<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:cc="http://cyber.law.harvard.edu/rss/creativeCommonsRssModule.html">
    <channel>
        <title><![CDATA[CertiK - Medium]]></title>
        <description><![CDATA[Elevate Your Web3 Journey - Medium]]></description>
        <link>https://medium.com/certik?source=rss----cb91b16d3c7f---4</link>
        <image>
            <url>https://cdn-images-1.medium.com/proxy/1*TGH72Nnw24QL3iV9IOm4VA.png</url>
            <title>CertiK - Medium</title>
            <link>https://medium.com/certik?source=rss----cb91b16d3c7f---4</link>
        </image>
        <generator>Medium</generator>
        <lastBuildDate>Wed, 08 Apr 2026 13:50:50 GMT</lastBuildDate>
        <atom:link href="https://medium.com/feed/certik" rel="self" type="application/rss+xml"/>
        <webMaster><![CDATA[yourfriends@medium.com]]></webMaster>
        <atom:link href="http://medium.superfeedr.com" rel="hub"/>
        <item>
            <title><![CDATA[KardiaChain Secures Hybrid Solution For Enterprises And Governments With CertiK]]></title>
            <link>https://medium.com/certik/kardiachain-secures-hybrid-solution-for-enterprises-and-governments-with-certik-7438c385fca6?source=rss----cb91b16d3c7f---4</link>
            <guid isPermaLink="false">https://medium.com/p/7438c385fca6</guid>
            <category><![CDATA[audit]]></category>
            <category><![CDATA[kardiachain]]></category>
            <category><![CDATA[smart-contract-blockchain]]></category>
            <category><![CDATA[audit-report]]></category>
            <dc:creator><![CDATA[CertiK]]></dc:creator>
            <pubDate>Wed, 09 Dec 2020 10:23:41 GMT</pubDate>
            <atom:updated>2021-03-04T20:53:42.279Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*qbZ38BBUO7FYiwTtRpJE-Q.png" /></figure><p><strong>NEW YORK</strong>, 09/12/2020 — We’re happy to announce that KardiaChain’s hybrid solution for enterprises and governments has been successfully audited with CertiK. A summary of the audit scope and findings as documented by the CertiK Professional Services Division follows up.</p><h3>Use-Case Profile</h3><p>KardiaChain is a public blockchain platform developed to facilitate enterprise and gov-grade DLT operations as an interoperability layer, hailing from Vietnam and focusing on the broader South-East Asian markets.</p><p>Kardia is designed to be able to tap into millions of users without the immense cost of educating the masses. Their <em>‘Dual Node’ </em>technology enables cross-chain communications between public and private ledgers regardless of the nature and complexity of each respective project.</p><p>With partners spanning from BlockCrafters Capital, among other VCs, to top-shelf blockchain protocols and infrastructure providers of the likes of NEO, Chainlink, Matic, and CertiK, KardiaChain is positioned to provide easy-to-adopt solutions for institutional clients.</p><h3>Code Review &amp; Auditing Process</h3><p>The initial review was conducted between October 5- October 30, by senior CertiK security engineers Georgios Delkos, and Alex Papageorgiou.</p><p>The CertiK Professional Services team assigned to KardiaChain reviewed the code implementation for the mainnet blockchain solution, effectively going through the most significant parts of the codebase responsible for the core functionality of the system, as pointed out in the project’s white paper.</p><p>A comprehensive examination has been performed, utilizing Static Analysis and Manual Review techniques. 
The auditing process focuses on the following considerations:</p><ul><li>Testing smart contracts against both common and uncommon attack vectors.</li><li>Assessing the codebase to ensure compliance with current best practices and industry standards.</li><li>Ensuring contract logic meets the specifications and intentions of the client.</li><li>Cross-referencing contract structure and implementation against similar smart contracts produced by industry leaders.</li><li>Thorough line-by-line manual review of the entire codebase.</li></ul><p>A total of 28 findings were reported in the vulnerability summary, the vast majority of which were informational (22), while only 2 minor and 4 major issues were identified. No critical issues were found during the auditing process, and the KardiaChain team alleviated all issues, pointing towards a well-written codebase by the team’s engineers.</p><p>You can review the full audit <a href="https://github.com/certikfoundation-shared/CertiK-Audits/blob/master/reports/REP-KadiaChain-04_12_2020.pdf">here</a>.</p><h3>About KardiaChain</h3><p>KardiaChain is a public blockchain platform focused on interoperability and providing hybrid blockchain solutions/infrastructure for enterprises and governments in Vietnam and other countries in South &amp; East Asia — Accessible blockchain for millions.</p><p>They are working with major service providers (enterprises and government) to decentralise their existing solutions. Our approach helps KardiaChain reach millions of users without the immense cost of educating the market. Our Dual Node technology allows cross-chain communications between any public and/or private blockchain regardless of protocol. 
This provides easy-to-adopt solutions for institutional clients.</p><p>Based out of Vietnam — KardiaChain boasts a lineup of top Enterprise and Blockchain partners — BlockCrafters Capital, NEO, Chainlink, Matic, Band Protocol, Contentos, CertiK,… VTVCab, LG CNS, Mai Linh Taxi, Vietnam Football Federation, Geleximco.</p><p>Learn more about KardiaChain: <a href="https://kardiachain.io">https://kardiachain.io</a></p><h3>About CertiK</h3><p>CertiK is an edge-standards cybersecurity firm founded by Computer Science professors hailing from Yale and Columbia University respectively, aiming to improve the security and correctness of smart contracts and blockchain protocols on a global scale.</p><p>Leveraging a seasoned team of multi-skilled engineers and security auditors, CertiK’s mission is to apply a plethora of high-level industry practices, covering the entire spectrum of static, manual, and dynamic analyses, in order to ensure each project subject to a formal audit is up-to-date with modern security standards while offering their services to the broader DLT community.</p><p>Over the past few years, CertiK has serviced more than 100 top-shelf blockchains, DeFi protocols, among other complex and/or custom smart contracts, including but not limited to Binance, Tera, Bancor, Shapeshift, and Blockstack.</p><p>Consult with one of our experts at bd@certik.io</p><p>Stay connected!</p><p><a href="https://certik.io/">Website</a> | <a href="https://twitter.com/certik_io">Twitter</a> | <a href="https://www.linkedin.com/company/certik/">Linkedin</a> | <a href="https://github.com/CertiKProject">GitHub</a> | <a href="https://shield.certik.foundation/">CertiK Shield</a></p><hr><p><a href="https://medium.com/certik/kardiachain-secures-hybrid-solution-for-enterprises-and-governments-with-certik-7438c385fca6">KardiaChain Secures Hybrid Solution For 
Enterprises And Governments With CertiK</a> was originally published in <a href="https://medium.com/certik">CertiK</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[CompliFi Secures Its Smart Contracts With CertiK]]></title>
            <link>https://medium.com/certik/complifi-secures-its-smart-contracts-with-certik-31a599c3758f?source=rss----cb91b16d3c7f---4</link>
            <guid isPermaLink="false">https://medium.com/p/31a599c3758f</guid>
            <category><![CDATA[blockchain-security]]></category>
            <category><![CDATA[erc20-token]]></category>
            <category><![CDATA[certik]]></category>
            <category><![CDATA[smart-contracts]]></category>
            <category><![CDATA[certikaudits]]></category>
            <dc:creator><![CDATA[CertiK]]></dc:creator>
            <pubDate>Mon, 30 Nov 2020 14:44:19 GMT</pubDate>
            <atom:updated>2021-03-04T20:55:00.539Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*3gZ7yQSSA6boPcIl" /><figcaption>CompliFi Secures Its Smart Contracts With CertiK</figcaption></figure><p><strong>NEW YORK</strong>, 12/11/2020 — We’re excited to announce that CompliFi’s protocol has been successfully audited with CertiK. In more detail, a summary of the audit findings as documented by the CertiK Professional Services Division follows up.</p><h3>Use-Case Profile</h3><p>CompliFi Protocol comprises a decentralized protocol for issuing several financial derivatives without counter-party risk and no default mechanism by design.</p><p>Combating drawbacks of traditional derivative platforms, such as losses from risks related to user positions’ arbitrary liquidations as well as network congestion, CompliFi takes a nuanced approach.</p><p>Instead of relying on the ability to extract more collateral from risk holders to ensure that the opposite side of the trade can be paid off in full, CompliFi constructs derivatives that are backed by a predetermined pool of collateral. There is no market risk involved, as this transaction is reversible.</p><p>Users can swap collateral for equal amounts of two ERC-20 tokens, whose sum is always adding up to a fixed quantity of collateral. At this point, there are two options:</p><ul><li>users can sell one of the two tokens at a secondary market</li><li>users can wait until settlement to claim their final share of collateral</li></ul><p>Additional features allowing the protocol to operate seamlessly include minimal governance, no margin calls or liquidations, and limited sensitivity to blockchain network congestion.</p><h3>Code Review &amp; Auditing Process</h3><p>The initial review was conducted between October 14- November 5, by CertiK engineers Alex Papageorgiou and Sheraz Arshad.</p><p>A comprehensive examination has been performed, utilizing Static Analysis and Manual Review techniques. 
