The 4th KIR : Quantstamp_RT-Monitor _Progress Report(1)

KIR Quantstamp RT Monitoring: Final Progress Report

Summary
Quantstamp created a RT monitoring system for Klaytn. This status update is the final update
in the first phase of the Quantstamp RT Monitoring Project for the Klaytn blockchain.
This document is an update to the engagement and creation of a real-time Security
Monitoring Solution (RT-Monitor) to detect any abnormal transactions for the Klaytn
blockchain. We customized the different types of analyses based on the needs of Klaytn and
on the advice of its team. We were able to build a novel and new way to analyze Klaytn
tokens and smart contracts. During this process, we created a product that monitors for
overflow issues (that may occur due to malicious minting or the batch-overflow bug),
mint/burn events, and contract owner changes. With the integration and use of the monitoring
software, Klaytn now has enhanced security monitoring abilities. Klaytn ecosystem and users
will now benefit from our experience as researchers, software engineers, and security
auditors. Quantstamp has observed the best processes and models for real-time monitoring
solutions and other security measures, these methods have been implemented into the Klaytn
real-time security monitoring solution.

Project Milestones and Schedule Update

Milestones:

Ramp Up: Start: October 1st. End: October 9th (Complete)

1. Ramp-up on Klaytn Infrastructure (2 days) – The RT Monitor requires a provider node,
   preferably supporting the standard web3 API, in order to interact with the blockchain.
   Documentation will be reviewed. This may require discussions with the Klaytn team.
   The RT monitor system relies on the KAS provided by Klyatn.
2. Investigate Klaytn Web3 compatibility (1 day) – The RT Monitor utilizes the standard
   web3 API to query the blockchain data provider. In order to ensure that our service will
   behave appropriately with the Klaytn provider (i.e., all used web3 functionality is
   supported), we must perform testing.

Deliverables: Technical specifications

Port: October 9th. End: October 30th_(Complete)

1. Create app infrastructure and pipeline (2 days) Create new app instance for port,
   configure deployment
2. Add tokens to RT Monitor port (2 days) - Quantstamp will configure the RT Monitor
   to monitor a set of token contracts as provided by the Klaytn team. Testing will be
   performed to ensure that the monitoring service behaves as expected.
3. Rebrand UI (1 week) - Customize RT Monitor branding and style/color scheme,
   updating links

Testing and QA: Start: November 2nd. End November 27th (Complete)

1. Test various systems of the RT monitor - alerts, notifications, detectors
   Optional extensions: Can be complete in a follow-up engagement (it will
   require more time / milestone adjustments)

2. Monitoring of non-token smart contracts (1 week+) – If there are Klaytn smart
contracts that we wish to monitor that have functionality beyond typical token contracts,
the RT Monitor can be extended to support them. For example, we have previously
extended the RT Monitor to monitor oracle-based contracts, ensuring that trusted
oracles behave as expected. These extensions would be smart contract specific, and
would require some additional development and testing. The time-frame of these
extensions would scale with the complexity of the desired extensions.
**Revised. on Jan 12th

Key Deliverables Update

Week of October 19 – Complete
Introduced to Colin and Andy from Klaytn technical team. Scoped out the technical capabilities
of the KAS system.

Week of October 26 – Complete
Provided Colin and Andy access to Quanstamp Ethereum real-time monitoring system. Klaytn
team assessed the feature set.

Week of November 2nd – Complete
Quantstamp provided Klaytn team with design and layout of the intended real-time monitoring
system for Klaytn blockchain. Klaytn team requested additional features that Quantstamp team
implemented.

Week of November 9th – Complete
Quantstamp provided to Klaytn an interactive frontend including the rebranding and restyling to
test the interface.

Weeks November 16 and November 23 – Complete
Quantstamp merged front-end and back-end of Klaytn real-time monitoring service. Monitoring
system has undergone exhaustive testing and QA.

Week of November 30 – Complete
Delivered final production environment. The final dashboard can be found here:

Budget
List all activities where operating expenses incurred.

1. a) Budget: 320,614.84 KLAY
2. b) List of Activities incurring operating expenses
   Klaytn has agreed to make payment to Quanstamp for $20,000 per engineer-week (an
   equivalent of $500 per hour at 40 hours per engineer week). The effort estimated in this
   engagement was accurate. The services rendered were delivered in a timely manner. The
   Quantstamp team met with Klaytn team weekly to keep updated and on time.
   Quantstamp delivered the final product to the KIR team. At the completion of the project
   both teams discussed the final product and the additional features that were completed for
   Klaytn.
   The table below summarized the final expenses for this engagement:

image724×507 20.3 KB

@Prop_Quantstamp_KH Thank you for uploading the progress report.

Most things on the report look fine, but the dashboard https://klaytn-monitoring.quantstamp.com/dashboard seems responding too slowly. It takes too much time (probably more than a minute) for the dashboard to show up. Could your team investigate why the dashboard is working heavily and slowly and also fix any performance issues on the dashboard?

@Prop_Quantstamp_KH
Thanks for your update.

I would like to give some feedback like below. Please consider them in next phase.

• Website is too slow. For me, It is very hard to use. Mobile website is also slow.
• In your report, you tested the website and your system. Could you share/open the QA test case and result? It will be helpful for other KIR project like your project.
• In “Monitoring of non-token smart contracts”, is there any work which your team did? If you have, please update the report, If you don’t, please remove that content.
• Do you have any plans to open source the results of this project?

@GroundX_Ethan
Thanks for your feedback. Here below is our response:

1. Quantstamp has fixed the performance issue and it is very fast. To enjoy the good performance, the user should “do a hard refresh and clear their cache”. Hard refresh is holding the control/command key and clicking refresh. If you still have the performance issue even after the hard refresh, please let us know.
2. “Monitoring of non-token smart contracts” paragraph removed from the progress report.
3. We do not plan to open our source code.

As for the QA test case and result, "We have unit tests in the code that were written for this use case. However this is a closed source project so they are not available to share.

Hello, Quantstamp team @Prop_Quantstamp_KH
the progress report review is done. Thanks for your active participation.
Additional KLAY funding will be implemented on Jan 27th.
(*the date may be slightly changed depending on operation issues. )