Streamr Monoplasma Blockchain Audit Overview

CertiK | Mar 31, 2020


Streamr is an open-source, crowdfunded, decentralized platform for real-time data.

The Streamr Network, the backbone of Streamr, transports streams of messages from data publishers to subscribers and appears to users as a global messaging service. Built on top of the network is the Streamr Marketplace, an application built on the Ethereum blockchain that enables users to buy and sell access to real-time data streams on the Streamr Network. The Marketplace offers data producers the opportunity to monetize their data or make it freely available.

Monoplasma is an off-chain solution for community products (products that allow end-users to pool and sell data) on the Streamr Marketplace. Its purpose is to provide a scaling solution for one-to-many payments for any system that needs to:

  1. Distribute value to a large and dynamic set of Ethereum addresses
  2. Allow recipients to accumulate value over time
  3. Withdraw tokens at their preferred moment

“The Monoplasma framework is reusable and un-opinionated, and as such, it’s a piece of software that might help others too. That’s why we wanted to make it standalone as a (hopefully useful) contribution to the Ethereum scaling space.” -- Henri Pihkala, CEO of Streamr

The Audit Process

The goal of CertiK’s audit was to review the source code for Streamr’s Monoplasma smart contract with its full Solidity inheritance chain. The outcome represents a certification that the verified smart contracts are robust enough to avoid any potentially unexpected loopholes.

The auditing process paid special attention to the following considerations:

  1. Testing the smart contracts against both common and uncommon vectors
  2. Assessment of the codebase for best practice and industry standards
  3. Ensuring the contract logic meets the specifications and intentions of the client
  4. Cross-referencing contract structure and implementation against similar smart contracts produced by industry leaders
  5. Thorough line-by-line manual review of the entire codebase by industry experts

For any inconsistencies discovered between the actual code behavior and the specification, CertiK would consult with Streamr for further discussion and confirmation.

Results

The CertiK team looked at the authoritative roles, commits, proofs, and the withdrawal functionalities. The code review tested the following vectors, among others:

  1. Overflow and underflow: An overflow or underflow happens when the result of an arithmetic operation goes past the maximum or minimum value a type can hold
  2. Incorrect Control Flow: The control flow is incorrectly implemented
  3. Incorrect Arithmetics: May give inaccurate results
  4. Reentrancy Attacks: Malicious contracts can call back into the calling contract before the first invocation of the function is finished
  5. Replay Attacks: Can be used to replay a message or data transmission in a different context than intended

No vulnerabilities, either major or minor, were found in any of the areas. After an additional holistic analysis, the contracts were proven robust and mathematically correct.

About CertiK

CertiK leads blockchain security by pioneering the use of cutting-edge Formal Verification technology on smart contracts and blockchains. Unlike traditional security audits, Formal Verification mathematically proves program correctness and hacker-resistance. CertiK was founded by Computer Science professors of Yale University and Columbia University, securing over $5B in assets, including many of the world’s top projects.

The research efforts of CertiK have received grants from IBM and the Ethereum Foundation, and notable investors include Binance Labs, Bitmain, Lightspeed Venture Partners, Matrix Partners, and NEO Global Capital, among others.

To request the audit/verification of your smart contracts, please email audit@certik.io or visit certik.io to submit the request.

Twitter: https://twitter.com/certikorg

Reddit: https://www.reddit.com/r/CertiKOrg/

Telegram: https://t.me/certikorg

LinkedIn: https://www.linkedin.com/company/certik

About Streamr

Streamr is working on the real-time data protocol of the decentralized web. This includes a scalable, low-latency and secure P2P Network for data delivery and exchange. As part of the vision, Streamr is working on a real-time data Marketplace. Functional versions of each component exist today, with full decentralization being the project’s goal over the next few years. The project was started by real-time data veterans with backgrounds in algorithmic trading and finance markets. Streamr is being built by contributors from around the world and was crowdfunded via ICO with $30M in October 2017. To learn more, visit streamr.network. You can follow Streamr on Twitter, Reddit, Telegram and LinkedIn.

Twitter: https://twitter.com/streamr

Reddit: https://www.reddit.com/r/streamr/

Telegram: https://t.me/streamrdata

LinkedIn: https://www.linkedin.com/company/streamr-network/