A service which checks for security flaws in smart contracts on the Ethereum blockchain is now revising its own procedures after falsely detecting vulnerabilities in a new cryptocurrency wallet.
Quantstamp is the security auditor in question. On the 1st of April it flagged some security vulnerabilities in a new wallet launched by Bancor, a Switzerland-based decentralised cryptocurrency exchange.
Quantstamp offers security checks of smart contracts for a fee of 25 QSP (the Quantstamp native token). It appears that a user paid for an audit of the Bancor wallet and published the results, which showed a number of security flaws. The results of the audit were discussed on Reddit in a discussion entitled “Public audit: Bancor vulnerability found”, and the story was reported by news outlets such as The Merkle and CoinDimes (the latter has since updated its report).
Bancor is a fairly big operation, raising more than $135 million in its 2017 initial coin offering, which is why people were concerned.
After a short time, Quantstamp withdrew its report and a user called JaredQSP posted in the Reddit message thread: “We have checked it and found it to be a false positive. We have adjusted our practices for future events like these.”
Bancor co-founder Galia Benartzi said:
“The false report which caused Bancor’s smart contracts to be incorrectly flagged as insecure focused on the interaction calls between Bancor smart contracts during Bancor’s automated token conversion process. What the initially false report ultimately revealed is the ability of Bancor smart contracts to serve as secure token converters which cannot be exploited by an illegitimate converter attempting to modify a token’s conversion path.”
The results of the Bancor report are no longer accessible on the public report page of the Quantstamp website and the following message appears at the top of the page:
We reported on the release of the wallet last week. It allows users to convert tokens to other tokens without the involvement of a counterparty. More than one hundred different tokens are available for exchange, with more to be added on a regular basis.