The auditing process focuses on the following considerations:</p><ul><li>Testing smart contracts against both common and uncommon attack vectors.</li><li>Assessing the codebase to ensure compliance with current best practices and industry standards.</li><li>Ensuring contract logic meets the specifications and intentions of the client.</li><li>Cross-referencing contract structure and implementation against similar smart contracts produced by industry leaders.</li><li>Thorough line-by-line manual review of the entire codebase.</li></ul><p>A total of 95 findings were reported in the vulnerability summary, the vast majority of which were informational (84), while only 3 medium and 8 minor issues were identified. Although no critical or major issues were found, the CompliFi team alleviated all minor and medium issues, as well as most informational ones, pointing towards a well-written codebase by the team’s engineers.</p><p>You can review the full audit <a href="https://shield.certik.foundation/projects/complifi">here</a>.</p><h3>About CompliFi</h3><p>CompliFi (compli.fi) is a derivatives issuance protocol on Ethereum designed to entirely eliminate counterparty risk. 
It allows users to structure and issue a wide variety of tokenised risk products, tradable like any regular ERC20 token on third party protocols, while eliminating the need for collateral calls and liquidations.</p><p>CompliFi is dedicated to reaching the highest level of decentralisation, and has been designed from the outset to eschew all authority over user funds.</p><h3>About CertiK</h3><p>CertiK is an edge-standards cybersecurity firm founded by Computer Science professors hailing from Yale and Columbia University respectively, aiming to improve the security and correctness of smart contracts and blockchain protocols on a global scale.</p><p>Leveraging a seasoned team of multi-skilled engineers and security auditors, CertiK’s mission is to apply a plethora of high-level industry practices, covering the entire spectrum of static, manual, and dynamic analyses, in order to ensure each project subject to a formal audit is up-to-date with modern security standards while offering their services to the broader DLT community.</p><p>Over the past few years, CertiK has serviced more than 100 top-shelf blockchains, DeFi protocols, among other complex and/or custom smart contracts, including but not limited to Binance, Tera, Bancor, Shapeshift, and Blockstack.</p><p>Consult with one of our experts at bd@certik.io</p><p>Stay connected!</p><p><a href="https://certik.io/">Website</a> | <a href="https://twitter.com/certik_io">Twitter</a> | <a href="https://www.linkedin.com/company/certik/">Linkedin</a> | <a href="https://github.com/CertiKProject">GitHub</a> | <a href="https://shield.certik.foundation/">CertiK Shield</a></p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Ocean Protocol Secures V3 Contracts Implementation With CertiK]]></title>
            <link>https://medium.com/certik/ocean-protocol-secures-v3-contracts-implementation-with-certik-84422e4ae80e?source=rss----cb91b16d3c7f---4</link>
            <guid isPermaLink="false">https://medium.com/p/84422e4ae80e</guid>
            <category><![CDATA[blockchain]]></category>
            <category><![CDATA[certik]]></category>
            <category><![CDATA[security-services]]></category>
            <category><![CDATA[certikaudits]]></category>
            <dc:creator><![CDATA[CertiK]]></dc:creator>
            <pubDate>Tue, 03 Nov 2020 10:10:38 GMT</pubDate>
            <atom:updated>2021-03-04T20:56:20.889Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*QzEq78HcDxW20NL0enxBmQ.png" /></figure><p>NEW YORK, 30 October 2020 — Ocean Protocol, a decentralized data exchange protocol to unlock data for the broader AI industry, announced the release of Ocean V3, which introduces a series of new concepts and functions to accompany the existing protocol.</p><p>All V3 contracts featuring Datatokens, the Ocean Market, and IDOs (Initial Data Offerings), were successfully audited by CertiK Professional Services Division, signifying the green-light for Ocean Protocol’s next venture.</p><h3>Use-Case Profile</h3><p>In Ocean Protocol, each data service gets its own <strong>datatoken</strong>. This enables data wallets, data exchanges, and data co-ops by directly leveraging crypto wallets, exchanges, and more.</p><p>Ocean Protocol’s V3 contracts enable data sharing in a Web3 fashion making it easier for individuals to publish, auto-price, and sell their personal data.</p><p>Datatokens are Ethereum-based ERC-20 tokens pegged to the respective value of the underlying data asset pegged to the respective token while providing access control to the data asset owner.</p><p>Furthermore, datatokens are subject to the Ocean Market, a community marketplace to sell, buy and curate tokenized data.</p><p>Datasets of datatokens are expressed and published via Initial Data Offerings (IDOs) empowering a whole virgin DeFi subculture, making Ocean Market the world’s first IDO launchpad.</p><h3>Code Review &amp; Auditing Process</h3><p>Considering the fact Ocean Protocol’s V3 smart contracts varied in nature, CertiK experts engaged in the audit utilizing Static, and Dynamic Analysis, as well as a plethora of Manual Review techniques. 
The auditing process revolved around the following considerations:</p><ul><li>Testing smart contracts against both common and uncommon attack vectors.</li><li>Assessing the codebase to ensure compliance with current best practices and industry standards.</li><li>Ensuring contract logic meets the specifications and intentions of the client.</li><li>Cross-referencing contract structure and implementation against similar smart contracts produced by industry leaders.</li><li>Thorough line-by-line manual review of the entire codebase.</li></ul><p>A total of 60 issues were identified during the auditing process, 52 of which were informational, 7 minor, and only 1 major.</p><p>After a series of coordinated intelligence and practice exchanges between CertiK auditing experts and the Ocean Protocol team, the latter managed to resolve any major issues following the recommendations cited by the CertiK Professional Services Division.</p><p><em>“Ocean Protocol’s ambition is to create a whole new marketplace revolving around tokenized data. That naturally doesn’t sound easy to achieve, hence the Ocean team was cautious of the challenges and committed to ensuring the integrity and the security of such a system.”</em></p><p>“We were impressed by the strict methodology employed during the audit — the entire process was seamless. Even after we made some last-minute changes to the code, CertiK accommodated our updates and reviewed them. As a result, we hardened our smart contracts and delivered a more secure product to the community,” said <strong>Alex Coseru</strong>, VP of Engineering at Ocean Protocol.</p><p>The full audit report can be found by visiting the relevant CertiK Shield directory, <a href="https://shield.certik.foundation/vendors/oceanprotocol">here</a>.</p><h3>About Ocean Protocol</h3><p>Ocean Protocol builds powerful Web3 apps for the emerging data economy. 
