Case Study: Melonport

Melonport quote 1(1).jpg

Investing someone else’s money isn’t as easy as it looks. But Mona El Isa was good at it.

After 8 years with Goldman Sachs Group Inc. and a stint with Jabre Capital Partners in Zurich, a global asset manager, the driven Englishwoman felt ready in 2014 to run her own hedge fund.

Instead, she ran into a wall of paperwork, costs, and administrative inefficiencies. The result of that experience would be to join forces with early blockchain developer Reto Trinkler and map out an open-source software to solve the problem, and to ensure that software was secure before releasing it to other traders.

They would need Deja vu Security. Deja’s security research and consulting services help organizations have the peace of mind to build and execute applications dealing with highly sensitive information.

How Melon Works

Here’s how it works: Managers choose from a customizable set of smart-contracts on Ethereum, which enable them to set up a technology-operated-and-regulated investment fund (TROIF) which mirrors a traditional one. The difference – automation of rules and processes which bind the manager via smart contract by secure blockchain technology enforcement. Investors thus have the possibility to invest in TROIFs without needing to place their trust in the manager’s promise, regulators, or central parties to ensure the security of their assets. The rules of the fund are transparent for everyone to see.

With Melon, setting up a fund can be done by spending approximately $25 paid to the Ethereum network and in a little under a couple of minutes. This contrasts heavily with the several months and hundreds of thousands of dollars required to set up a traditional fund today. Once a Melon Fund is created, it can only interact with digital (crypto) assets. When receiving crypto assets from investors, the technology automatically calculates the number of new shares to be created in the fund and sends them back to the investors – a process which is painfully slow and expensive traditionally. Melon tokens themselves are used to interact with the protocol and take part in the governance and decision-making of the protocol; it is designed to be a decentralized tool.

Melon screen

While it may sound complicated, right now investment funds are using numerous middle-men such as custodians, fund administrators, auditors, and lawyers to write out rules for funds and ensure that managers abide by them. Generalizing these rules in an open-source, modular fashion could be the first building block of a lower cost, more efficient, transparent, and secure financial system.

melon smart contracts.png

As El Isa sees it, Melon will be the code that operates and regulates the relationship between investors and managers. The protocol tracks asset prices in real time and handles the back-end of risk management and compliance, things that consumed almost all of her time when managing her own small fund.

El Isa hopes to start testing Melonport’s software with real cryptocurrency in Q3 2018. But before that, she knew she would need comprehensive security audits at each step, so clients would trust that solution.

What a Deja vu Security Client Needs

All went well with the initial coding, but before the tool could be publicly released the team needed to know it was secure. El Isa began seeking code auditors, working alongside George Hallam of the Ethereum Foundation. “We were fortunate to have George’s broad contacts and access to a list of auditors which he had previously engaged with whilst at the Ethereum Foundation. George was probably one of a handful of people in the world at the time who had been a part of a team which developed and deployed one of the first and most successful blockchains in the world.”  

The first real test was just trying out different people.

 “I was surprised at how the quality of audits could vary,” she said. “Until you’ve been through an auditing cycle you really don’t know what to ask for.”

El Isa was less pleased with the results of some audits than others and saw this as a big learning experience: “We engaged with auditors who were, frankly, not technical enough in their analysis. Our biggest concern was keeping investors’ funds safe in smart-contracts and identifying precise vulnerabilities on that front so it is imperative for auditors to dive deep into the code.”

“We looked for someone who could challenge our developers on this front.” This led to a phone call in the summer of 2017 with Andrew Spottswood, Director of Client Relations at Deja vu Security in Seattle, Washington. “We took an in-depth look at their code in certain asset classes,” said Spottswood. “It was a protocol review, then an overall review as well as a code review on different subjects.”

Both Melonport and Deja are members of the Ethereum Enterprise Alliance, which held its developers’ conference in Cancun, Mexico in early November, attended by Ethereum chief scientist Vitalik Buterin and other leading cryptocurrency developers. Deja vu Security CEO Adam Cecchetti met with El Isa at the conference, explaining the company’s expertise in smart contracts and Ethereum, then once again going over the scope of the work she wanted. “We finalized our project following that discussion,” he said.

Deja vu Security’s Melon Project

melon x deja

The project was handed over to security consultants Mitchell Harper and Dan Wessling. Harper had specific knowledge of Ethereum and blockchain, while Wessling had eight years of experience working with firmware and low-level hardware. Wessling was excited to be working on a blockchain project: “It’s a little more intense” than other software.

Before going into the code, Harper and Wessling spent weeks learning how to analyze the software and common issues arising in other smart contracts, researching everything they could about Ethereum and the Melon protocol.

Solidity is “a new language, a new environment. Solidity contract developers don’t have line-by-line debuggers. The Integrated Development Environment (IDE) is new and lacked certain features. This made testing of the application very difficult. There aren’t a lot of stable and mature tools.”

The next step was to create a test plan for analyzing the code. “The test plan involves certain attacks on the code we want to look into. It grows as we understand the application.”

About the code: “We were able to run it. We just had trouble trying to analyze its behavior. We would do a static code analysis of what we saw, then do a proof of concept by passing certain values to the function, verifying what might happen.”

Harper wound up writing his own test environment, which made it possible for both consultants to step through the code, line by line, and see the behavior of data going through it. “Then we divide and conquer from that, deciding what code we wanted to look at. We both had separate running testing environments. We weren’t doing the same thing and we found different behaviors.” This made for a more complete test of the code.

The code “was well commented, considering how rapid the development was. It’s also complex,” so the team wrote comments summarizing what should happen with specific functions.

Deja results Melonport.png

In the end, the team did find areas of concern, a half-dozen of which have real impact. Then there were 11 minor problems one might call “yellow lights,” and some general observations, “things we noticed with the logic in the code where we couldn’t find an immediate impact but wanted to document in case they’d overlooked it.”

The work was summarized in a roughly 25-page document. “There were a number of findings, then observations and next steps.” The test plan itself wound up in a separate document.

“We do provide code snippets in our findings and highlight the lines of code that are at issue. We provide the severity, complexity, risk, whether the finding was in design or implementation, the impact, details, and recommendations.” The whole process took about a month, but each week, Deja vu Security sent Melonport preliminary findings.

Good Work Challenges Clients

El Isa was impressed. “You know it’s good work when you’ve got people challenging you in different areas,” she said. “It shows they have done a thorough analysis. These require some thought from you. An audit that doesn’t challenge, doesn’t provide value.”

Getting Melonport to market requires more than writing code on smart contracts and a few audits. The Melonport team is now building a governance layer, and will then test the code in Q3 2018, with real assets.

“This technology is all still very young. Even when we are ready to deploy live on main-net with real economic value at stake, I would emphasize all of this is still very new and experimental. The lessons of the last two years have shown us that it can take many months of testing in a real environment to uncover vulnerabilities –even with numerous audits – so we hope users adopt the technology sensibly over time and perform their own audits to strengthen the overall ecosystem.”

Deja vu Security, too, is aware that blockchain’s evolution is just beginning, which is why it’s so vital to get the initial coding right. Future contracts will be built on this code, just as apps are written on operating systems. Cryptocurrencies and virtual coins, which are getting most of the industry hype, are just one part of a broader change.

“Businesses will continue to find new uses for blockchain in new and exciting ways. It will help improve verification of individual identities, assist in multi-bank check processing, and help manufacturers track supply chains.”

“The hype is above where we are in the technology, and we have to scale very slowly, since we’re talking about real economic value at stake.”

Deja vu Security, however, helps make a secure future possible.