The Tellor Oracle: How the Staked Proof-of-Work Oracle leveraged Formal Verification

CertiK | Aug 12, 2019

Article's Poster

CertiK is proud to have successfully completed the official audit of Tellor in coordination with their Mainnet release earlier this month.

Using a variety of intensive auditing techniques, including our industry-leading Formal Verification process, we’re proud to highlight Tellor as a more secure, safe, and protected environment.

The Tellor Oracle is a decentralized, secure, and simple alternative for off-chain data created to provide the infrastructure for decentralized applications to bridge the gap between off-chain data and on-chain needs.

As the Blockchain world allows anonymous parties to enter into binding digital agreements or smart contracts, clarity and security become paramount — especially if a smart contract relies on off-chain data to evaluate or execute a function.

The current landscape doesn’t allow for an elegant solution at scale, instead of forcing programs to rely on manual data feeding, a centralized or trusted “Proof-of-Authority” consensus or a “Proof-of-Stake” mechanism.

These existing methods have been suboptimal and inefficient. For smart contracts to bring true utility, off-chain data is necessary — and that requires a new solution.

Tellor provides it.

Tellor solves for the above by creating a Staked Proof-Of-Work(PoW) consensus mechanism where parties can request the value of an API call and miners compete to add this value. Those values are then put into an on-chain data bank, accessible by all Ethereum smart contracts.

This solution is efficient, balanced, and clear for the larger environment, especially as current smart contracts on Ethereum are fully self-contained.

In contrast, the “Tellor Oracle” allows for trustless access to off-chain information to ensure an honest input of data to the oracle. This process helps build a decentralized finance sector with an elegant, and secure oracle solution for high-value data for truly decentralized applications.

By streamlining the Oracle system, Tellor has built an ambitious project for a safer, more elegant blockchain world at-scale.

What We Did

CertiK gave the final audit review for Tellor’s project, identifying and solving the most difficult-to-detect errors before launch.

The Tellor team has demonstrated their professional and knowledgeable understanding of the project by having:

  1. A production-ready repository with high-quality source code
  2. Unit tests covering the majority of its business scenarios
  3. Accessible, clean, and accurate readme documents for intentions, functionalities, and responsibilities of the smart contracts.

By utilizing our unique Formal Verification technology, CertiK was able to identify undetected vulnerabilities in Tellor’s system, providing a more thorough security sweep and offering robust suggestions.

Unlike other security companies, CertiK utilizes Formal Verification to conduct a multi-pronged approach that results in a full, holistic, and comprehensive security audit.

The auditing process paid special attention to the following:

  • Testing smart contracts against both common and uncommon attack vectors.
  • Assessment of the codebase for best practice and industry standards.
  • Ensuring contract logic meets the specifications and intentions of the client.
  • Cross-referencing contract structure and implementation against similar smart contracts produced by industry leaders.
  • Thorough line-by-line manual review of the entire codebase by cybersecurity experts.

Below are a few of the key results and solutions presented by the CertiK team and implemented by the Tellor team before final deployment.

  1. CertiK suggested a major structural refactoring to solve a gas limitation issue to provide smoother and safer transactions. This structuring will not just make gas use safer, but it will allow increased efficiency for the Tellor product.
  2. CertiK found a potential overflow issue that other auditing had missed, allowing Tellor to prevent a security issue before launch. By catching this overflow issue before launch, CertiK was able to not only prevent a possible breach but to strengthen internal code to render such breaches impossible.
  3. CertiK suggested improvements for ownership transfer to allow for even safer transferring between users. By securing ownership transfer, CertiK was able to help Tellor guarantee the safety and ease of funds.
  4. CertiK worked with Tellor to improve overall code quality on and off security-related issues to enhance their already strong product. By solidifying code quality at the start, CertiK helped position Tellor for easier flow and maintenance.

Why This Matters

By working with CertiK before launch, Tellor was able to go deeper than previously possible, enabling them to launch with deep and earned confidence.

With a proactive approach to security, Tellor was able to harden their security at the earliest stages, enabling a safer base for future expansion and growth.

“Security is a requisite to a functioning decentralized network, especially in DeFi applications, where there is a lot of money riding on data points. We knew we had to find a team up to the task of ensuring our code was sound, and CertiK had our confidence” — Nick Fett, Chief Technology Officer at Tellor.

Overall, the team found the Tellor code to follow best practices. With the delivery of the audit report, CertiK concluded that the contract is not vulnerable to any classically known anti-patterns or security issues.

With this audit, CertiK can certify that Tellor passed our audit with a successful and secure product.

CertiK would like to congratulate the Tellor team for passing the rigorous verification process and wishes them luck on their project at large.

About CertiK

CertiK is a blockchain and smart contract verification platform founded by top Formal Verification experts from Yale and Columbia University. Incubated by Binance Labs, Certik has strategic partnerships with the world’s leading crypto exchanges such as Binance, OKEx, and Huobi, as well as protocols such as NEO, ICON, and QuarkChain.

CertiK’s formal verification method works differently than traditional testing approaches: rather than working manually, CertiK mathematically proves blockchain ecosystem and smart contracts are hacker-resistant and bug-free at scale. CertiK has secured over $4B in asset value, auditing several projects across all major protocols, including BNB, Terra, Crypto.com, and TUSD.

To request the audit/verification of your smart contracts, please email audit@certik.org or visit certik.org to submit the request.

Twitter: https://twitter.com/certikorg

Reddit: https://www.reddit.com/r/CertiKOrg/

Telegram: https://t.me/certikorg

LinkedIn: https://www.linkedin.com/company/certik