Founded in 2017, Ocean Protocol connects data providers and consumers, using blockchain technology.</p><p>Ocean technology allows private data to be shared, without compromising control or security for the data owner, while ensuring traceability, transparency, and trust for all stakeholders involved. Ocean allows data owners to monetize data while keeping control over their data assets. Ocean Protocol Foundation is based in Singapore.</p><p><a href="https://oceanprotocol.com/">oceanprotocol.com</a></p><h3>About CertiK</h3><p>CertiK is an edge-standards cybersecurity firm founded by Computer Science professors hailing from Yale and Columbia University respectively, aiming to improve the security and correctness of smart contracts and blockchain protocols on a global scale.</p><p>Leveraging a seasoned team of multi-skilled engineers and security auditors, CertiK’s mission is to apply a plethora of high-level industry practices, covering the entire spectrum of static, manual, and dynamic analyses, in order to ensure each project subject to a formal audit is up-to-date with modern security standards while offering their services to the broader DLT community.</p><p>Over the past few years, CertiK has serviced more than 100 top-shelf blockchains, DeFi protocols, among other complex and/or custom smart contracts, including but not limited to Binance, Tera, Bancor, Shapeshift, and Blockstack.</p><p>Consult with one of our experts at bd@certik.io</p><p>Stay connected!</p><p><a href="https://certik.io/">Website</a> | <a href="https://twitter.com/certik_io">Twitter</a> | <a href="https://www.linkedin.com/company/certik/">Linkedin</a> | <a href="https://github.com/CertiKProject">GitHub</a> | <a href="https://shield.certik.foundation/">CertiK Shield</a></p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[AllianceBlock Joins Forces With CertiK To Secure Decentralized Capital Markets]]></title>
            <link>https://medium.com/certik/allianceblock-joins-forces-with-certik-to-secure-decentralized-capital-markets-237d5d501741?source=rss----cb91b16d3c7f---4</link>
            <guid isPermaLink="false">https://medium.com/p/237d5d501741</guid>
            <category><![CDATA[security-services]]></category>
            <category><![CDATA[certik]]></category>
            <category><![CDATA[blockchain]]></category>
            <category><![CDATA[audit]]></category>
            <dc:creator><![CDATA[CertiK]]></dc:creator>
            <pubDate>Thu, 29 Oct 2020 11:01:58 GMT</pubDate>
            <atom:updated>2021-03-04T20:57:08.528Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*JYzJpyAEkjMkWMbW" /></figure><p><strong>Decentralized Capital Markets</strong></p><p>NEW YORK, 29/10/2020 — AllianceBlock, the protocol bridging the gap between traditional finance and DeFi by building the world’s first globally compliant decentralized capital market, has joined forces with holistic blockchain auditing firm CertiK to ensure the security and integrity of international settlements taking place in the AllianceBlock domestic network.</p><p>AllianceBlock is building a cross-industry financial bridge between traditional finance and DeFi, which started as an Ethereum sub-culture before transforming into the exponentially growing multi-billion dollar self-sustainable industry it is today.</p><p>We’re way past the parallel competition era of blockchain technology, where the subject of discussion was often focused on which digital currency is more viable than the rest of the pile, and have entered the vertical growth era, where we’re now exploring potential game-changing solutions, and by extent, scaling them to solve real-life expectations.</p><p>What AllianceBlock is trying to offer in this case, is an important aspect missing from fintech nowadays, considering the DLT industry is at the point where traditional banking institutions and even governments are getting involved with DeFi, among other blockchain-powered markets.</p><p>That would be a solution to the fact there is currently minimal to absolutely no reliability at all, as to how these, still exotic to traditional financiers, computing protocols operate.</p><p><em>“CertiK has firmly established itself as the leading provider of end-to-end cybersecurity solutions and we are delighted to team up with a company that is setting a new industry standard in blockchain security protocols.”</em></p><p><em>“Collaborating with CertiK extends our remit considerably when it comes to enhancing the safety and 
security of our network through a stringent verification process. In return, CertiK will become part of our ecosystem of stakeholders as we usher in a new, global participatory economy,”</em> said <strong>Rachid Ajaja</strong>, Founder and CEO of AllianceBlock.</p><p>By connecting both traditional and tokenized asset issuers, liquidity providers and aggregators, traditional and decentralized exchanges, the AllianceBlock team aims to facilitate an ecosystem of trusted and verifiable partners, that would, in their turn, empower a reliable entry point between traditional finance and the broader crypto domain.</p><p>For that reason, AllianceBlock entrusts its cybersecurity to CertiK, a leader in whole-chain, smart-contracts and VAPT verification, in order to ensure all applications running on top of the AllianceBlock ecosystem are not subject to being potential vectors of malicious activity.</p><p>To achieve that status, not only AllianceBlock and its components will be examined in unparalleled detail, but the blockchain services provider also plans on verifying each and every DeFi solution that goes through its native network with the help of CertiK Professional Services Division.</p><p>The collaboration will also offer benefits to CertiK, opening the door for them to enter the capital market world and forge relationships with other members of the AllianceBlock ecosystem and, in doing so, becoming part of the new era of capital market infrastructure providers.</p><p><strong>About Alliance Block</strong></p><p><a href="https://www.allianceblock.io/">AllianceBlock</a> is building the first globally compliant decentralized capital market. The AllianceBlock Protocol is a decentralized, blockchain-agnostic layer 2 that automates the process of converting any digital or crypto asset into a bankable product. 
Incubated by three of Europe’s most prestigious incubators: Station F, L39, and Kickstart Innovation in Zurich, and led by a heavily experienced team of ex-JP Morgan, Barclays, BNP Paribas, Goldman Sachs investment bankers, and quants, AllianceBlock is on the path to disrupt the $100 trillion securities market with its state-of-the-art and globally compliant decentralized capital market. For more information, visit: <a href="https://www.allianceblock.io/">https://www.allianceblock.io/</a></p><p><strong>About CertiK</strong></p><p>CertiK is a technology-led blockchain security company founded by Computer Science professors from Yale University and Columbia University built to prove the security and correctness of smart contracts and blockchain protocols.</p><p>CertiK’s mission of every audit is to apply different approaches and detection methods, ranging from manual, static, and dynamic analyses to ensure that the project is checked against known attacks and potential vulnerabilities. CertiK leverages a team of seasoned engineers and security auditors to apply testing methodologies and verifications on the project, in turn creating a more secure and robust software system.</p><p>CertiK has serviced more than 100 clients with high-quality auditing and consulting services, ranging from stablecoins such as Binance’s BGBP and Paxos Gold to decentralized oracles such as Band Protocol and Tellor.</p><p>To request your FREE consultation send us an email at bd@certik.io</p><p>Stay connected!</p><p><a href="https://certik.io/">Website</a> | <a href="https://twitter.com/certik_io">Twitter</a> | <a href="https://www.linkedin.com/company/certik/">Linkedin</a> | <a href="https://github.com/CertiKProject">GitHub</a> | <a href="https://shield.certik.foundation/">CertiK Shield</a></p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[CertiK 101: Smart Contracts]]></title>
            <link>https://medium.com/certik/certik-101-smart-contracts-1ef5b8b31d8d?source=rss----cb91b16d3c7f---4</link>
            <guid isPermaLink="false">https://medium.com/p/1ef5b8b31d8d</guid>
            <category><![CDATA[security-services]]></category>
            <category><![CDATA[smart-contracts]]></category>
            <category><![CDATA[certikaudits]]></category>
            <dc:creator><![CDATA[CertiK]]></dc:creator>
            <pubDate>Wed, 28 Oct 2020 14:38:55 GMT</pubDate>
            <atom:updated>2021-03-04T20:58:42.019Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*LqQR0qltSnNVTWWe" /></figure><p>TL;DR: In essence, <strong><em>smart contracts</em></strong> are computer protocols designed to enable autonomous transactions taking place in a distributed ledger network, without human interference, hence they are <em>“smart”</em>.</p><p>So what is the value proposition here, who uses smart contracts nowadays, and why even bother?</p><p>In this article, we’ll elaborate on the above in layman’s terms, to help you easily consume the concept behind smart contracts, and most likely grasp the fact you’ve already been interacting with a variety of such programs without even realizing it.</p><h3>Brief History of Smart Contracts</h3><p>Decentralized information management, distribution, and monetary settlement systems, commonly known as <strong><em>blockchains, </em></strong>are by nature tailored to block intermediary gloves from leeching off data and/or funds subject to digital transactions.</p><p>Yet, it wasn’t until smart contracts were introduced as a savvy addition to the architecture of such systems that we started to see game-changing computing protocols being adopted by governments and financial institutions at an astonishing pace.</p><p>In general, blockchain empowers faster, cheaper, and more reliable transactions in terms of integrity and overall security, but it was smart contracts that brought unparalleled automation to fintech service providers, and data management enterprises.</p><p>Nick Szabo, a legal scholar, cryptographer, and Bitcoin pioneer was the first to conceive the idea that decentralized ledgers could be used to facilitate self-executing pieces of code, otherwise referred to as digital contracts or smart contracts back in 1994.</p><p>In a nutshell, smart contracts were eligible to be converted to computer code, stored and replicated on-chain, while monitored by the broader distributed ledger network in a 
transparent fashion and at all times.</p><p>One could argue that the whole concept of a functioning blockchain itself is the definition of a smart contract in action.</p><h3>Value Proposition</h3><p>As previously mentioned, smart contracts make the process of storing, distributing, and exchanging information, as well as protocols that prove the legitimacy of physical and digital assets, and by extent their respective ownership status, faster, cheaper, and more secure.</p><p>That is simply because smart contracts can facilitate the execution of such quotes in a transparent, undeniable, and non-custodian fashion.</p><p>What’s even more fascinating, is the fact smart contracts have well-defined rules and penalties subjecting an agreement, similar to traditional contracts.</p><p>The difference here is that smart contracts don’t require lawyers or notary to act according to the pre-agreed rules but are eligible to enforce these obligations autonomously, again, saving precious time, effort, and money.</p><p>Ethereum’s 26-year-old founder Vitalik Buterin describes smart contracts as a program running code that may contain digital currencies, and/or other assets.</p><p><em>“…and the program runs this code and at some point, it automatically validates a condition and it automatically determines whether the asset should go to one person or back to the other person, or whether it should be immediately refunded to the person who sent it or some combination thereof.”</em> — <strong>Vitalik Buterin</strong>, Ethereum co-founder</p><p>At the same time, the distributed ledger network also stores a copy of each transaction, eventually making it immutable to changes or conflicts, while everyone can assess the nature of each of these transactions publicly.</p><p>In the end, this is the key-point that attributes value to automated smart contracts, offering undeniable certainty of operations.</p><p>While most of the time, blockchain users take for granted that smart contracts must be 
