v1 readiness audit
Date: 2026-04-26
Audit author: Sentinel (Claude Code, post-Codex sunset)
Audited tree: dev/main at cef0081
Supersedes: LORE-2 (2026-04-24)
Headline verdict
BLOCKED for Base-mainnet v1 ship today — but the gap shrank since LORE-2.
Substrate stability is now triple-confirmed (60-min sustained baseline + chaos + audit-fix-cycle re-verification). The known critical security finding (SECURITY-1 sibling — payload-context spoofing in evaluate_policy) is now fully closed fail-loud. Bridge code is launch-ready. What remains is operational + capital: register Base domain on validators, execute Sepolia drills, deploy mainnet contracts, fund pool, record external trade.
What changed since LORE-2
Substrate (already closed, further hardened)
- HETZNER-1 publicly closed via 60-min sustained baseline. Chain advanced +6,999 blocks at ~2 blocks/sec, perfect handshake parity, all 3 validators in lockstep.
- Live testnet still running same commit at audit time — height 154,000+, sync_phase=live, peer_count=2/2, operational_state=healthy.
Audit cycle (NEW since LORE-2)
- 7 Codex audit agents (Argus, Specter, Vault, Bastion, Tariff, Tempo, Crucible) ran a parallel pre-sunset audit pass.
- ~51 findings produced; ~48 production fixes + 10 regression tests merged.
- SECURITY-1 sibling fully closed fail-loud (Vault round 2). evaluate_policy now rejects payload-supplied caller / height / signatures / count / amount / recipient / memo / cached state facts that conflict with the verified envelope.
- Bridge launch enablers closed (Bastion). Python generate-withdrawal-msg.py signs with real prover private keys (no longer treats public keys as Ed25519 seeds); rotation drill digest tuple matches Solidity RotateProverKeys; drill 1/3/4/5 runbooks updated.
- Net layer hardening (Specter). Unauthenticated /sync/reset gated; P2P GetEpochSnapshot / GetBlockRange throttled.
- Perf optimizations (Tempo). Engine-tick ChainStore mutex narrowed; observability writes deduped.
- Verified test floor: 7,299 passed + 1 ignored / 0 failed at 80e5a51 (interface 6,482 + scc-tui 801 + foundry 16). +27 net vs prior floor.
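The fail-loud rule described for evaluate_policy above, as an added Rust sketch that is not taken from the Syntarie code base: a payload may omit or exactly repeat a verified context fact, but a conflicting value aborts evaluation instead of being ignored. The struct, field names, error type and amount-limit rule are assumptions, and only four of the listed axes are modelled.

```rust
// Added illustration: every type, field name and the limit rule is hypothetical.
use std::collections::BTreeMap;

type Payload = BTreeMap<String, String>;

/// Facts established by verification (signatures, consensus), never by the payload.
pub struct VerifiedEnvelope {
    pub caller: String,
    pub height: u64,
    pub amount: u128,
    pub recipient: String,
}

#[derive(Debug, PartialEq)]
pub enum PolicyError {
    /// The payload asserted a context fact that contradicts the envelope.
    ContextConflict { field: &'static str, claimed: String, verified: String },
}

/// Compare each payload-supplied context field with the verified value.
/// Comparison is on the canonical string form, so "0100" conflicts with 100.
pub fn check_payload_context(env: &VerifiedEnvelope, payload: &Payload) -> Result<(), PolicyError> {
    let verified: Vec<(&'static str, String)> = vec![
        ("caller", env.caller.clone()),
        ("height", env.height.to_string()),
        ("amount", env.amount.to_string()),
        ("recipient", env.recipient.clone()),
    ];
    for (field, truth) in verified {
        match payload.get(field) {
            Some(claimed) if *claimed != truth => {
                let claimed = claimed.clone();
                return Err(PolicyError::ContextConflict { field, claimed, verified: truth });
            }
            _ => {} // absent, or identical to the verified value
        }
    }
    Ok(())
}

/// Hypothetical policy: allow amounts up to `limit`, decided on envelope values only.
pub fn evaluate_policy_sketch(env: &VerifiedEnvelope, payload: &Payload, limit: u128) -> Result<bool, PolicyError> {
    check_payload_context(env, payload)?;
    Ok(env.amount <= limit)
}

fn main() {
    // Constructed sample: the payload claims a caller the envelope did not verify.
    let env = VerifiedEnvelope { caller: "alice".into(), height: 154_000, amount: 100, recipient: "bob".into() };
    let mut spoofed = Payload::new();
    spoofed.insert("caller".to_string(), "mallory".to_string());
    println!("{:?}", evaluate_policy_sketch(&env, &spoofed, 500));
}
```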
Roster
- Codex sunsetted 2026-04-25. All Codex agents retired.
- Fenrir (Claude Code) is the new test authority; replaces Patch.
Per-goal progress (deltas vs LORE-2 only)
Sentinel only adjusts a goal's score where a code/test/evidence delta justifies it.
| Goal | LORE-2 | Post-audit | Δ | Basis |
|---|---|---|---|---|
| 1. MEV / private orderflow | ~91% | ~91% | — | No delta. |
| 2. User errors / transfer safety | ~91% | ~91% | — | No delta. |
| 3. Scams / phishing | ~89% | ~89% | — | No delta. |
| 4. Bridge / cross-chain risk | ~95% | ~97% | +2 | Bastion launch-blocker closures (Python codec, rotation digest, drill runbooks). |
| 5. Finality / reorg risk | ~89% | ~90% | +1 | 60-min sustained baseline beyond LORE-2's 15-min. |
| 6. Fee predictability | ~93% | ~93% | — | No delta. |
| 7. Privacy / disclosure | ~91% | ~91% | — | No delta. |
| 8. Key management / recovery | ~88% | ~88% | — | No delta. |
| 9. Smart contracts / execution safety | ~90% | ~93% | +3 | SECURITY-1 sibling closed fail-loud across 8 spoofing axes. |
| 10. Governance | ~93% | ~93% | — | No delta. |
| 11. Sybil / QoS | ~91% | ~92% | +1 | Specter throttle + auth gate. |
| 12. Fragmentation / intent routing | ~86% | ~86% | — | Out of v1 scope. |
Updated simple average: ~92% (vs LORE-2's ~91-92%). Modest tick up; the audit cycle was security/quality not feature work.
Pre-mainnet checklist
| Item | Status |
|---|---|
| Scope locked | ✅ Done |
| Bridge strategy chosen | ✅ Done |
| Syntarie bridge hardening | ✅ Strengthened (Bastion runbook updates) |
| Base Solidity contracts + tests | ✅ Strengthened (Crucible Foundry codec/quorum tests) |
| Base Sepolia deploy + verification | ✅ Done |
| Emergency pause drill on Sepolia | ✅ Done |
| Patch full-suite re-verify | ✅ Done by Fenrir 2026-04-26 (7,299 passed at 80e5a51) |
| Register Base domain on all validators | ⏳ Pending — operational only |
| Execute Sepolia drills 1 / 3 / 4 / 5 | ⏳ Pending — runbooks corrected by Bastion |
| Complete end-to-end round-trip | ⏳ Pending — Python prover now signs correctly |
| Generate production prover keys + custody | ⏳ Pending |
| Deploy real Base controller multisig | ⏳ Pending |
| Mainnet dry-run without broadcast | ⏳ Pending |
| Mainnet deploy + BaseScan verify | ⏳ Pending |
| Fund seed-liquidity wallet | ⏳ Pending (capital) |
| Create pool + mint liquidity | ⏳ Pending (capital) |
| Record one external-address trade | ⏳ Pending (capital) |
Residual risks
| Risk | Status | Note |
|---|---|---|
| Chain stability unverified | ✅ Resolved + reinforced | 60-min baseline beyond LORE-2's 15-min |
| Store corruption / restart chaos | ✅ Resolved | (unchanged) |
| Bridge Solidity quality | ⚠️ Improved | 2 new Foundry tests; external review still optional |
| Trusted-prover quorum on validators | ⚠️ Open, runbook-ready | Bastion's drill runbook + Python codec fixes remove silent-failure modes; operator execution required |
| SECURITY-1 sibling silent-spoof | ✅ Resolved | Vault round 2 fail-loud rejection + Crucible regression tests |
Capital-gated remainders
- Mainnet deployment gated on fresh deployer + real controller multisig + 5 production prover keys + paused-owner handoff.
- Pool launch gated on approved wSCC + USDC balances + explicit authorization to open value flow.
- Capital plan still expects $20–50k committed liquidity, optional $10–30k bridge review, optional $10–30k legal memo.
- External-address trade proof requires mainnet deploy + pool creation first.
- Operator-SSH steps (3-node health check, domain registration, 4 Sepolia drills, evidence capture) — not capital-gated but ~1–2 focused operator days.
Ship decision
- Can we ship v1 to Base mainnet today? No. The substrate is rock-solid, the security finding is closed, the bridge code is launch-ready — but no operator drills have run since the runbook updates landed, no mainnet deploy artifacts exist, no pool exists, no external trade.
- Estimated time to true green light: ~1 focused week. Two days for operator-SSH labor (domain registration + 4 Sepolia drills + 1 round-trip + evidence capture). Two days for mainnet deploy (paused) + verification + multisig handoff. One day for pool deploy + first trade. Subject to capital being ready.
- What changed in posture: at LORE-2 the bridge code was "ready in theory but had specific broken pieces." Today the bridge code is "ready in practice — execute the runbook." The block has shifted from code to operational labor + capital.
- Whiteboard summary: substrate is real, the chain advances, the security closure is fail-loud, the bridge speaks the same language on Rust + Solidity + Python, the test floor is the highest ever (7,299). The remaining gap: someone needs to push the buttons + spend the dollars.
Source: docs/audits/integration-v1-readiness-post-audit-fix-sprint-2026-04-26.md in the Syntarie source repo.