Introducing World’s First Smart Contract Auditing Sandbox — AnChain.ai Perspective on Code Security

Introducing Smart Contract Auditing Sandbox

February 15, 2019 — Founded in July 2018, and invested by top VCs from Silicon Valley and Wall Street, AnChain.ai has a mission to secure the blockchain world. In the past few months, we have been working closely with smart contract developers and crypto exchanges, who now consider us their trusted partner.

Today we are proud to announce the launch of the Smart Contract Auditing Sandbox, available on the AnChain.AI website.

The sandbox allows smart contract developers (currently Solidity) to quickly scan their smart contracts for known vulnerabilities, fully automated, in minutes. We believe most smart contract incidents, such as BeautyChain (BEC token) in April 2018, could have been prevented had our sandbox been available earlier.

In this article, you will learn about our motivations and inspirations, learn about code security from Penn State University Professor Song, and understand our world's first smart contract auditing sandbox.


Where Can I Access Smart Contract Auditing Sandbox?

To access the smart contract auditing sandbox, please click here.


The Broken Smart Contract Auditing Business Model

In October 2018, an incident in the smart contract world illustrated how broken the blockchain smart contract auditing business model is.

It was our decision to forego a security audit for the payment channel contract. We actually had Zeppelin conduct an audit (discussion here) which cost $17,000 for the previous unidirectional payment channels contract (which was far simpler by comparison). We considered that quite expensive, given that the most funds ever held by that contract only ever reached $17,000 in total.

We regard Zeppelin as a great company that has made significant contributions to securing Ethereum smart contracts, such as the SafeMath libraries. There are also various manual expert auditing firms and platforms out there.

The AnChain.ai founding team comes from the well-established cybersecurity industry. We would like to bring a fresh perspective to the smart contract code security business.

We believe the AnChain.ai Smart Contract Auditing Sandbox is the right approach to securing the vulnerable blockchain ecosystem, much as cybersecurity companies such as FireEye have employed sandbox technology for a decade to detect sophisticated malware.


Code Security 101 by Academic Expert

We are fortunate to have top minds from the cybersecurity industry and academia serving on our Advisory Board. Prof. Linhai Song of Penn State University gives us a quick introduction to “Code Security 101”.

The goal of Prof. Song's research has been to help developers build more efficient, reliable and secure software systems. If you work in the research area of “automated software bug/defect detection” or “concurrency bugs in Golang and Ethereum”, you have probably read Prof. Song's research papers.

Prof. Song and Dr. Victor Fang, Founder of AnChain.AI, worked together at FireEye (Nasdaq: FEYE), the world's best malware sandbox company. He earned his CS Ph.D. from the University of Wisconsin-Madison.

By Prof. Song:

Automated software bug/defect detection techniques are usually built based on static or dynamic program analysis.

Static analysis:

Static analysis examines the source code or intermediate code of a program and looks for specific buggy code patterns, without executing the program.

For example, each lock operation needs to be followed by an unlock operation. Intuitively, a static detector can look for a control flow path where there is only a lock operation and no corresponding unlock operation. If this succeeds, the detector can report a concurrency bug. The advantage of static techniques is that they have better code coverage, since static techniques do not depend on testing inputs to execute a program. The disadvantage is that a lot of information, like pointer aliases, cannot be calculated precisely using static analysis.

Dynamic analysis:

Dynamic analysis monitors a program during its execution and reports bugs when observing buggy execution behaviors.

For example, a dynamic detection technique can monitor every array access and report a bug when an access is out of the array's boundary. The advantage is that almost all information during execution can be leveraged to build dynamic techniques. The disadvantage is that dynamic techniques depend on program inputs to run a program, and it is usually difficult to achieve good code coverage. To generate the needed testing inputs, many techniques, like symbolic execution or fuzz testing, have been designed.
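A worked illustration of the dynamic-analysis idea above, applied to the kind of uint256 integer overflow the post cites for the BEC incident, as an added example that is not part of the original article or Prof. Song's text. It models the contract in plain Python (constructed balances and address names; a SafeMath-style checked multiply in the spirit of the library the post mentions) rather than executing real EVM bytecode.

```python
# Added example (not code from the AnChain.ai post or Prof. Song): a Python model of the
# uint256 multiplication overflow behind the April 2018 BEC batchTransfer incident, with a
# dynamic detector that watches arithmetic at run time and a SafeMath-style checked multiply.
MASK = (1 << 256) - 1  # EVM uint256 arithmetic wraps modulo 2**256

class Revert(Exception):
    """Models an EVM revert, e.g. SafeMath's assert() failing."""

def unchecked_mul(a, b):
    """Solidity < 0.8 semantics: the product silently wraps around."""
    return (a * b) & MASK

def safe_mul(a, b):
    """SafeMath-style mul: divide back to verify, revert on overflow."""
    if a == 0:
        return 0
    c = (a * b) & MASK
    if c // a != b:
        raise Revert("multiplication overflow")
    return c

class OverflowMonitor:
    """Dynamic detector: records each multiply whose wrapped result != true product."""
    def __init__(self):
        self.findings = []
    def mul(self, a, b):
        wrapped = unchecked_mul(a, b)
        if wrapped != a * b:
            self.findings.append(("uint256 mul overflow", a, b, wrapped))
        return wrapped

def batch_transfer(balances, sender, receivers, value, mul):
    """Model of batchTransfer(address[] receivers, uint256 value). With an unchecked
    mul, 'amount' can wrap to 0, so the balance check passes for an empty balance."""
    amount = mul(len(receivers), value)
    if not (0 < len(receivers) <= 20 and value > 0 and balances.get(sender, 0) >= amount):
        raise Revert("require failed")
    balances[sender] = balances.get(sender, 0) - amount
    for r in receivers:
        balances[r] = (balances.get(r, 0) + value) & MASK
    return amount

def run_scenario(mul):
    """Two receivers, value 2**255: 2 * value == 2**256 wraps to 0 (constructed state)."""
    balances = {"sender": 0, "r1": 0, "r2": 0}
    try:
        batch_transfer(balances, "sender", ["r1", "r2"], 1 << 255, mul)
        return ("ok", balances)
    except Revert as e:
        return ("revert", str(e))
```

Calling run_scenario with an OverflowMonitor's mul shows what the dynamic detector observes on the wrapped path, while calling it with safe_mul shows how checked arithmetic turns the same input into a revert.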


Features of Smart Contract Auditing Sandbox

A sandbox, simply put, is a specially designed “virtual machine” that can execute opcode instructions in a restricted environment.

Sandboxing has proven to be the best technique for detecting advanced-threat malware families. For example, modern advanced malware is “polymorphic”: it modifies its own bytes. Most anti-virus software still relies on “signature-based” detection, where the signature is a hash of the payload bytes. Hence, such malware can easily bypass AV detection because it has a different hash, even though it functions the same way. A sandbox instead analyzes code execution behavior and looks for suspicious patterns, in a fully automated fashion.

The AnChain.ai CAP sandbox product has built in:

  • Static analysis
  • Dynamic execution
  • Statistical ranking

The audit report comprises:

  • Executive summary.
  • Actionable recommendations on each found severe vulnerability.
  • A style-box that presents where the audited contract's sandbox behavior stands statistically.
  • Identification of the “similar smart contracts” across the entire Ethereum blockchain, by machine-learning clustering.

Thanks to AWS and Google Cloud, our fully automated sandbox has audited all 50,000+ smart contracts deployed on the Ethereum mainnet.

Besides the vulnerability findings, we would like to highlight two unique features:

  1. Inspired by Morningstar, an investment research firm that provides stock ratings, our AnChain.ai Sandbox provides a style-box heatmap showing where your smart contract stands among the over 50K ETH smart contracts audited by AnChain.AI. We're the first company to offer this style-box heatmap, and we believe it helps with “situational awareness”.
  2. By using clustering, a machine learning algorithm, we identify the most “similar smart contracts” ever deployed. AI powered blockchain security in action!

We believe that with these unique features, combined with the vulnerability findings, developers and exchanges can improve the security of the audited smart contract.


Design principle of AnChain.ai sandbox, the 5 A’s

We have spent months working with developers, exchanges, token rating firms, etc. to understand their pain points.

We summarized what we learned into these five “A” design principles, which shape our AnChain.ai sandbox:

  • Automated: The intelligent sandbox needs ZERO manual input. It analyzes both dynamically and statically and scans for known vulnerabilities. No need to annotate your code as some formal verification products require.
  • Accessible: Our sandbox runs entirely on a public container cloud. You can submit via the online IDE by copy and paste or by uploading a file.
  • Affordable: The sandbox democratizes smart contract audits. At a tiny fraction of the cost of expensive manual expert auditing, we can prevent more vulnerabilities at the root.
  • Agile: Astonishingly fast, enabled by elastic cloud infrastructure. Why wait days or weeks for an audit when the sandbox needs only a couple of minutes or less?
  • Aesthetic: Lastly, we all love aesthetic products like iPhone and Tesla. We invest in User Experience, and believe good design can improve productivity in hunting vulnerabilities.

Customer Testimonials

In the past several months, our pilot customers across the world have been providing valuable feedback. They are spread across different continents: USA, Asia, Europe, and even Africa!

To name a few:

1. Jason Liu, CEO of IPFSbit, a leading IPFS blockchain storage startup based in Beijing.

2. David Ojeyemi, CEO of Agrolyte, based in Africa:

“Complete and 100% reliable audits are being done with errors detected in a matter of seconds. If such kind of security agency is not topnotch, I don't know what is. Anchain is the future of Blockchain Security!”

We look forward to hearing your smart contract stories with AnChain.ai sandbox!


This article is contributed by:

  • Victor Fang, Founder & CEO, AnChain.ai
  • Aram Hami, Marketing Manager, AnChain.ai
  • Prof. Linhai Song, Computer Science, Pennsylvania State University.

About AnChain.ai

AnChain.ai is a Silicon Valley based, AI-powered blockchain security company, invested by top VCs from both Silicon Valley and Wall Street: Amino Capital, Susquehanna International Group (SIG), CRCM, etc. The founding team has extensive experience in cyber security, artificial intelligence, cloud and big data, and previously worked at FireEye, Mandiant, EMC/RSA, Yahoo, Google, Amazon, Pivotal, etc. AnChain.ai is continuously securing top-tier crypto exchanges and DApps worldwide by providing actionable value with its two products, the Situational Awareness Platform (SAP) and the Smart Contract Auditing Platform (CAP):

The Situational Awareness Platform (SAP) proactively protects crypto assets by providing proprietary artificial intelligence, a knowledge graph and threat intel on blockchain transactions. The SAP is able to detect and even predict vulnerabilities and threats before and after they occur. AnChain.ai detected the first Blockchain APT (BAPT) hack in history, BAPT-FOMO3D, which stole $4 million worth of ETH. SAP has been protecting $8M in weekly transactions for the world's top DApps.

The Smart Contract Auditing Platform (CAP) is a cloud-based smart contract auditing sandbox that scans for most known vulnerabilities, such as re-entrancy, overflow, etc. The CAP is fully automated, fast at scanning, accessible in the cloud, and connects to professional auditing experts. CAP is trusted by the world's leading crypto exchanges and DApp developers.