somehow directly related to operations carrying monetary value, a smart contract can do much more than settling cryptocurrency transactions.</p><h3>Popular Smart Contract Use-Cases</h3><p>We can find solutions relying on smart contracts that range from financial services, derivatives, insurance plans, breach contracts, property &amp; real estate, credit markets, law, and crowdfunding, among hundreds more.</p><p>It is true smart contracts can exist almost in any blockchain, and under various formats, although without a doubt, the platform that made smart contracts <em>mainstream</em> is the Ethereum Blockchain, and its native <strong><em>Ethereum Virtual Machine </em></strong>or EVM.</p><h3>DApps (Decentralized Applications)</h3><p>Due to the fact smart contracts empower the majority of DApps out there, the latter are often dubbed as smart contracts themselves and in most scenarios, they are open-source and naturally decentralized.</p><p>If you’re not sure what a DApp might be, you can think of them as casual web3 and/or mobile applications, only running on web3 infrastructure and powered by some sort of a distributed ledger, once again, with Ethereum spearheading the industry with a difference.</p><p>DApps are popular among crypto-games, crypto-collectibles, blockchain voting systems, decentralized financial services, and much more.</p><p>Some DApps you might have already used without realizing it would include the popular cat-breeding game <strong><em>CryptoKitties, </em></strong>the <strong><em>Uniswap </em></strong>decentralized exchange (DEX), and <strong><em>OpenSea</em></strong>, an NFT marketplace to go for every crypto-collectible out there.</p><p>Contrary to typical applications, where the back-end is relying on centralized infrastructure, dapps run on top of decentralized computing networks such as the Ethereum blockchain.</p><p>While DApps used to be ugly one-pagers where you’d trade your crypto for a non-fungible collectible or ERC-20 tokens, nowadays 
we see some pretty interesting design in terms of aesthetic, as well as utility, meaning that DApps are only limited by the developers’ programming skills and level of creativity.</p><p>On the smart contract level, a DApp usually bases its functionality on one or more consecutive smart contracts, each tailored for a specific function of the DApp (e.g. buy CryptoKitty, breed CryptoKitty, exchange/sell CryptoKitty etc.).</p><h3>DeFi (Decentralized Finance)</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*3ucKhnhB_O0WXehh" /></figure><p>Of course, it’s not all fun and games, especially considering we’re talking about the crypto domain, and therefore more sophisticated DApps can be the catalyst for a more complex financial system, one that tackles the integrity of traditional financial processes.</p><p>As you read this, there is over $10B worth of cryptocurrencies locked in the broader DeFi scene, making it a standalone financial sector serving the crypto industry and its peers.</p><p>Undoubtedly, the cornerstone of such an economy has to be its “banking system”, in this case, Decentralized Exchanges (DEXs), various lending platforms, yield farming, staking, and more DeFi tools and services that base their operations on blockchain technology, and more specifically on smart contracts.</p><p>A DEX is essentially a collection of inter-operating smart contracts that provide users with decentralized, autonomous, and transparent exchange services.</p><p>Unlike centralized exchanges of the likes of Coinbase, Binance, or Kraken, DEXs are non-custodial and usually work in a wallet-to-wallet fashion.</p><p>Decentralized Finance essentially stands for the ability of crypto users to own their funds in their wallet, and use them as they see fit using various DApps able to interact with a web3 wallet’s components.</p><p>Once again, this is only possible thanks to smart contracts.</p><h3>Real Estate</h3><figure><img alt="" 
src="https://cdn-images-1.medium.com/max/1024/0*uBba3zunS9hn-2FO" /></figure><p>Being one of the most well-established industries in the physical realm, the RE sector couldn’t stay unaffected by distributed ledger technology.</p><p>Powered by smart contract functionality, a new era lies ahead for the housing market, as the concept of<em> </em><strong><em>tokenization</em></strong> promises a plethora of problem-solving adjustments.</p><p>Tokenization is the process of issuing a blockchain token (in this case, a security token) as a digital representation of a real tradeable asset.</p><p>Tokenizing a property essentially means slicing the physical ownership contract to multiple digital tokens that represent the full piece in combination.</p><p>Instead of having one owner per-property, tokenized RE could distribute the ownership rights among a large number of individuals, unlocking a whole new inclusive sub-market on top of the traditional industry.</p><p>It should be self-evident how smart contracts offer faster and cheaper transaction costs, as well as irrefutable proof of ownership that can, in turn, establish legal transparency and improved market security and traceability.</p><p>Additionally, both sellers and buyers can enjoy enhanced management over their respective assets, considering they could decide to buy, trade, or sell a token pegged to property value, with the ease of a single click, and without any sort of intermediaries.</p><p>Finally, the opportunity for fractional ownership significantly lowers the entry barriers for investors, making the industry more accessible to anyone regardless of their balance’s strength.</p><h3>Supply Chain</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*DkDUF-SLKYnp1fcq" /></figure><p>From UPS and Walmart to IBM, and Maersk, smart contracts in the supply chain industry have upscaled the industry to a whole new standard.</p><p>By using a versatile data management infrastructure relying on IoT, RFID, 
QR, and Blockchain technologies, the supply chain sector is now in a firm position to track, authenticate and monitor the history of products, physical goods, and consumables in real-time.</p><p>This is probably the most widespread use case among private enterprises, considering it solves a lot of the problems related to counterfeit products, lost goods, and bad labeling.</p><p>For example, you can scan a QR code found in a Walmart product and learn where it was produced, under what circumstances, the credentials of the individual or company issuer, as well as the history of the product from production to shelves, including but not limited to details regarding the methods of transportation utilized, temperature conditions, and the date and time data often missing from consumables.</p><p>Once again, not only does this save enormous time, effort, and funds, but it also creates an immutable history of products otherwise impossible to track. All that, thanks to smart contracts.</p><h3>Honorable Mentions</h3><p>It is nearly impossible to cover all the potential use-cases smart contracts could be applied to, yet here’s a list of some of the most intriguing concepts that have already leveraged the new computing protocol:</p><ul><li>Arts and Music</li><li>Government Administration</li><li>Space Industry</li><li>Smart Cities</li><li>Healthcare</li><li>Public Libraries and Document Administration</li><li>Automobile Industry</li><li>Machine-to-Machine Economies (M2M)</li><li>IoT</li><li>International Settlements</li><li>Proof Of Authentication, Ownership</li></ul><p>and more…</p><h3>Verdict</h3><p>In general, smart contracts, being a by-product of distributed ledger technology, are set to change the way we handle transactions both in the physical and digital domains.</p><p>Smart contracts enable a faster, cheaper, and more reliable exchange of information and monetary settlements, transparently, in a cross-border fashion, and almost instantly.</p><p>Whether you see the 
change coming or not, government agencies, banks, and enterprises you trust your everyday life with are already exploring and utilizing this technology to upscale societies to their modest form, which is more optimized and autonomous.</p><p>Of course, living in the digital realm, smart contracts are often targeted by malicious actors and software, hence the cybersecurity involved in such data administrative protocols must be on the edge of technological advancement as well.</p><p>Depending on the scenario and the delicacy of each business model, smart contract security may vary from industry to industry and even from project to project.</p><p>We at CertiK strive to secure the cyberworld regardless of the nature of each project that might be entrusting the integrity of its operations on DLTs and smart contracts and our numbers are loud about it.</p><p>Over the past years, we’ve audited and secured more than 150 smart contracts, and over 25 whole chains, while our expert engineers performed more than 20 VAPTs for top-shelf industry pioneers including but not limited to Binance, Tera, Kava, e-Money, Fetch.ai, Akropolis, Bancor, Shapeshift, and Blockstack.</p><p>To learn more about smart contracts, and find out the most optimal way to secure your next venture, don’t hesitate to connect with one of our engineers and get a free consultation today.</p><p>____</p><p>bd@certik.org</p><hr><p><a href="https://medium.com/certik/certik-101-smart-contracts-1ef5b8b31d8d">CertiK 101: Smart Contracts</a> was originally published in <a href="https://medium.com/certik">CertiK</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Summer DeFi Spotlight]]></title>
            <link>https://medium.com/certik/summer-defi-spotlight-366449c620a5?source=rss----cb91b16d3c7f---4</link>
            <guid isPermaLink="false">https://medium.com/p/366449c620a5</guid>
            <category><![CDATA[audit]]></category>
            <category><![CDATA[security]]></category>
            <category><![CDATA[defi]]></category>
            <category><![CDATA[blockchain]]></category>
            <category><![CDATA[certik]]></category>
            <dc:creator><![CDATA[CertiK]]></dc:creator>
            <pubDate>Thu, 22 Oct 2020 17:34:23 GMT</pubDate>
            <atom:updated>2020-10-22T20:28:48.516Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*VJLW4aGFXFet7IVUMTV6yA.png" /></figure><p>Summer 2020 has been anything but ordinary. While most of the world seemed to have slowed down with shelter-in-place, DeFi has been doing just the opposite. We wanted to do a recap of this booming summer by spotlighting some top DeFi projects that have come our way to get audited. After diving intimately into these DeFi projects — as well as a host of others that we didn’t have room to list — we can’t be more excited about what’s in store for the DeFi world.</p><p>Without further ado, let’s take a moment to shine the spotlight on the ‘Summer of Security’:</p><h3><a href="https://www.kava.io/">Kava</a></h3><p>Described by <em>Entrepreneur</em> as the “Uber of Bitcoin,” Kava allows users to earn high yields on their cryptocurrency while keeping them securely stored on hardware wallets like Ledger. They’re really pushing the space forward, and as a result, Kava was awarded the Launchpad Project of the Year by Binance.</p><p>We’ve worked with Kava many times, and we’re always ecstatic to find that the team has one of the finest codebases <a href="https://certik.io/blog/clients-&amp;-partners/Kava-Comprehensive-Audit-for-the-Validator-Vesting-Smart-Contracts">CertiK has seen</a> from a project to date, especially in the Decentralized Finance sector.</p><h3><a href="https://thorchain.org/">ThorChain</a></h3><p>Dubbed as a “decentralized liquidity network,” ThorChain aims to promote cross-chain liquidity <em>without </em>requiring pegged or wrapped tokens.</p><p>As is sometimes the case in the world of DeFi and blockchain, the team behind ThorChain is pseudo-anonymous. 
