Callisto Network security department.

In this article I will describe the situation in the security department with my opinion on this.

Callisto Network as a security platform.

Fundamentally, there is a number of differences between Callisto and regular auditing companies. The main clients of audit companies are contract developers themselves who want to make sure that the contracts they have developed are secure. It was assumed that the main customers of Callisto will be investors who want to ensure the security of smart contracts in which they want to invest their money so as not to become victims of hackers.

Main issues in the development of the Callisto Security Department.

1. Structure of the Security Department.

We also have a goal to form an open market for audits and audit services. This means that we must establish a structure which will allow auditors to contribute in “freelance style”.

However, such a decision may affect the quality of audits. Currently, at least three full time auditors conduct each audit. By allowing third parties to participate in audits we risk getting lower quality reports. Therefore, it was decided that each audit should be conducted by at least two full-time auditors + one more full-time auditor or a third party auditor. Thus, at least two trusted auditors will participate in each audit.

Current stage: we have a proposal to implement an experimental hiring / contributing system which should solve this goal.

2. Reward calculation.

On the one hand, we need to achieve high quality of audits, on the other hand, it is necessary to allow auditors with little experience to participate and get paid.

The work efficiency can be increased by increasing the payments to auditors for finding errors and increasing penalties for not finding errors. However, not all contracts contain errors and auditors have no clue about whether they can theoretically find errors in contract they audit or not. Thus it is necessary to maintain payment for the work performed at a high level even without premiums for error reporting.

On the other hand, this approach opens up a strategy for auditors to maximize the amount of work performed by sacrificing the quality. In this case, auditors theoretically can accept audit requests and report no mistakes without even spending significant amount of time on contract code check. By “hoping that everything is fine and providing a report as if it is so” auditors could earn significant score.

It is necessary to find the right balance between the reward for finding errors, penalties for missing errors and the amount of work performed in the absence of reported errors.

Current stage: proposal #59 is intended to resolve this problem, however the right balance is difficult to find in absence of competitiveness between auditors.

3. Competitiveness and scalability.

The same can be said about scalability. We could form the EOS Audit Department, but this will require extra expenses.

Someone might say that we can start charging fees for audits. I am absolutely sure that this will not bring any benefit to the project.

  • First, our main clients should be investors, not contract developers. Investors most likely will not pay for an audit of a project in which they have not yet invested their funds.
  • Secondly, we will engage into competition with ordinary audit companies. The difference is that ordinary audit companies do not have a whole network with its own emissions and value. The entire income from company audits is spent on maintaining employees, while in Callisto, in addition to auditors, there are still many aspects of the project.
  • Callisto will not be able to fulfill its main mission if we start charging for audits, as in this case there will be projects that no one will audit or request an audit for and this projects will possibly cause damage to the entire crypto industry in the same way as it was with TheDAO or Parity Multisigs.

Current stage: there are 4 full-time auditors in Callisto. You can observe the workflow and statistics in an open google table or at github.

4. The issue of incentivisation.

In real terms, there are not so many auditors and they know each other, which is a consequence of the problem (3) “Competitiveness and scalability”.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store