Introducing Smart Contract Auditing Sandbox
February 15, 2019 — Founded in July 2018 with backing from top VC’s in Silicon Valley and Wall Street, AnChain.AI is on a mission to secure the blockchain world. In the past few months, we have been working closely with smart contract developers, crypto exchanges, ratings agencies, and ratings agencies as their trusted partners.
Today we are proud to announce the launch of the Smart Contract Auditing Sandbox, available on the AnChain.AI website. Any DApps, protocols, developers, investors, exchanges, etc. are now able to scan their code immediately.
The sandbox allows smart contract developers (currently supports Solidity) to quickly scan their smart contracts for known vulnerabilities, fully automated, in minutes. We believe most smart contract incidents, such as BeautyChain (BEC token) in April 2018, can be prevented by using our sandbox.
In this article, you will learn about our company’s motivations and inspirations, code security from Penn State University Professor Song, and the world’s first smart contract auditing sandbox.
Where Can I Access Smart Contract Auditing Sandbox (CAS)?
To access the smart contract auditing sandbox, please click here.
The Broken Smart Contract Auditing Business Model
On October 2018, an incident in the smart contract world illustrates how broken the blockchain smart contract auditing business model is.
We Got Spanked: What We Know So Far
At 6pm PST Saturday, an unknown attacker drained 165.38 ETH (~$38,000) from our payment channel smart contract which…
It was our decision to forego a security audit for the payment channel contract. We actually had Zeppelin conduct an audit (discussion here) which cost $17,000 for the previous unidirectional payment channels contract(which was far simpler by comparison). We considered that quite expensive, given that the most funds ever held by that contract only ever reached $17,000 in total.
To be clear, we deem Zeppelin a great company that has made significant contributions to securing Ethereum smart contracts (i.e. SafeMath libraries) in addition to the many other manual auditing firms and platforms out there.
Yet, we have a different approach to smart contract auditing, specifically from the perspective of security.
AnChain.AI’s founding team comes from well established companies in the cybersecurity industry. We would like to bring a fresh perspective to the smart contract code security business.
We believe the AnChain.AI Smart Contract Auditing Sandbox is the right approach to securing the vulnerable blockchain ecosystem, just as sophisticated malware detection sandboxes have been employed by leading cybersecurity companies, like FireEye, for over a decade and seen great success and market validation.
Code Security 101 — Professor Linhai Song
We are fortunate to have top minds from the cybersecurity industry and academia serving on our Advisory Board. Prof. Linhai Song of Penn State University gives us a quick introduction to “Code Security 101”.
The goal of Prof. Song’s research has been to help developers build more efficient, reliable, and secure software systems. If you are in research area of “Automated software bug/defect detection” or “concurrency bugs in Golang and Ethereum”, you probably have read Prof. Song’s research papers.
Prof Song and Dr. Victor Fang, Founder of AnChain.AI, worked together at FireEye (Nasdaq:FEYE), the world’s best malware sandbox company. He earned his CS Ph.D from Univ of Wisconsin-Madison.
By Prof. Song:
Automated software bug/defect detection techniques are usually built based on static or dynamic program analysis.
Static Analysis examine source code or intermediate code of a program and look for specific buggy code patterns, without executing the program.
For example, each lock operation needs to be followed by an unlock operation. Intuitively, one static detector can look for a control flow path, where there is only a lock operation and no corresponding unlock operation. If succeeds, the detector can report a concurrency bug. The advantage of static techniques is that they have better code coverage, since static techniques do not depend on testing inputs to execute a program. The disadvantage is that a lot of information, like pointer alias, cannot be calculated precisely using static analysis.
Dynamic analysis monitor a program during its execution and report bugs when observing buggy execution behaviors.
