract is doing what it is supposed to do.
Sawhney pointed out that auditing smart contracts has shown him that there is a knowledge gap when it comes to finding developers with competence in Solidity, the language used to write Ethereum-based smart contracts, who are then able to perform these audits. And, according to Sawhney, the other side of this problem is that those developers who are actually proficient at Solidity, for the most part, are “too rich to get out of bed.”
Hosho’s strategy for dealing with the knowledge gap is finding people with cybersecurity backgrounds and teaching them Solidity.
Essentially, to the public, projects with misfiring smart contracts fall under the category of scams.
At EthBerlin, a gathering of 7–8 of the biggest cybersecurity professionals in this space will converge to standardize what a smart contract audit entails. Given the early state of the industry, Sawhney went on to say that the gathering, while sorely needed, is also well-timed for establishing an international framework for self-governance before one is imposed by an entity outside of the industry.
While Sawhney stated that the knowledge gap is a real problem for the industry, he noted that standards were improving. “In North America, every single exchange has made it a standard to check for a professional third party audit. Asia has some catching up to do … The speed at which a cryptocurrency gets listed in Asia is a lot faster than anywhere else. This is also what makes Asia an exciting market.”
The New Standard
Hosho’s standard for a smart contract auditing consists of a full audit of the language and code in their smart contracts followed by an itemized list provided to the client of all the quandaries that Hosho has identified with its capacity to be smoothly executed.
After the client addresses the errors, Hosho provides a second audit to make sure that the contract’s code has been fixed. Once approved, Hosho, in effect, stamps the code to certify that the code has been audited by a third party: That seal is valid up until the point that the code is edited again.
Although this seal is of interest to legal teams and government officials, Sawhney pointed out that, in the majority of cases, “the one person who reads our report is the exchanges.” This emphasis on exchange approval is tantamount to making smart contract audits a standard security procedure.
Like Sawhney, Tatiana’s other two guests were concerned with establishing and maintaining standards within the cryptocurrency and blockchain ecosystems. In addition to Sawhney and his views on cybersecurity, Connie Gallippi described the journey of forming her Bitcoin nonprofit, BitGive, while Bitcoin Magazine’s managing editor, Christie Harkin, explained some of the rules for maintaining editorial objectivity in cryptocurrency journalism as well as some guidelines for successful news story pitches.
For these interviews and other content in the cryptocurrency space, find The Tatiana Show on the Let’s Talk Bitcoin Network.