Richard Ma, the CEO and founder of Quantstamp, stands at the forefront of the cryptocurrency auditing landscape.
With his firm recognized as one of the leading smart contract auditing entities, Ma’s perspective offers invaluable insights into the evolving challenges and paradigms of crypto safety.
In an interview with CryptoPotato that was held at Token2049 in Singapore, Ma delves deep into the current limitations of smart contract auditing, the varied nature of crypto hacks beyond just smart contracts, and offers a discerning guide on assessing the credibility of security audits.
Richard Ma’s journey in the world of cryptocurrency commenced with a direct and personal brush with its vulnerabilities.
“When I discovered Ethereum… I invested in the DAO (2016). A few weeks later, it got hacked with over $50 million taken. That’s why I launched Quantstamp.”
This unfortunate encounter transformed Ma from an investor to a luminary intent on fortifying the digital finance landscape.
Not Enough: The Limits of Smart Contract Auditing
The world of crypto is rapidly expanding, with projects mushrooming every day. Investors and users are constantly on the lookout for projects that not only promise high returns but are also safe. Here is where the ‘audited by’ tag comes into the picture. Projects promote this tag as a badge of safety and assurance. But is it enough?
“Yeah, audits are definitely not enough,” Ma begins, “and just saying ‘audited by’ is also not enough because about a third of all the projects that are audited, they don’t fix some serious issues they have.”
He elaborated on the gap between what auditors recommend and what projects choose to implement: auditors can highlight vulnerabilities, but the onus to fix them falls on the projects.
But the concerns don’t end there. “For a lot of projects, they’ll release a lot of things without getting audits and then wait until they have a bunch of updates and then get it audited all at once. And so that time in between audits, that could be risky.” Ma illustrated this by citing Nomad Bridge, among others, where small edits made between audits became the focal point of exploitation.
From Mt. Gox: Hacks – Well Beyond Smart Contracts
Ma’s depth of knowledge in crypto was evident as he delved into the multifaceted nature of hacks in the crypto space.
“Many of the biggest hacks in crypto, they’re not smart contract hacks. They’re exchange hacks or thefts from custody providers. One of the earliest big hacks was Mt. Gox, and that was an exchange exploit.”
Further widening the horizon of the conversation, he touched upon the threats that lie outside the realm of smart contract vulnerabilities. “There’s a lot of ways to hack those exchanges, custody providers. And also, people using Metamask often lose their private keys.”
Exploited Despite Being Audited: Determining Audit Credibility
When asked about the credibility of audits, Ma’s insights were keen and thought-provoking.
“The best way to get a feeling for the credibility of the audit is to simply take five of the previous audit reports and read through them.”
A good audit, in Ma’s perspective, is not one that merely points out the common issues but goes into the depth of a project’s design and functionality.
He emphasized the unique circumstances of each project. “For every single project, there are always some design considerations, and there are always some unique circumstances where in the audit report it should be explained.”
Over 700 Audits Completed
Quantstamp’s trajectory under Ma’s leadership highlights the importance of understanding and addressing these challenges head-on. Having performed over 700 audits and serving 600 active customers, Quantstamp is leading the charge to secure the future of digital assets.
“I think it’s important to remember that security is not a one-time thing but a continuous process. We need to evolve, adapt, and be vigilant at all times. At Quantstamp, we’re committed to that vision,” said Richard Ma, hinting at the bigger picture of crypto safety in the coming years.