However, the ThorChain team continues to build the trust of their community through strong communication and initiatives, including a <a href="https://medium.com/thorchain/certik-completes-thorchain-audit-c6d88fad3613">CertiK security audit.</a></p><h3><a href="http://fetch.ai/">Fetch.ai</a></h3><p>This Cambridge-based artificial intelligence lab utilizes blockchain technology to provide the world with AI capable of executing powerful tasks required in the modern world.</p><p>With major partnerships including Binance, Blockchain for Europe, and Telekom Innovation Laboratories, a logical step on their journey to deliver groundbreaking AI was to ensure the security of their platform.</p><p>We’ve worked with Fetch.ai many times in the past, and we’re always delighted to see their strong code and innovative applications.</p><h3><a href="https://injectiveprotocol.com/">Injective Protocol</a></h3><p>Launching on Binance’s Launchpad, Injective Protocol’s Layer 2 derivative exchange looks to solve many of the issues that plague decentralized exchanges (DEXs). This includes poor liquidity, high costs, and other inefficiencies.</p><p>There’s a lot of potential for this team to fix some of the salient issues that we’ve all faced while using existing DEXs.</p><h3><a href="https://app.bancor.network/eth/data">Bancor</a></h3><p>One of the most well-known and original DeFi projects, Bancor is a protocol that promotes liquidity and facilitates the instantaneous and decentralized exchange of various tokens on the Ethereum blockchain.</p><p>According to <a href="https://defipulse.com/">DeFi Pulse</a>, there is, at the time of writing, more than $14m TVL in the Bancor protocol. 
Bancor is tackling the issue of impermanent loss head on, with their most recent upgrades to support liquidity providers from facing this systemic problem.</p><h3><a href="http://swipe.io/">Swipe.io</a></h3><p>Targeting the mobile crypto user, Swipe is developing a suite of mobile-friendly cryptocurrency apps (mobile wallet, debit card, etc.) which will appeal to existing users and attract new users to crypto.</p><p>For those unaware, Swipe was recently <a href="https://www.binance.com/en/support/articles/4ef2d3389f4143c2986c685a88501939">acquired by Binance</a>. It’s no easy task to enable users to spend their crypto as if it were fiat — and that certainly doesn’t go without its own unique security risks. Regardless, it’s a huge undertaking that will certainly facilitate broader blockchain adoption. Swipe and Binance are certainly fit for the job.</p><h3><a href="https://aave.com/">Aave</a></h3><p>DeFi royalty.</p><p>Arguably one of the largest Defi platforms, AAVE has made collateralized lending much more efficient in comparison to CeFi. 
Users are able to borrow, or supply, collateral at some of the most competitive rates in the market.</p><p>Aave’s protocol market size currently sits at an astonishing $1.2B.</p><p>CertiK has, proudly, audited both the AAVE token and the Safety Module / Staked AAVE.</p><h3><a href="https://www.ampleforth.org/">Ampleforth</a></h3><p>Made famous for its novel elastic supply economics model, the supply of AMPL adjusts dynamically to current demand and market conditions to mitigate supply-side shock.</p><p>With governments worldwide printing cash to prop up the global economy, Ampleforth’s vision of integrated supply and demand is even more relevant than ever.</p><p>Ampleforth’s Geyser caused a huge splash in DeFi, as they attracted a large number of Uniswap’s liquidity providers to support their pairs.</p><h3><a href="https://akash.network/">Akash</a></h3><p>Akash DeCloud is the DeFi of cloud computing and brings to the world the very first decentralized cloud computing marketplace. Users and developers benefit from cloud computing at a tenth of normal prices — promoting, developing, and scaling, for new projects.</p><p>We’re excited to help secure these initiatives and watch closely as they innovate the centralized cloud computing world that we know of today.</p><p>With the summer season finished, we’ll see how the seasons change in DeFi. One thing’s for sure — there’s huge potential from what’s being built by these projects. 
The best part about our role is that not only do we get to directly help make these projects more robust and secure, but we also get a front row seat to the innovation!</p><hr><p><a href="https://medium.com/certik/summer-defi-spotlight-366449c620a5">Summer DeFi Spotlight</a> was originally published in <a href="https://medium.com/certik">CertiK</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[CertiK Audits PlotX Protocol To Ensure Integrity Of Token Smart Contracts]]></title>
            <link>https://medium.com/certik/certik-audits-plotx-protocol-to-ensure-integrity-of-token-smart-contracts-ed68915072ee?source=rss----cb91b16d3c7f---4</link>
            <guid isPermaLink="false">https://medium.com/p/ed68915072ee</guid>
            <category><![CDATA[crypto]]></category>
            <category><![CDATA[smart-contracts]]></category>
            <category><![CDATA[certik]]></category>
            <category><![CDATA[certikaudits]]></category>
            <category><![CDATA[blockchain]]></category>
            <dc:creator><![CDATA[CertiK]]></dc:creator>
            <pubDate>Fri, 09 Oct 2020 10:01:05 GMT</pubDate>
            <atom:updated>2021-03-04T20:59:02.781Z</atom:updated>
            <content:encoded><![CDATA[<h3>CertiK Audits PlotX Protocol <br>To Ensure Integrity Of Token Smart Contracts</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*lG-wMI3lXXqKvM9EBSWMtQ.png" /><figcaption>CertiK Audits PlotX Protocol</figcaption></figure><h3>Use-Case Profile</h3><p>PlotX is a non-custodial, decentralized prediction protocol that enables web3 users to predict the future price of crypto assets using prediction markets.</p><p>That is possible thanks to the innovative way in which PlotX uses an <strong><em>Automated Market Making</em></strong><em> </em>algorithm — one that generates markets, settles markets and distributes rewards among the network’s users, all in an autonomous fashion.</p><p>Users get a consistent experience of making predictions on hourly, daily and weekly markets around the price of crypto assets like BTC, ETH, YFI etc. Furthermore, PlotX uses GovBlocks (also used in Nexus Mutual) for on-chain governance.</p><h3>Code Review &amp; Auditing Process</h3><p>Among other aspects of the PlotX codebase, the <strong><em>CertiK </em></strong><em>Professional Services </em>team was tasked with the examination of the native <em>$PLOT </em>token, as well as delicate smart-contracts related to <em>Vesting</em> and <em>Staking </em>operations.</p><p>Our PS team initiated the process by conducting a system-based analysis of the entire codebase. In addition, we followed our standardized procedure.</p><p>A comprehensive examination has been performed, utilizing Dynamic Analysis, Static Analysis, and Manual review techniques. 
