OmiseGO AMA 29: OMG Network Audits with Vansa & Kasima

In Blog, OMG Network by OMG Network

For our first AMA of the year we invited our CTO, Kasima, and CEO, Vansa, to respond to community questions around the (1) audits, (2) business-adoption, and (3) public release of the OMG Network. You can find a transcript of the AMA below the video.

Q1: Is the finalization of this audit enough to start allowing partners and Omise to utilize the OMG network for real transaction?

Kasima: Completion of the audits was a major milestone for us, and like I mentioned in the tech update, it took a lot of work to get there and we’re proud of it. However, in the same update I said that it’s just one component of a much larger system, and this is true of all layer-2s.

The smart contracts themselves are a critical piece, but we have two other services — the child chain and watcher — that need to work together to run the plasma protocol. And so, our focus now moves over to those two to ensure we have all production-readiness put in place to operate them.

There is a pile of work to do to get there. This includes beefing up security, making sure the permits are good, ensuring proper monitoring, and setting up processes to take care of these moving parts. We’re going to be cautious about this, and just like our audit recommendations, are going to take things step-by-step to slowly bring this load on to the system.

Vansa: To round up, because we always get the question, we’ll make our services public when we and our auditors feel like it’s responsible to do so.

Q2: In the audit you found some medium level security issues. Could you explain to us what these issues were?

Vansa: Kasima and I were discussing the audit findings earlier and the four big points that stuck out to me were: input validation, removal of unused code, denial of service attacks, and UTXO fragmentation.

Kasima: I’ll do my best to explain these at a high level. (We’ll also release a separate blog that goes into more detail than this answer at a later date.)

  1. Input validation: While our input validation function operated correctly, it also opened the door for someone to craft a certain kind of input that would allow ‘invalid’ inputs to be accepted.
  2. Unused Code: Let me amend that by saying we’ve removed currently unused code which the auditors saw as unnecessary complexity for the 1st version of our framework. And while we took the code out to avoid security issues, we still have the option to put it back in when we want to.
  3. Denial of service attacks: This was around the gas stipend on calling a function known as “process exits,” which the network now handles better.
  4. UTXO fragmentation: If your UTXO is less than the cost it takes to exit the UTXO, it’s not worth paying for an exit. To bypass that, we now allow people to merge UTXOs for free. In business-speak, if you have a 25 cent UTXO and the exit cost is more than that, you can merge your 25 with multiple 25’s to turn it into 1 dollar, and use that dollar to exit instead.

Vansa: Another lesson we learned during the audit was that we gave the auditors a huge chunk of code to inspect, which is why it took a while. Now, we’re going to involve the auditors in the process more deeply and iteratively. This will help them check faster, and reduce the load on us, too.

Q3: What is OmiseGO doing to discourage entities from forking the network and creating a new coin, similar to what Binance did with Cosmos and the Atom coin?

Vansa: Based on my understanding, Binance didn’t exactly fork Cosmos and Atom. What they did was take Tendermint and build a bunch of tooling and functionality on top, alongside a proprietary exchange feature that allows you to trade on Binance. Not forking the main chain is a smart move not only because it’s expensive to maintain, but because you lose the community. Coming from an open-source background, Kasima, you understand how important community is in terms of developing source code.

Kasima: Absolutely, for example if you fork our network, you lose some upstream contributions from us and the burgeoning community around us. We are here to build a public service with source code that’s available for use, but from a business perspective, it takes a lot of operational cost to run it. There are resources like people, infrastructure, and more to consider. So we hope we build something that’s valuable enough for people to use rather than having them fork it and run off with it.

Vansa: In terms of business ventures, we’ve been building the network and now have all the historical knowledge when it comes to research and development decisions. Knowing these things will help us make better future decisions. As Kasima said, we’re building an open public network, however, in the early days we need to usher it along. We have both operational and business challenges to overcome. It’s not just grabbing a coffee and coding to come up with a full-functioning financial ecosystem, there are a lot of partnerships and business deals that need to happen. We also need to look at pieces that support this ecosystem. To paraphrase what Kasima always says, code doesn’t equal product and product doesn’t equal business.