On November 12th, 2020, we announced the launch of QuickScan, an automated tool for scanning smart contracts to access vulnerabilities. Check our press release on Cointelegraph for more details.
What powers CertiK Security Oracle's Insights?
The CertiK Security Oracle provides real-time, on-chain security insights for smart contracts which enable users to assess any potential risk prior to interacting with a protocol, minimizing the chance that insecure smart contracts are utilized by a user base. Today, we’re shining a light on QuickScan, a new, unique tool CertiK is leveraging to assess smart contract security and empower the reliability and credibility of Security Oracle insights.
What is QuickScan?
QuickScan is a new security toolset that leverages automated scanning technologies to check deployed smart contracts against a wide range of known vulnerabilities at scale. The lean yet powerful tool produces highly accurate smart contract security scores, which indicate the risk potential for hacks and code malfunctions. Depending on the complexity, with QuickScan, it is estimated that it will take 40-60 minutes to complete a smart contract analysis.
How Does it Work?
CertiK QuickScan security score consists of a combination of static and dynamic technologies, which we call Security Primitives. Security Primitives are similar to security service endpoints, but are used for scanning smart contracts. Each Security Primitive assesses a specific security area against a smart contract and assigns an aggregated Security Score between 0-100.
Five Primitives of QuickScan
Currently, there are five QuickScan Security Primitives from two categories (Static Primitives and Dynamic Primitives) as stated below. We are actively integrating new Security Primitives into QuickScan.
Whitelist Primitive | Dynamic
Blacklist Primitive | Dynamic
Quality Primitive | Dynamic
Bytecode Analysis Primitive | Static
Source-Code Analysis Primitive | Static
Depending on its complexity, it takes roughly 40-60 minutes to complete a QuickScan as Primitives under the hood compute heavily in real-time. The final score calculated by each Security Primitive will be aggregated and weighed to produce an output in the form of a final security score.
For example, smart contract A runs through QuickScan and each Primitive returns scores as: Whitelist: 100; Blacklist: 100; Quality: 70; Bytecode: 85; Source-Code: 80. QuickScan would then return a security score of (100+100+70+85+80)/5=87;
Smart Contract B also runs through QuickScan and each Primitive returns scores as: Whitelist: 70; Blacklist: 100; Quality: 100; Bytecode: 85; Source-Code: 80. QuickScan would then return a security score of: (70+100+100+85+80)/5=87. Although two smart contracts have the same final score of 87, their security scores still differ from each other according to each primitive. Hence users might make different decisions depending on the scenarios they are facing.
While QuickScan could be leveraged as an automated toolset, it cannot replace a formal full audit. Security experts play a crucial role in analyzing complex business logic and unknown vulnerabilities specific to each organization.
QuickScan is a proprietary CertiK service, offered exclusively to existing and potential clients. For more information, simply fill out a form and our team will get back to you promptly.
Protect your community and your organization today. For inquiries or questions, get in touch with one of our team members via firstname.lastname@example.org