On October 1, 2018, @RideSolo, @yuriy77k, and @gorbunovperm, the Callisto security audit team, answered questions from the community about smart contracts security audits.
Hello, @RideSolo, @yuriy77k, @gorbunovperm

How does the team handle the priority of smart contracts that need to be audited, and what are the future plans?

We primarily audit solidity smart contracts compatible with Ethereum Virtual Machine (ETC/ETH/CLO/QTUM).

We recently started auditing EOS contracts, which are different from ETC/ETH/CLO and other Ethereum-compatible blockchains.

Can you give some statistics about the audits done?

For the current month, we completed about 15 audits.

Where do we stand with the management platform of requests/replacement of Github? Also, is it open for everyone to read?

This platform will be open for everyone, and developers will be able to see the progress of audits.

Is there a plan to host contracts on CLO blockchain directly to provide a better or different infrastructure than others in the market?

Yes, we invite developers to our network.

Anyone can deploy their dApp/token/ICO on Callisto Network; however, if your question is about the marketing plan, that is beyond my power to answer.

Do you have any plans to buy off influencers to promote Callisto (Suppoman and others)?

This question is not for the security department.

Nobody knows anything about the security audit. Can you tell us something about the plans of the Security Audit team?

We plan to increase the number of audits to 60 per month and establish a department for the audit of EOS contracts.

Will the team perform an audit on the Cold Staking SC? As millions of Callistos will be involved, it must be a secure contract.

Of course, we plan an audit and a bug bounty. We all understand the importance of such contracts, so no risks are going to be taken.

How many auditors are there on the team now? And don’t you think 60 audits/month will make a very long queue?

We have 6 auditors in the Solidity team and 1 for EOS. If the queue grows, we’ll hire more auditors.

How many auditors are needed for 1 smart contract, or does one auditor do the audit? Excuse me. I’m just a miner, but it’s essential if I want to spread the word. How is the audit performed in detail?

Three auditors make an independent audit of the smart contract, then I review their reports and make a conclusion.

You said you have done 15 audits this month. How many issues did you find? Do you always find something?

I find medium issues frequently and fewer high severity issues. A high severity issue is more like a direct exploit where a hacker can directly take advantage of the contract.

About 1/5 of audited smart contracts contain High severity issues.

What prevents you from keeping it to yourself and exploiting it by yourself?

I’m paid more when I find high severity issues, and if I hide it, other auditors can find it anyway. So it is more than safe to audit with the Callisto team?

When I think of security, I think of a big man at the door. What do you actually check? Is it code?

We conduct a thorough analysis of the code and testing.

Looking at the code, we analyze the logic of the contract and look for weaknesses.

Why don’t you publish your statistics on the work done on audits of smart contracts?

Currently, our reports are published on GitHub, and everyone can see them:

https://github.com/EthereumCommonwealth/Auditing

Is this your full-time job?

It was almost a full-time job for the last month, but not full time since I’m currently a PhD student.

The issues you find: are they made intentionally, or are they rather ‘typos’?

There’s often a problem with the logic.

What happens after you found a severe issue and the developer decides not to address it and asks for the results not to be made public?

If serious vulnerabilities are found, we give the developer 15 days to fix everything and then publish the GitHub report. If the issue is not serious, we publish it immediately.

End of AMA

Appendix

Previous Ask Me Anything sessions with Callisto team:

Yohan Graterol’s Ask Me Anything on 21/09/2018.

Yohan Graterol’s Ask Me Anything on 10/09/2018.

Miscellaneous

Why audit a smart contract?

Trust the Blockchain, Audit the Smart Contracts.