Callisto Network development insight (11/27/2019)
Callisto Network was founded with two main goals: improve the security of the smart-contract development industry and develop a reference implementation of Ethereum protocol improvements that could be used in Ethereum Classic.
To fulfill the main goals of the project, we identified four areas in which work was carried out:
- Facilitate the growth and the development of Ethereum Classic as well as develop a reference implementation of protocol improvement proposals for ETC.
- Develop a reference implementation of Cold Staking protocol.
- Develop a system for smart-contract auditing, paid at the protocol level.
- Develop a governance system.
The first three points have been successfully achieved by the Callisto team and community. It should also be noted that we have already proposed the developed features for Ethereum Classic, as mentioned earlier in this article.
Improving the security of the crypto industry.
One of the most important problems in the crypto industry is the numerous hacks of smart contracts, leading to the loss of user funds.
Analyzing most of these hacks, we can conclude that the main problem is the irresponsibility of smart-contract developers who do not pay attention to security when developing their DApps, who sacrifice security audits and bug bounties for the sake of a faster launch, or who fail to fix errors and deal with problems that occur after the launch of their DApp.
One of the goals of Callisto as a project is to not only help those developers who want to request a security audit, but also fight the irresponsibility of others who want to sacrifice the security of their customers.
How can we force DApp developers to pay attention to security?
The importance of mass media is evident nowadays. DApp security is a very abstract term in the crypto industry. However, the situation will change if an independent trusted party appears that provides impartial information about the various DApps.
This trusted party must not only provide information about the DApps that passed a security audit but also (1) mark the DApps that were never audited as “not audited”, thus highlighting the risks of using such a DApp and encouraging its developers to proceed with a security audit, and (2) highlight the risks of using a DApp with known bugs in case those were found during the audit but the developers did not fix them.
This scheme, however, is not viable in the case of ordinary private organizations providing security audits. Private security auditing organizations have no effect on those developers who do not want to request an audit and are not willing to pay for it. Here comes Callisto Network.
If there is no trusted independent security-related media source that provides information about DApps, then that is the reason for Callisto to become one.
We have a large portfolio of audited projects and a fine-tuned auditing workflow. We have received a number of proposals for improving the SEO and the representativeness of the auditing results.
How can Callisto Network benefit from it?
By creating such a service that provides information about a large number of audited projects, Callisto can receive a large amount of traffic and attention from various users.
Traffic can be monetized through advertising and affiliate programs in the same way as other information resources do (Coinmarketcap, DAppRadar, blockchain explorers, etc.). With wider adoption, this service can be used to fuel the further development of the project, and the revenues can be used to buy CLO on the market and burn it, similarly to how LEO, BNB and multiple other crypto assets are burned.
Do we need a special blockchain for this?
The short answer is “no”.
The reason for Callisto to be an independent blockchain is that it was intended to be a reference implementation of future ETC protocol improvements (which are already developed).
The described auditing scheme, media resources and core features of Callisto can be implemented in a token on another blockchain in theory.
Problems with the representation of Callisto audits and establishing a registry of audited DApps.
There are some problems that interfere with the ability of the Callisto team to build a set of tools that will improve the representation of performed audits.
1. The lack of automation of audit requesting.
It is necessary to implement a smart-contract for the governing of Callisto Security Department. This smart-contract should also preserve the history of audits and audit reports.
The Callisto Security Department is intended to be a DAO implemented as a smart-contract. We have a reference implementation of the DAO structure here. However, it turns out that Ethereum smart-contracts are not ideally suited to implementing this organization and automating its workflow. It would be too hard and cumbersome to use our current Ethereum-based Security DAO smart-contract in practice.
Currently the Security Department of Callisto is operated and governed by a security manager who strictly follows the rules that would otherwise be defined by the smart-contract.
While relying on a security manager is a viable solution, it has a serious drawback — the impossibility of automated integration of Callisto with third-party services. It should be possible for any service, such as a decentralized exchange, an informational website or a statistics service, to offer an option to request a smart-contract security audit at Callisto without any intermediate actors. This is only possible with the described DAO-like structure that uses smart-contracts to govern the workflow of the Security Department.
2. Organized database of audit reports.
It is necessary to implement a smart-contract that will preserve the security audit results and the associated data and automatically represent them.
Our current GitHub repo is a temporary solution that is suitable for organizing the workflow, but it is not suitable for presenting reports to non-technical users.
It is necessary to build a frontend (website) that presents audits in a more user-friendly form. This requires the implementation of a smart-contract that is responsible for the auditing-related activity. This contract must preserve the history of audit requests, the auditors’ statistics and the final results (audit reports).
Ethereum is not suitable for building this Security DAO.
Callisto Security DAO smart-contract must have the following functionality to:
- Automatically handle audit requests.
- Allow security auditors to sign-up and “become a member of Security team”.
- Allow registered auditors to pick available audit requests according to the assigned priority.
- Allow registered auditors and third-party verifiers to submit audit reports for the active security audits.
- Allow the security manager to assign/unassign auditors, check submitted audit reports, assign the severity of findings and assign the score of each involved auditor after the completion of each security audit.
- Preserve the score of each auditor and history of auditor’s activity.
- Preserve the data associated with each audit request.
- Ensure the necessary privacy so that during the security audit, the auditors could not access each other’s reports, while the manager could access each auditor’s report.
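The following Solidity sketch is an added illustration, not Callisto's Security DAO contract, of how the functionality listed above could be laid out on an Ethereum-style chain; all names are hypothetical. Because on-chain storage is public, the privacy requirement is met with a commit-reveal scheme: during an audit only a hash of each report is stored, the report itself is handed to the manager off-chain, and the public report URI is revealed (and checked against the hash) only after the manager closes the audit.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Illustrative skeleton, not Callisto's contract; hypothetical names. Reports never go
// on-chain while an audit is active: auditors commit a hash and reveal after closing.
contract SecurityDaoSketch {
    enum Status { Open, InProgress, Closed }
    struct Request { address target; uint8 priority; Status status; address[] auditors; }
    struct Report { bytes32 commitment; string uri; uint8 severity; } // uri set on reveal
    address public manager;
    Request[] public requests;
    mapping(address => bool) public isAuditor;
    mapping(address => uint256) public score;                      // cumulative per auditor
    mapping(uint256 => mapping(address => Report)) public reports; // requestId => auditor
    modifier onlyManager() { require(msg.sender == manager, "not manager"); _; }
    modifier onlyAuditor() { require(isAuditor[msg.sender], "not auditor"); _; }
    constructor() { manager = msg.sender; }
    // Any third-party service (DEX, stats site) can file a request without an intermediary.
    function requestAudit(address target, uint8 priority) external returns (uint256 id) {
        id = requests.length;
        Request storage r = requests.push();
        (r.target, r.priority, r.status) = (target, priority, Status.Open);
    }
    function register() external { isAuditor[msg.sender] = true; }
    // Registered auditors pick a request (a frontend would sort open ones by priority).
    function pick(uint256 id) external onlyAuditor {
        require(requests[id].status != Status.Closed, "closed");
        requests[id].auditors.push(msg.sender); requests[id].status = Status.InProgress;
    }
    // commitment = keccak256(abi.encodePacked(uri, salt)); nothing readable is stored.
    function commitReport(uint256 id, bytes32 commitment) external onlyAuditor {
        require(requests[id].status == Status.InProgress, "not active");
        reports[id][msg.sender].commitment = commitment;
    }
    // Manager reviews the off-chain reports, rates severity and scores each auditor.
    function close(uint256 id, address[] calldata who, uint8[] calldata sev, uint256[] calldata pts) external onlyManager {
        require(who.length == sev.length && who.length == pts.length, "length mismatch");
        for (uint256 i = 0; i < who.length; i++) {
            reports[id][who[i]].severity = sev[i];
            score[who[i]] += pts[i];
        }
        requests[id].status = Status.Closed;
    }
    // Reveal after closing; the commitment binds the auditor to the report they submitted.
    function reveal(uint256 id, string calldata uri, bytes32 salt) external {
        require(requests[id].status == Status.Closed, "not closed");
        Report storage rep = reports[id][msg.sender];
        require(keccak256(abi.encodePacked(uri, salt)) == rep.commitment, "bad reveal");
        rep.uri = uri;
    }
}
```

Every call in this sketch is a transaction that costs a fee, which is exactly the workflow drawback discussed in the text.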
Although it is theoretically possible to create a smart-contract for the Callisto Security DAO, this is not a good option, as it adds additional complexity and significantly worsens the workflow.
The main disadvantage is the requirement of a payment (tx fee) for each action. Currently there are alternative smart-contract development platforms that yield significant improvements, and we are investigating the possibility of creating the Callisto Security DAO on one of these new smart-contract development platforms.
Currently, EOS is one of the most suitable platforms for the implementation of this DAO, although EOS has a number of disadvantages (read this article for a more detailed overview). We are looking forward to integrating CLO with the EOS ecosystem and possibly with alternative EOS-based chains like TELOS, WAX, LYNX, etc.
There is currently a CLO-pegged token on the EOS chain and a centralized gateway.
The reason for integrating with the EOS ecosystem.
Callisto is intended to be a reference implementation of a self-securing smart-contract development protocol that pays for the security of its DApps. In practice it turns out that Callisto became a “protocol that pays for the security of other protocols without any return”.
This financial model cannot be sustainable in the long term, and we need to seek better opportunities for establishing a source of funding for the security department, token holders and decision makers.
EOS is intended to have a system of worker proposals and a number of parties interested in improving the security of the EOS ecosystem as well as sources of funding that can be deployed for ecosystem improvements in theory.
Putting it all together in a roadmap.
The following goals are currently relevant for Callisto Network:
- Callisto-to-EOS gateway and CLEOS (CLO-pegged token): the implementation of user-friendly UI and backend service handling crosschain swaps.
- Researching the possibility of implementing the Callisto Security DAO on EOS or alternative EOS-based chains.
- Development of a central information/statistical media source to collect and represent the data associated with performed, requested and ongoing security audits.
- Development of the Treasury Governance System UI.
- Researching the possibility of implementing the Callisto Governance system for the CLEOS token.