AMA with Callisto Security Audit team 01/10/2018

Hello, @RideSolo, @yuriy77k, @gorbunovperm

How does the team handle the priority of smart contracts that need to be audited and what are the future plans?

We primarily audit solidity smart contracts that are compatible with Ethereum Virtual Machine (ETC/ETH/CLO/QTUM).

We recently started auditing EOS contracts, which are different from ETC/ETH/CLO and other Ethereum-compatible blockchains.

Can you give some statistics of the audits done?

For the current month we completed about 15 audits.

Where do we stand with the management platform of requests / replacement of Github? Also, is it open for everyone to read?

This platform will be open for everyone, and developers can see the progress of audits.

Is there a plan to host contracts on CLO blockchain directly for the sake of providing a better or different infrastructure than others in market?

Yes, we invite developers to our network.

Anyone can deploy his dApp/token/ICO on Callisto network, however if your question is about marketing plan, that will be over my power to answer it.

Do you have any plans to buy off influencers to promote Callisto (Suppoman and others)?

This question is not for the security department.

Nobody knows anything about security audit. Tell us something about the plans of the Security Audit team?

We plan to increase the number of audits to 60 per month, and also establish a department for the audit of EOS contracts.

Will the team perform an audit on the Cold Staking SC? As millions of Callisto’s will be involved, it must be a secure contract.

Of course, we plan an audit and a bug bounty. We all understand the importance of such contracts so no risks are going to be taken.

How many auditors are there in the team now? And don’t you think 60 audits/month won’t make a very long queue?

We have 6 auditors in the Solidity team and 1 for EOS. If the queue grows we’ll hire more auditors.

How many auditors are needed for 1 smart contract, or is the audit done by one auditor? Excuse me, I’m just a miner, but it’s important if I want to spread the word. How is the audit performed in detail?

3 auditors make independent audits of the smart contract, then I reveal their reports and make a conclusion.

You said you have done 15 audits this month. How many issues did you find? Do you always find something?

Personally, I find medium issues frequently, and fewer high severity issues. A high issue is more like a direct exploit where a hacker can take direct advantage of the contract.

About 1/5 of audited smart contracts contain High severity issues.

What prevents you from keeping it to yourself and exploiting it by yourself?

I’m paid more when I find high severity issues, and if I hide it other auditors can find it anyway. So it is more than safe to audit with callisto team 🙂

When I think of security, I think of a big man at the door. What is it you actually check? Is it code?

We conduct a thorough analysis of the code and testing.

Looking at the code, we analyze the logic of the contract and look for weaknesses.

Why don’t you publish your statistics on the work done on audits of smart contracts?

Currently, our reports are published on GitHub, and everyone can see them:

https://github.com/EthereumCommonwealth/Auditing

Is this your full time job?

For the last month it was almost a full time job, but not full time since currently I’m a PhD student.

The issues you find: are they made intentionally, or are they rather ‘typos’?

There’s often a problem with the logic.

What happens after you find a severe issue and the developer decides not to address it and asks for the results not to be made public?

If serious vulnerabilities are found, we give the developer 15 days to fix everything and then publish the report on GitHub. If the issue is not serious we publish it immediately.

End of AMA