The auditing process pays special attention to the following considerations:</p><ul><li>Testing smart contracts <strong>against both common and uncommon attack vectors.</strong></li><li>Assessing the codebase to <strong>ensure compliance</strong> with current best practices and industry standards.</li><li>Ensuring contract <strong>logic meets the specifications</strong> and intentions of the client.</li><li><strong>Cross-referencing</strong> contract structure and implementation against similar smart contracts produced by industry leaders.</li><li>Thorough<strong> line-by-line manual review </strong>of the entire codebase.</li></ul><h3>Notable Recommendations</h3><p>We were unable to identify any severely exposed attack vectors subject to exploitation while reviewing and testing the smart contracts in question, as well as their response to a variety of potential scenarios.</p><p>Furthermore, we relayed our findings and optimization advice to the PlotX team, and the full audited source code can be found <a href="https://github.com/certikfoundation-shared/CertiK-Audits/blob/master/reports/REP-PlotX-06_10_2020.pdf">here</a>.</p><p>After mutual discussion, we concluded that the ideal choice is to skip some minor recommendations as they are not substantial optimizations and would require changes across the whole codebase.</p><p><em>“This was the third and final audit of the PlotX Smart Contracts by CertiK Professional Services.</em></p><p><em>CertiK has been at the forefront of improving the security of smart contracts in the broader blockchain spectrum and we absolutely loved working with their Professional Services team.</em></p><p><em>PlotX Protocol and the $PLOT token are scheduled for launch on the Ethereum mainnet, and getting the security audits in time has been an important milestone.”</em></p><p><em>- </em><strong>Ish Goel </strong>Co-founder of PlotX</p><h3>About PlotX</h3><p>PlotX is a non-custodial, decentralized prediction protocol that enables web3 
users to predict the future of crypto assets using prediction markets.</p><p>Dubbed as the Uniswap of Prediction Markets, PlotX uses an Automated Market Making algorithm to create, settle markets and distribute rewards on the Ethereum Blockchain without any counterparty risk. Markets are focused on crypto-pairs like BTC, ETH, YFI etc and are automatically created in intervals of 1h, 1d and 1w.</p><p>Over 2400 unique addresses have made more than 10,000 predictions on PlotX since the launch of their <a href="https://alpha.plotx.io/">alpha on kovan testnet</a>.</p><p>Learn more by visiting the <a href="https://plotx.io/">PlotX website</a> or following them on <a href="https://twitter.com/@tryplotx">Twitter</a>, <a href="https://t.me/plotx_ann">Telegram</a> or <a href="https://discord.gg/BgvAwAn">Discord</a></p><h3>About CertiK</h3><p>CertiK is a technology-led blockchain security company founded by Computer Science professors from Yale University and Columbia University built to prove the security and correctness of smart contracts and blockchain protocols.</p><p>CertiK’s mission of every audit is to apply different approaches and detection methods, ranging from manual, static, and dynamic analysis to ensure that the project is checked against known attacks and potential vulnerabilities. 
CertiK leverages a team of seasoned engineers and security auditors to apply testing methodologies and verifications on the project, in turn creating a more secure and robust software system.</p><p>CertiK has serviced more than 100 clients with high quality auditing and consulting services, ranging from stablecoins such as Binance’s BGBP and Paxos Gold to decentralized oracles such as Band Protocol and Tellor.</p><p>Stay connected!</p><p>Remember to follow us on the platforms below to stay up-to-date with our latest updates and announcements.</p><p>Website: <a href="https://certik.io/">https://certik.io</a></p><p>Twitter: <a href="https://twitter.com/certik_io">https://twitter.com/certik_io</a></p><p>Linkedin: <a href="https://www.linkedin.com/company/certik/">https://www.linkedin.com/company/certik/</a></p><p>GitHub: <a href="https://github.com/CertiKProject">https://github.com/CertiKProject</a></p><p>To request your FREE consultation send us an email to bd@certik.io</p><hr><p><a href="https://medium.com/certik/certik-audits-plotx-protocol-to-ensure-integrity-of-token-smart-contracts-ed68915072ee">CertiK Audits PlotX Protocol 
To Ensure Integrity Of Token Smart Contracts</a> was originally published in <a href="https://medium.com/certik">CertiK</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[DeepSEA Version 1.0 with eWasm]]></title>
            <link>https://medium.com/certik/deepsea-version-1-0-with-ewasm-368293a01ff4?source=rss----cb91b16d3c7f---4</link>
            <guid isPermaLink="false">https://medium.com/p/368293a01ff4</guid>
            <category><![CDATA[deep-sea]]></category>
            <category><![CDATA[ethereum]]></category>
            <category><![CDATA[smart-contracts]]></category>
            <category><![CDATA[blockchain]]></category>
            <category><![CDATA[certik]]></category>
            <dc:creator><![CDATA[CertiK]]></dc:creator>
            <pubDate>Fri, 18 Sep 2020 18:05:39 GMT</pubDate>
            <atom:updated>2020-10-05T17:26:32.066Z</atom:updated>
            <content:encoded><![CDATA[<h3>DeepSEA Version 1.0 eWasm &amp; Ants</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*LM37vSsz0n6cvrkqvmm8OA.png" /><figcaption>DeepSEA Version 1.0 eWasm &amp; Ants</figcaption></figure><p>CertiK is proud to announce version 1.0 of the DeepSEA compiler. You can download the executable and examples from the <a href="https://github.com/CertiKFoundation/deepsea/releases">GitHub releases page</a>.</p><p>There are two major improvements in this release. First, the compiler is now complete enough to support practical smart contracts. Second, we have added two new compilation targets. In addition to Ethereum and the CertiK Chain, we now support writing contracts for Ant Financial’s AntChain, and have experimental support for compiling to Ethereum-flavored WebAssembly.</p><h3>Basic feature set complete</h3><p>In January we released a “pre-alpha preview” of the compiler, which could compile programs but had some gaps left, and a language manual which described the planned basic feature set. In this release we have completed those outstanding items (e.g. events, keccak hashes, reading calldata…), so we finally support the entire language as described in the manual.</p><p>This is by no means the final version of the language, and we will continue to improve it, but this version can now be used to write some useful programs. For example, one of our example programs, <a href="https://github.com/CertiKProject/deepsea-preview/blob/master/contracts/olive/Olive.ds">Olive.ds</a>, was inspired by a <a href="https://etherscan.io/address/0x9d9223436ddd466fc247e9dbbd20207e640fef58#code">real ERC20 contract</a> which was used to manage the coin offering of the Olive live streaming platform. 
We selected this example because it is one of the more complex ERC20 contracts that CertiK has audited, so the fact that DeepSEA supports the same functionality shows that it can handle most token contracts.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*LRHtFVFs6YFIlYYA" /></figure><p>For another example, CertiK is internally developing many smart contracts to support our Chain and security offerings, and we find that many of them are fully supported by the features that DeepSEA provides.</p><p><strong>Future plans for the DeepSEA compiler</strong></p><p>We will continue to add more language features to the compiler. In upcoming releases we will also add more target platforms to the backend, and provide support for loading contracts into an interactive theorem prover to prove them secure.</p><h3>WebAssembly support</h3><p>WebAssembly (WASM) has been trending in the blockchain industry for a while now. It seems likely to be the platform used by most smart contract languages in the future.</p><p>WASM first appeared in 2015 as a lightweight low-level language running in browser engines, and it has extensive tool support. Furthermore, WASM is designed with formal methods in mind: it has a formally defined execution semantics and a sound type system (validation rules). The type system ensures that if a WebAssembly program passes compilation, it will not exhibit any type errors or memory safety issues. The clearly-defined semantics make it easy to build verification frameworks and formally proven compilers, which makes WebAssembly an ideal target language for high-security smart contracts. Current WebAssembly blockchain users include Ethereum Foundation, Parity Technologies, Cosmos, and Hyperledger.</p><p><strong>DeepSEA support for Ethereum WebAssembly</strong></p><p>This release of DeepSEA introduces support for compiling to Ethereum WebAssembly (eWasm), the style of WASM used in the Ethereum 2.0 project. 
