September 28, 2019

Introducing the first Bug Prediction Market
Wow, it’s legit. Two years ago, I tried to write my first smart contract, and I wanted somebody who’s an expert to review it with me for security and for intended behavior, and I couldn’t find anybody without spending fifty to a hundred thousand dollars. Solidified is a full-service audit platform, and what this means is that we perform all layers of technical due diligence, security and intended behavior verification that’s needed to assert the biggest quality on a company that we can. Why this actually matters is that smart contracts are rapidly becoming a part of our world: a part of the legal world, the financial world, technology. And we’re all trying to make sure they work as intended, because these systems are unsupervised, so they have to work as intended; if they don’t, we have a serious problem. If you think about testing as a good way to make sure the code does what you want it to do, the other way around is that I have to make sure that it doesn’t do anything that I don’t want it to, and that’s pretty hard; it’s basically infinite work. We have started using some very simple methods to make it easier for our auditors to assess the complexity of contracts, and we are now working on a more interesting tool which helps you to analyze the similarity of different contracts using all the data available out there. The way the whole market secures smart contracts is still faulty to some extent. There’s still room for misuse; there’s still room for malicious actors. We need to fix the audit process that is currently being done, not just by us but pretty much by every audit firm out there, in order to raise the bar for security in this space. I think one of the biggest challenges with the smart contract audit market right now is really related to the challenge of trust in general in smart contract audits, because it’s really difficult to determine the difference between, let’s say, malice and ignorance when it comes to smart contract security.

It’s causing some of the good experts to go to the dark side and try to make a lot more money on it than they could have made by disclosing it ethically. The auditor itself has nothing at stake, so he can do a bad job and still get paid, and life moves on. If you don’t have that much to lose, what’s your incentive to do an excellent job during a security audit? We would like to introduce the concept of a bug prediction market in order to open this up to a bigger audience and let anybody wager their reputation and money on the security of a contract. The bug prediction market essentially lets auditors or other experts stake some level of reputation on whether or not they can determine if a bug exists in code. This is important because in bug bounty programs you’re rewarded for submitting a bug, for saying “hey, this code is not secure,” but right now there’s no way for you to be rewarded for saying “hey, this code is secure.” There’s ultimately no way to decide right now whether every bug has been found in a program or whether the incentives for finding the bugs aren’t enough. Your ability to correctly predict the outcome is very skill-based: how much you know about Solidity or how much you know about the smart contract ecosystem directly impacts your ability to properly and accurately guess the outcome. It’s not just wisdom of the crowd; there’s actually an element where one person who’s very, very good at reviewing contracts, auditing contracts and reviewing code will have a much higher likelihood of correctly guessing the outcome. The key idea behind the bug prediction market is developing a security confidence metric: a way for end users, for investors, for people that have to ultimately interact with your DApp, to have an idea of how secure it actually is and how much trust they can put in it. The best way that I found as a researcher of doing this is the bug prediction market.

The price of these markets basically represents the probability that the smart contract will be hacked, or whether it is safe or not. If our community believes that the contract is maybe 85% secure, then we can think of it as a sort of stamp of approval for the smart contract. The Solidified stamp enables you to nearly prove that your smart contract is secure. So at least what you can do is prove that you did everything within your possibilities: you used the most advanced way of securing a smart contract, and you can show that to everyone. So what happens if a company includes the Solidified stamp on their platform, or on their app, is that they can actually prove that what they did is secure.

© Copyright 2019. Tehai. All rights reserved.