Startup of the week: Sub7
Updated: Dec 5, 2022
The Startup Club Manager Tomas Marty presents his latest venture: Sub7, a boutique Web3 security firm offering a new paradigm in security services.
The company seeks to provide its customers with an alternative to traditional service models, so that they get more value out of their requirements and needs.
We sat down with Tomas to learn more about Sub7 and security issues companies are facing in Web3.
First of all, what is a Web3 security audit about? A smart contract audit is the process wherein an auditor reviews the code of a crypto or blockchain project – among other things – for security issues, bugs, and errors that could expose the system or its users. A smart contract audit allows projects to address vulnerabilities in their code, including critical ones that, when exploited, can result in a large volume of assets being lost. Smart contract security audits are conducted using a set of standards and procedures. The audit process depends on the scope and size of the project. Generally, an auditor or team of auditors will follow a few standard steps:
The team will assess the project’s documentation to get a better understanding of the project and its intended use cases, architecture, and design. Collaboration between the auditor’s team and the project team is essential so that auditors gain a complete understanding of the contract functions and an explanation of how the contracts should work together.
Check the project’s code against the standard list of vulnerabilities. Auditors launch a set of typical attacks against the project to see whether any of them could succeed. After this, the severity of each vulnerability is determined and the project can see whether there are any immediate points of concern that need to be addressed.
The audit team then conducts different kinds of tests to pinpoint bugs and errors in the code. These tests range from unit testing – targeted at certain functions – to integration testing, which is broader in scope and in the volume of code covered. Usually, both automated and manual testing are used to check a project. If the audit team sees a large number of failed tests, a temporary pause might be suggested if significant changes need to be made to the code base. Automated testing is conducted using special software to identify inputs and outputs of financial assets in the project. These tools make it easier for the team to monitor what happens inside the project and to locate common hurdles. Some of the tools auditors generally use are Manticore, Solium, SmartCheck, and others. By letting software handle the easy, monotonous tests, auditors can focus on more complex problems. Manual testing is conducted where automated tools can no longer interpret the developer’s intentions. A quality auditing team will take in all of the specifications and then determine whether everything is working as intended. Upon detecting a bug, they will notify the development team and provide recommendations on how to fix the issue. The primary focus of manual review is to verify the security issues that pose the biggest threat to the long-term operation of the smart contracts.
When the audit is complete, the auditing team provides a detailed report specifying all the checks that have been performed and the findings thereof. Collaboration with the development team can also be done so that they understand all detected issues and recommended patching approaches.
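As an added illustration of the "check the code against a standard list of vulnerabilities" and automated-testing steps described above (example code, not from the article or from Sub7): a small Python heuristic that flags functions making an external call before a storage write, the ordering behind classic reentrancy findings. The two contract sources are constructed samples, and the regexes are a deliberately simple stand-in for what tools such as Manticore or SmartCheck do properly.

```python
import re

# Constructed sample contracts (not from the article): the same withdraw()
# written call-before-update (reentrancy-prone) and update-before-call (fixed).
VULNERABLE_SRC = """
contract Vault {
    mapping(address => uint256) public balances;
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0;
    }
}
"""
FIXED_SRC = """
contract Vault {
    mapping(address => uint256) public balances;
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
"""
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)[^{;]*\{")
EXTERNAL_CALL_RE = re.compile(r"\.(call|delegatecall|send|transfer)\b")
# assignment to a named (storage) variable, optionally indexed; a local
# declaration such as "uint256 amount = ..." has a type first and does not match
STORAGE_WRITE_RE = re.compile(r"^[A-Za-z_]\w*(\[[^\]]*\])*\s*(=|\+=|-=)(?!=)")

def function_bodies(src):
    """Yield (name, body) pairs using simple brace matching."""
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while depth and i < len(src):
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]

def find_call_before_write(src):
    """Return names of functions that write storage after an external call."""
    flagged = []
    for name, body in function_bodies(src):
        stmts = [s.strip() for s in body.split(";") if s.strip()]
        call_at = next((i for i, s in enumerate(stmts) if EXTERNAL_CALL_RE.search(s)), None)
        if call_at is not None and any(STORAGE_WRITE_RE.match(s) for s in stmts[call_at + 1:]):
            flagged.append(name)
    return flagged
```

Running `find_call_before_write` on the two samples flags `withdraw` in the first and nothing in the second, which is the kind of automated signal an auditor then confirms by manual review.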
The Sub7 story
Founded by a group of IT geeks, security paranoids and crypto degens with years of Web2 experience in top multinational IT firms, Sub7 took the leap into Web3 understanding that there is still a huge gap on the security side that must be closed before this technology can reach mass adoption. Building trust is one of the most important pillars in security, and Sub7 intends to use its vast security and enterprise experience to support these new organisations in their growth.
This idea was conceptualised years ago as Tomas started investing in Web3; the execution came at a later stage. As Tomas built strong ties to many of the major projects and protocols in this space, he began participating frequently in multiple DAOs and holding various advisory, council and core contributor positions. Through their day-to-day duties, the Sub7 founders interact with many new and upcoming projects seeking advice, consulting and/or investment, which gave them the confidence that this was the right time to move forward with the idea.
Sub7 has a vision to become the reliable trusted advisor in the Web3 space, ensuring the success of these new organisations. The company's clients are Web3 / Blockchain / Crypto organisations, protocols and DAOs, seeking security advice during their company's lifecycle.
The most challenging part of entrepreneurship was, and still is, building strong relationships with independent auditors and researchers. The most rewarding part of building this company is the ability to support startups during their early stages of growth and provide the guidance they need to meet their security needs.
Sub7 founders and advisors hold working positions in Yearn, BAYC, ETHLizards, Illuvium, 888 Inner Circle, Bankless DAO, ETHSecurity / ETHStaker, RocketPool, Aelin, REN Protocol, Optimism, Gitcoin, Synthetix and many others. These privileged positions and connections allow Sub7 to be at the forefront of new Web3 projects.