Today we are very pleased to announce the formation of the Ethereum Trust Alliance (ETA). The ETA is a group of global blockchain security companies that are creating a security rating system for smart contracts to help users gain greater awareness of smart contract security and differentiate contracts which have gone through rigorous security checks. The founding members are MythX, Quantstamp, Runtime Verification, Sooho, SmartDec and ConsenSys Diligence.
The Ethereum ecosystem is growing, but for it to truly become a global settlement layer for all types of transactions across all types of industry sectors, there must be an indicator of the level of trust in the security of the smart contracts that power those transactions. Automated analysis tools and audit firms have become more sophisticated in the ways in which they can assure a developer that smart contract security issues are found and fixed. The industry has further made sure that best practice guides and lists of known vulnerabilities are well known. Yet for the industry to further evolve, we believe that a ratings system for security in smart contracts is absolutely necessary.
Why do we need security ratings?
In order for Ethereum to be trusted for financial transactions and management of large stores of value via decentralized applications, users and institutions must have more accurate information regarding risk. As we have seen many times, it only takes one small flaw in smart contract code to lock up or lose tens of millions of dollars in an instant. Today there is no way to easily tell that one smart contract has been through a full security audit by a professional team while another has not, yet we click the send button anyway.
Credit ratings agencies such as Moody’s are designed to inform the public about the relative risk associated with a particular financial asset. Similarly, ETA ratings are designed to signal to the Ethereum community which smart contracts have been through certain levels of rigorous testing to help ensure that vulnerabilities have been addressed. The higher the ETA level the lower the associated risk.
How will ETA ratings be used?
The ETA will create a registry of smart contracts, where anyone can easily query the security rating level of a smart contract. With this, a variety of use cases will be enabled. Ethereum wallet users will see a contract’s security rating before they send tokens to it and executives and investors will be able to easily determine the risk level of smart contract systems. Exchanges can require a specific ETA rating level before new tokens are listed. Multi-member consortia with smart contracts created by multiple entities can require an ETA rating before they are published, and organizations will be able to include the ETA ratings in their internal (or external) risk analysis and assessment.
If only we had these ratings during the ICO boom of 2017, we believe that many of us who were woefully uninformed about fundamental risk indicators would have had the information required to make better decisions.
This announcement of formation concludes Phase 1 of the ETA. We are now beginning work on the first specification, to be delivered in Q1 2020, which will include:
1. Rating level definitions and requirements
2. Security tools and auditor requirements
3. A process for the application and issuance of ratings badges
4. Specifications for the API and registry
After publishing the specification, we will begin community trials and testing of the API and Registry as we prepare to go live.
We thank you for your interest and support!
Tom Lindeman, MythX
Grigore Rosu, Runtime Verification
Richard Ma, Quantstamp
John Mardlin, ConsenSys Diligence
Jisu Park, SooHo
Sergei Pavlin, SmartDec