The difference between eWasm and the regular WASM we see in web browsers is that eWasm contracts follow a specific interface: they only export the memory section and a main function serving as the multiplexer for function calling, and they import the Ethereum External Interface (EEI) for Ethereum-specific features such as transfer, storage, events, etc. For other features like gas metering or hash functions (keccak256), eWasm uses a pre-compiled system contract deployed to a fixed address.</p><p>Because Ethereum 2.0 is still under development, the eWasm testnet and the keccak256 system contract are not available yet. Therefore, as of this moment, the DeepSEA eWasm backend cannot handle contracts that use hashing, which implies that features that make use of hashing do not work (e.g. structs, mappings, and arrays).</p><p>The DeepSEA Wasm support is a work in progress. Future releases will complete the eWasm implementation, and also add support for other Wasm flavors used by other blockchains.</p><p><strong>Running a WebAssembly contract</strong></p><p>To execute a WebAssembly contract, you only need to download the DeepSEA compiler and then use the `ewasm` option. Detailed information about usage is included in the <a href="https://github.com/CertiKProject/deepsea-preview/blob/master/DeepSEA%20language%20reference.pdf">DeepSEA reference manual</a>. Here, we demonstrate a simple example. First, install the WebAssembly Binary Toolkit (WABT) by following the instructions on <a href="https://github.com/WebAssembly/wabt">the WABT GitHub repo</a>. (If you are on macOS, you can just type `brew install wabt`.) Then, we use DeepSEA to compile contracts. 
In this example, we compile a simple multiplication contract:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/818/0*YtTeFWqzkjJGTvnJ" /></figure><p>and run it on a Javascript virtual machine:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/777/0*OHgCtyxlJqXCt7m1" /></figure><p>The contract calling convention is the same as Ethereum 1.0, where you pass the first 4 bytes of the keccak256-hash of the function you want to call. Here, we hard code the hash in JS script for simplicity. When compiling a custom contract, you can always change the hash for the function and fill in the right parameters.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*LAlYmmYT6429OYR9" /></figure><h3>AntChain support</h3><p><strong>Differences between the Ethereum and AntChain version</strong></p><p>AntChain is compatible with EVM and Solidity, which lets us use the verified DeepSEA EVM backend to compile code for it. However, one important difference is the format of cryptographic identifiers. In Ethereum, users are identified by “addresses”, which are derived by first hashing an ECDSA public key using the Keccak-256 hash function (which is not standardized), and then truncating the result to 20 bytes. AntChain uses a different set of cryptographic primitives, and instead creates “identifiers” which are 32 bytes.</p><p>To handle this, we have created a new version of the DeepSEA compiler which lets the programmer use the keyword <em>identity</em> instead of<em> address</em>, and treats these as 32 bytes instead of 20 bytes. The compiler can be downloaded from the DeepSEA preview repository [insert link here]. This release also includes an example contract and the javascript code to deploy it.</p><p><strong>Running a contract on the AntChain</strong></p><p>In order to deploy contracts to the AntChain testnet, users must have an enterprise level Alipay account. 
More information about how to apply for testnet access can be found in the Ant documentation [<a href="https://tech.antfin.com/docs/2/147534">https://tech.antfin.com/docs/2/147534</a>] (in Chinese).</p><p>Once you have access, you can use the AntChain SDK to deploy the contract. In this DeepSEA preview release we include an example deployment script, and the user manual has detailed instructions for how to use it. We start by downloading the DeepSEA compiler preview from GitHub.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/0*EqhpqFSfGfRo71tx" /></figure><p>Next, we go to the contracts/token_ant folder, which contains an example contract called token.ds and an example deployment script called token.js. We run the DeepSEA compiler on the contract to produce two files, token.bytecode and token.abi.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/0*OJcxG7JYzBLkURas" /></figure><p>We then use the token.js deployment script to deploy the contract to the chain. It needs to be edited by the user to put in their account information, and it’s also possible to edit it to experiment with calls to the contract. The key part of the script is the following lines, which take the bytecode file produced above and send it to the AntChain.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/988/0*dXdAj0wKNfIcsxfL" /></figure><p>The console.log statement prints out a data object which contains msg_type, txhash, receipt and so on. We can record the txhash and later use that in the AntChain explorer.</p><p>Moreover, inside the callback function, we can make calls to the contract. For example, a single call to the contract method totalsupply() would look like the code snippet below:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*gAKmV--zQdLKTp0k" /></figure><p>As a final step, we can confirm that our contract was successfully deployed using the AntChain explorer. 
We log in to the BaaS platform of Ant and find the explorer search bar at the top-right.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*jovCEH73qQxfaOzO" /></figure><p>Using the txhash we recorded before, we can see the deployed contract:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*6TjPZzossvyhBFnL" /></figure><p>Of course, this is only a simple example, and the Ant SDK provides further APIs to interact with the contract. [<a href="https://tech.antfin.com/docs/2/107127">https://tech.antfin.com/docs/2/107127</a>]</p><p><strong>Future plans for DeepSEA/Ant support</strong></p><p>Compiling contracts via EVM is only a first step. Although the AntChain is backwards compatible with EVM, the recommended way of deploying programs is by using the Ant-developed MYVM, which offers better performance.</p><p>In the coming months, CertiK will develop a version of the DeepSEA compiler supporting the MYVM directly. Developing it involves developing a formal specification for the semantics of the MYVM virtual machine, and a backend generating MYVM code. So not only can third parties use the DeepSEA language directly to write completely verified contracts, but programming language developers can reuse the backend to compile other programming languages in a secure way, and developers of verification tools can refer to the formalized semantics.</p><hr><p><a href="https://medium.com/certik/deepsea-version-1-0-with-ewasm-368293a01ff4">DeepSEA Version 1.0 with eWasm</a> was originally published in <a href="https://medium.com/certik">CertiK</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[CertiK Audits Terra’s New CosmWASM Smart Contract Solution]]></title>
            <link>https://medium.com/certik/certik-audits-terras-new-cosmwasm-smart-contract-solution-67178e96188?source=rss----cb91b16d3c7f---4</link>
            <guid isPermaLink="false">https://medium.com/p/67178e96188</guid>
            <category><![CDATA[certik]]></category>
            <category><![CDATA[blockchain]]></category>
            <category><![CDATA[audit-report]]></category>
            <category><![CDATA[terra]]></category>
            <category><![CDATA[security-services]]></category>
            <dc:creator><![CDATA[CertiK]]></dc:creator>
            <pubDate>Fri, 18 Sep 2020 10:20:35 GMT</pubDate>
            <atom:updated>2020-10-06T13:07:56.599Z</atom:updated>
            <content:encoded><![CDATA[<h3>CertiK Audits Terra’s New CosmWasm Smart Contract Solution</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*J_rFfRyK34RhE6REJaCBkA.png" /><figcaption>CertiK Audits Terra’s New CosmWASM Smart Contract Solution</figcaption></figure><p>CertiK is proud to announce another successful audit of Terra’s CosmWasm smart contract solution. The initial audit was completed in 2019, with a detailed report posted <a href="https://certificate.certik.io/reports/terra.pdf">here</a>.</p><p>Scope of Audit</p><p>Terra, one of the largest blockchain payment networks, is supported by a family of stablecoins which are pegged to the world’s major currencies. The main goal of the CosmWasm solution is to provide functionality that allows smart contracts to interact with other smart contracts, and be deployed on different blockchain platforms. The solution is a WebAssembly smart contract system, and is based on the Cosmos SDK and Tendermint BFT consensus protocol.</p><p>Procedural Process</p><p>The CertiK team launched the audit by analyzing the specifications of the project and the key areas of interest, which included reviewing the unit testing of the code and launching fuzzing against targets in the codebase.</p><p>Afterwards, the team passed the code through automated tooling and gathered all the output to manually review each of the issues that the tooling returned. The main process of the audit was the manual review of the key areas of interest and was divided into 3 parts: the language-specific, SDK, and wasm examinations of the codebase and the targets in scope.</p><p>The team of expert engineers reviewed the codebase, written in Go and Rust, for language-specific problems and proper use of the language itself. In parallel, they also examined the usage and proper implementation of the Cosmos SDK. 