For example, a dynamic detection technique can monitor every array access and report bug when an access is out of the array’s boundary. The advantage is that almost all information during execution can be leveraged to build dynamic techniques. The disadvantage is that dynamic techniques depend on program inputs to run a program and it is usually difficult to achieve a good code coverage. To generate needed testing inputs, many techniques, like symbolic execution or fuzzing testing, are designed.
Features of Smart Contract Auditing Sandbox
A sandbox, simply put, is a specially designed virtual machine that can execute the opcode instructions in a restricted environment.
Sandbox techniques have been proven as the best means to detect Advanced Threat Malware families. For example, modern advanced malware is polymorphic, which will modify its bytes. Most Anti-Virus software still rely on signature based which is a hash of the payload bytes. Hence, these malware can easily bypass the AV detection since they’ve got a different hash, though they function similarly. By contrast, a sandbox will analyze the code execution behaviors and look for suspicious patterns in a fully automated fashion.
AnChain.AI CAS sandbox product has the following features built into it:
- Static analysis
- Dynamic execution
- Statistical ranking
Audit Report comprises of:
- Executive summary.
- Actionable recommendations on each found severe vulnerability.
- Style-box presents the audited contract statistical sandbox behavior standing.
- Identify the “Similar smart contracts” out of the entire Ethereum blockchain, by machine learning — clustering.
Thanks to AWS and Google Cloud, our fully automated sandbox has audited all 50,000+ smart contracts deployed on Ethereum blockchain mainnet.
Besides the vulnerability findings, we would like to highlight two unique features:
- Inspired by Morningstar, an investment research firm that provides stock ratings, our AnChain.AI Sandbox provides a style-box heatmap of where your smart contract stands amongst over 50K ETH smart contracts audited by AnChain.AI. We’re the first company to offer this style-box heatmap, and we believe this can help us understand the bigger picture of the dynamic smart contract security environment.
- By using clustering, a machine learning algorithm, we identify the most similar smart contracts ever deployed. AI powered blockchain security in action!
We believe these unique features combined with the detected vulnerabilities arm developers, DApps, exchanges and the entire industry to improve the security and auditing process behind smart contracts.
“The 5 A’s”: Design Principles of AnChain.AI’s Sandbox
- Automated: Our intelligent sandbox needs ZERO manual input. Analyzes both dynamically and statically scanning for known vulnerabilities. No need to annotate your code like some of the formal verification products.
- Accessible: Our sandbox is fully contained on a public container cloud. You can submit using copy and paste, uploading a file, copy/pasting a smart contract address, or employ a more private deployment option.
- Affordable: The sandbox democratizes smart contract audits. With a tiny fraction of the expensive manual expert auditing cost, we can prevent more vulnerabilities at the root.
- Agile: Astonishingly fast, enabled by the elastic cloud infrastructure. Why wait for days or weeks for an audit when our sandbox only needs a couple minutes or even less?
- Aesthetic: Lastly, we all love aesthetic products. We invested heavily in user experience and believe high-quality design can improve productivity in hunting down vulnerabilities.
In the past several months, our pilot customers across the world have been providing valuable feedback. They are decentralized in different continents: USA, Asia, Europe, and even Africa!
To name a few:
1. Jason Liu, CEO of IPFSbit, a leading IPFS blockchain storage startup based in Beijing.
2. David Ojeyemi, CEO of Agrolyte, based in Africa:
“Complete and 100% reliable audits are being done with errors detected in matter of seconds. If such kind of security agency is not topnotch, I don’t know what is. AnChain is the future of Blockchain Security!”
We look forward to hearing your smart contract stories with AnChain.AI sandbox!
A blockchain data analytics firm providing intelligence, indicators, and investigative resources for clients to enhance their security, risk, and compliance strategies.
Feel free to reach out to us directly at: firstname.lastname@example.org
With extensive experience in cybersecurity, artificial intelligence, cloud computing, and big data AnChain is continuously securing top-tier crypto exchanges, protocols, investors, custodians, and enterprise with our Blockchain Ecosystem Intelligence.