Quantstamp_RT-Monitor _Progress Report_Q1 2021


Summary

Quantstamp provided a Real-Time Security Monitoring Solution (RT-Monitor) to detect abnormal transactions on the Klaytn blockchain. We customized the analyses to Klaytn's needs, following the advice of the Klaytn team, and built a new way to analyze Klaytn tokens and smart contracts.

RT-Monitor watches for overflow issues (such as those caused by malicious minting or the batchOverflow bug), mint/burn events, and contract owner changes. RT-Monitor has been in production for Klaytn since December 2020, giving Klaytn enhanced security monitoring. The Klaytn ecosystem and its users benefit from our experience as researchers, software engineers, and security auditors: the processes and models that Quantstamp has found to work best for real-time monitoring and other security measures have been implemented in the Klaytn real-time security monitoring solution.

This progress report summarizes the major maintenance and support activities during the first quarter of 2021.

Project Milestones and Schedule

N/A

Key Deliverables

Status Update

Monitored Tokens: 21

ABL, att, BFCK, BPT, CLBK, COSM, DTA, ISR, KSP, KDAI, MNR, KETH, KORC, KUSDT, KWBTC, PXL, WIKEN, SSX, TEMCO, KUSD, SKLAY

Maintenance & Support:

  • The Klaytn Monitoring dashboard responded slowly. [Resolved] The Quantstamp team found that the cause was the very large number of alerts being loaded at the top of the page. We fixed it by limiting how many alerts the front-end loads: since alerts are sorted chronologically, the page now loads only N alerts and populates further ones only when loaded ones are dismissed.

  • There was feedback that the website and the mobile website performed slowly.

[Resolved] An older cached version was being served. We asked the Klaytn team to hard refresh and clear the cache (a hard refresh is holding the Control/Command key while clicking refresh).

  • The monitoring system appeared not to be checking recent blocks, and it also showed failures when checking some contracts.

[Resolved] The API limit on our KAS (Klaytn API Service) account had been changed from 100K to 10K requests per day, so the monitor ran out of quota before it reached all blocks and contracts. We fixed it by purchasing the KAS 'Starter' plan for one year, which sets the limit to 100K per day.

  • Quantstamp changed the logos to each token's own logo. The selected token is highlighted and the rest are greyed out.

  • Checks failed for some contracts

[Resolved] Quantstamp team analysis: “These appear to be related to supply changes as noted in the event history table on the right side of the page, however, there is unlikely to be an issue with the monitored contracts. Since the monitoring service cannot distinguish between honest and malicious mints/burns, our service takes the safe approach of reporting all supply changes. For these types of contracts where mints/burns are expected and frequent behavior (such as KETH), we can disable the supply detector if the Klaytn team prefers. This will eliminate most of the false positives."

Klaytn team response: “Tokens like KDAI, KETH, KORC, KUSDT, and KWBTC are wrapped versions of DAI, ETH, ORC, USDT, and WBTC (i.e., they are minted on Klaytn when Ethereum’s tokens are transferred to Klaytn), so they are minted and burned frequently by transferring them between Klaytn and Ethereum. And, SKLAY is minted by staking KLAY on https://klaystation.io/, so its behavior of supply changes is normal.

Thus, I suggest disabling the supply detector for KDAI, KETH, KORC, KUSDT, and KWBTC."

Following the Klaytn team's guidance, Quantstamp disabled the supply detector for the above-requested contracts.

  • Checking failures for BPT

[Analysis reported] The Quantstamp team looked further into the BPT token here: Klaytnscope. We are not entirely sure what the token is intended for, but there is a very strange function that allows any user to mint any number of tokens. In the contract source at the above link, on L592 we have:

```solidity
// No access control and no Transfer event: any caller credits itself _value tokens.
function addTotalSupply(uint256 _value) public {
    _balances[msg.sender] = _balances[msg.sender].add(_value);
    _totalSupply = _totalSupply.add(_value);
}
```

For example, any user could invoke the function right now and add an arbitrary number of tokens to their own balance (anything up to the uint256 maximum). This is likely a critical issue in the code.

⇒ The Klaytn team informed Quantstamp that the team will report this issue to the BlockPet project.
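The two findings above (routine mint/burn reporting that should be switchable per token, and a function that changes totalSupply without emitting any event) can be covered by one per-block detector. The following is an added example written for this report, not RT-Monitor's own code. It assumes, which the report does not state, that a monitor can read each token's totalSupply() and owner() once per block and receive the KIP-7/ERC-20 Transfer events of that block; here those reads are replaced by constructed Snapshot objects with fake addresses so it runs offline. The class and function names (SupplyMonitor, Snapshot, demo) are hypothetical.

```python
"""Per-block supply and ownership detector (added illustration, not RT-Monitor code).

Assumption: the monitor sees totalSupply() and owner() per block plus the
block's Transfer events. Constructed snapshots stand in for node reads.
"""
from dataclasses import dataclass
from typing import Dict, List

ZERO = "0x0000000000000000000000000000000000000000"


@dataclass
class Transfer:
    token: str
    sender: str  # the event's "from" field ("from" is a Python keyword)
    to: str
    value: int


@dataclass
class Snapshot:
    block: int
    total_supply: Dict[str, int]  # token -> totalSupply() at this block
    owner: Dict[str, str]         # token -> owner() at this block
    transfers: List[Transfer]     # Transfer events emitted in this block


@dataclass
class Alert:
    block: int
    token: str
    kind: str
    detail: str


class SupplyMonitor:
    """Hypothetical detector: compares consecutive snapshots per token."""

    def __init__(self, tokens, supply_detector_disabled=()):
        self.tokens = list(tokens)
        # Per-token switch, as the Klaytn team requested for wrapped assets.
        self.disabled = set(supply_detector_disabled)
        self.prev = None

    def check(self, snap: Snapshot) -> List[Alert]:
        alerts: List[Alert] = []
        if self.prev is not None:
            for token in self.tokens:
                alerts += self._check_supply(token, snap)
                alerts += self._check_owner(token, snap)
        self.prev = snap
        return alerts

    def _check_supply(self, token: str, snap: Snapshot) -> List[Alert]:
        delta = snap.total_supply[token] - self.prev.total_supply[token]
        minted = sum(t.value for t in snap.transfers
                     if t.token == token and t.sender == ZERO)
        burned = sum(t.value for t in snap.transfers
                     if t.token == token and t.to == ZERO)
        # totalSupply moved without Transfer events that account for it. An
        # addTotalSupply-style function produces exactly this, so it is
        # reported even where routine mint/burn reporting is switched off.
        if delta != minted - burned:
            return [Alert(snap.block, token, "unexplained-supply-change",
                          f"totalSupply changed by {delta} but mint/burn "
                          f"events account for {minted - burned}")]
        # Ordinary, event-backed mint or burn: expected for wrapped tokens,
        # so only reported where the supply detector is enabled.
        if (minted or burned) and token not in self.disabled:
            return [Alert(snap.block, token, "supply-change",
                          f"minted {minted}, burned {burned}")]
        return []

    def _check_owner(self, token: str, snap: Snapshot) -> List[Alert]:
        old, new = self.prev.owner.get(token), snap.owner.get(token)
        if old != new:
            return [Alert(snap.block, token, "owner-change", f"{old} -> {new}")]
        return []


def demo() -> List[Alert]:
    """Run the detector over three constructed blocks (addresses are fake)."""
    alice, bob = "0xa11ce", "0xb0b"
    mon = SupplyMonitor(["KETH", "BPT"], supply_detector_disabled={"KETH"})
    blocks = [
        Snapshot(100, {"KETH": 1000, "BPT": 5000},
                 {"KETH": alice, "BPT": alice}, []),
        # Bridge mint of KETH with a proper Transfer(0x0 -> bob) event (silent,
        # detector disabled) and an event-backed BPT burn (reported).
        Snapshot(101, {"KETH": 1100, "BPT": 4950},
                 {"KETH": alice, "BPT": alice},
                 [Transfer("KETH", ZERO, bob, 100),
                  Transfer("BPT", bob, ZERO, 50)]),
        # BPT totalSupply jumps by 2**255 with no Transfer event, as a call to
        # addTotalSupply would do, and the BPT owner changes.
        Snapshot(102, {"KETH": 1100, "BPT": 4950 + 2**255},
                 {"KETH": alice, "BPT": bob}, []),
    ]
    alerts: List[Alert] = []
    for snap in blocks:
        alerts += mon.check(snap)
    return alerts


if __name__ == "__main__":
    for a in demo():
        print(f"block {a.block} {a.token} {a.kind}: {a.detail}")
```

The point of splitting "supply-change" from "unexplained-supply-change" is that a monitor built only on Transfer events from address(0) would never see the BPT case, because addTotalSupply emits nothing; polling totalSupply() and reconciling it against the events is what catches silent minting, and that check should stay on even for tokens whose routine mint/burn alerts are muted. On the contract side, the usual remedy is to restrict such a function to an authorized minter and emit Transfer(address(0), msg.sender, _value), as the KIP-7/ERC-20 convention expects.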

Budget

  • Q1 2021 Licensing Fee: 30,000 USD

Hi, thanks for your update. I am just a stranger.

  1. I still see event alarms for SKLAY being minted on the monitoring website.

  2. In the future, more tokens will be added other than “KDAI, KETH, KORC, KUSDT, and KWBTC”.
    I think the end user should be able to specify which tokens are to be monitored. That is better than writing hard-coded rules, for better UX and easier maintenance.

Thanks


@Prop_Quantstamp_KH
We would like to inform you that the review of the progress report was completed successfully without any rejection from GC members. The disbursement will be implemented tomorrow if there is no unexpected situation. We will inform you again after the transfer.

@Prop_Quantstamp_KH
The 3rd tranche disbursement of the project was completed on 14 April 2021. Please confirm your receipt of the committed amount of KLAY through a reply to this post.

Yes, we received the payment. Thank you very much!