Additionally, the wasm implementation and targets generated by the codebase in the local testnet and the latest testnet were also reviewed.</p><p>Learnings and Findings</p><p>For the moment, contracts can only be written in Rust, but the Terra team has stated that more programming languages are currently being looked into for future integration.</p><p>CosmWasm takes advantage of the Actor model to communicate through messages, which has the advantage of fully encapsulating state and removes classes of bugs such as the infamous Solidity re-entrancy attack.</p><p>Recommendations and Outcome</p><p>The recommendations expressed by the audit were mostly regarding the usage of pointers within the codebase. CertiK’s team of engineers found no major or critical issues related to the codebase; the few issues identified were minor and informational.</p><p>Overall, the audit has found that the Terra team has done a good job implementing the specifications of the project into code. The usage of language is of a very high standard with good code coverage on unit testing. The SDK specifics are also well-implemented concerning the requirements of the framework and the same applies to the Cosmos wasm implementation.</p><p>Finally, the audit made all the necessary recommendations to the Terra team, and issues were discussed and addressed.</p><p>About CertiK</p><p>CertiK is a technology-led blockchain security company founded by Computer Science professors from Yale University and Columbia University built to prove the security and correctness of smart contracts and blockchain protocols.</p><p>CertiK’s mission in every audit is to apply different approaches and detection methods, ranging from manual, static, and dynamic analysis to ensure that the project is checked against known attacks and potential vulnerabilities. 
CertiK leverages a team of seasoned engineers and security auditors to apply testing methodologies and verifications on the project, in turn creating a more secure and robust software system.</p><p>CertiK has serviced more than 100 clients with high-quality auditing and consulting services, ranging from stablecoins such as Binance’s BGBP and Paxos Gold to decentralized oracles such as Band Protocol and Tellor.</p><p>Stay connected!</p><p>Remember to follow us on the platforms below to stay up-to-date with our latest updates and announcements.</p><p>Website: <a href="https://certik.io/">https://certik.io</a></p><p>Twitter: <a href="https://twitter.com/certik_io">https://twitter.com/certik_io</a></p><p>Linkedin: <a href="https://www.linkedin.com/company/certik/">https://www.linkedin.com/company/certik/</a></p><p>GitHub: <a href="https://github.com/CertiKProject">https://github.com/CertiKProject</a></p><p>To request your FREE consultation send us an email to bd@certik.io</p><hr><p><a href="https://medium.com/certik/certik-audits-terras-new-cosmwasm-smart-contract-solution-67178e96188">CertiK Audits Terra’s New CosmWASM Smart Contract Solution</a> was originally published in <a href="https://medium.com/certik">CertiK</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[The Alliance Block DeFi Ecosystem is designed as a multi-sided protocol that enables its members…]]></title>
            <link>https://medium.com/certik/the-alliance-block-defi-ecosystem-is-designed-as-a-multi-sided-protocol-that-enables-its-members-354997122b48?source=rss----cb91b16d3c7f---4</link>
            <guid isPermaLink="false">https://medium.com/p/354997122b48</guid>
            <category><![CDATA[crypto]]></category>
            <category><![CDATA[security-audit]]></category>
            <category><![CDATA[blockchain]]></category>
            <category><![CDATA[audit-report]]></category>
            <category><![CDATA[certik]]></category>
            <dc:creator><![CDATA[CertiK]]></dc:creator>
            <pubDate>Fri, 11 Sep 2020 15:55:54 GMT</pubDate>
            <atom:updated>2021-03-04T20:59:59.143Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*Av7De6XBUe0YDe3n9yIsBw.png" /><figcaption><strong>AllianceBlock</strong></figcaption></figure><blockquote>AllianceBlock provides the bridge between traditional and digital capital markets for all participants, reflecting how traditional finance would be designed today with current technology.</blockquote><p>The Alliance Block DeFi Ecosystem is designed as a multi-sided protocol that enables its members to issue, transfer, own, and trade tokenized/digitized assets, in other words all services that exist in the traditional capital market, while being fully compliant with regulations. It allows any entity to create assets and applications without the need for approvals from centralized “trust” authorities. The objective is to create the world’s first globally compliant decentralized capital market.</p><p>The CertiK team was contracted by the AllianceBlock team to audit the design and implementation of their smart contracts, and their compliance with the EIPs they are meant to execute on. The audited source code link can be found <a href="https://github.com/Stichting-AllianceBlock-Foundation/AllianceBlock-Contracts/tree/1c675368322bf7e96b4801131188f0a86e58888d">here</a>.</p><p><strong>Code Review Overview</strong></p><p>The goal of the audit was to review the Solidity implementation of its business model, study potential security vulnerabilities and its general design and architecture, and uncover bugs that could compromise the software in production.</p><p><strong>CertiK’s Auditing Process</strong></p><p>A comprehensive examination has been performed, utilizing Dynamic Analysis, Static Analysis and Manual review techniques. 
The auditing process pays special attention to the following considerations:</p><ol><li>Testing the smart contracts <strong>against both common and uncommon attack vectors</strong></li><li>Assessing the codebase to <strong>ensure compliance</strong> with current best practices and industry standards</li><li>Ensuring contract <strong>logic meets the specifications</strong> and intentions of the client</li><li><strong>Cross referencing</strong> contract structure and implementation against similar smart contracts produced by industry leaders</li><li>Thorough <strong>line-by-line manual review</strong> of the entire codebase</li></ol><p><strong>Summary and Recommendations</strong></p><p>The project’s codebase is a typical EIP token implementation, along with batch token transfer and vesting mechanisms. The codebase strictly adheres to the standards and interfaces imposed by the OpenZeppelin open-source libraries and as such its typical ERC-20 functions can be deemed to be secure.</p><p>During the audit process, CertiK and AllianceBlock worked together to remediate all issues found in the process. Although the optimization steps CertiK pinpointed in the source code mostly concerned coding standards and inefficiencies, the minor flaw that was identified was remediated to ensure the security of the contracts.</p><p><em>“Smart Contract Security is imperative to the blockchain ecosystem. When you invest in a token, you want to ensure the Smart Contracts are secure in every way. CertiK, the leading blockchain security company, has an outstanding reputation and together with their great attention to detail and deep knowledge we made sure to achieve exactly that.” — Matthijs de Vries, Founder &amp; CTO of AllianceBlock.</em></p><p><strong>About AllianceBlock</strong></p><p>AllianceBlock is building the first globally compliant decentralized capital market. 
Incubated by three of Europe’s most prestigious incubators: Station F, L39, and Kickstart Innovation in Zurich, and led by a heavily experienced team of ex-JP Morgan, Barclays, BNP Paribas, Goldman Sachs investment bankers, and quants, AllianceBlock is on the path to disrupt the $100 trillion securities market with its state-of-the-art and globally compliant decentralized capital market.</p><p><strong>Twitter: </strong><a href="https://twitter.com/allianceblock"><strong>https://twitter.com/allianceblock</strong></a></p><p><strong>Telegram: </strong><a href="https://t.me/allianceblock">https://t.me/allianceblock</a></p><p><strong>LinkedIn: </strong><a href="https://www.linkedin.com/company/certik"><strong>https://www.linkedin.com/company/certik</strong></a></p><p><strong>Website</strong>: <a href="http://www.allianceblock.io">www.allianceblock.io</a></p><p><strong>About CertiK</strong></p><p>CertiK is a technology-led blockchain security company founded by Computer Science professors from Yale University and Columbia University built to prove the security and correctness of smart contracts and blockchain protocols.</p><p>CertiK’s mission of every audit is to apply different approaches and detection methods, ranging from manual, static, and dynamic analysis to ensure that the project is checked against known attacks and potential vulnerabilities. 
CertiK leverages a team of seasoned engineers and security auditors to apply testing methodologies and verifications on the project, in turn creating a more secure and robust software system.</p><p>CertiK has serviced more than 100 clients with high-quality auditing and consulting services, ranging from stablecoins such as Binance’s BGBP and Paxos Gold to decentralized oracles such as Band Protocol and Tellor.</p><p>Stay connected!</p><p>Remember to follow us on the platforms below to stay up-to-date with our latest updates and announcements.</p><p>Website: <a href="https://certik.io/">https://certik.io</a></p><p>Twitter: <a href="https://twitter.com/certik_io">https://twitter.com/certik_io</a></p><p>Linkedin: <a href="https://www.linkedin.com/company/certik/">https://www.linkedin.com/company/certik/</a></p><p>GitHub: <a href="https://github.com/CertiKProject">https://github.com/CertiKProject</a></p><p>To request your FREE consultation send us an email to bd@certik.io</p><hr><p><a href="https://medium.com/certik/the-alliance-block-defi-ecosystem-is-designed-as-a-multi-sided-protocol-that-enables-its-members-354997122b48">The Alliance Block DeFi Ecosystem is designed as a multi-sided protocol that enables its members…</a> was originally published in <a href="https://medium.com/certik">CertiK</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
    </channel>
</rss>