v1 readiness audit
Date: 2026-04-26
Audited tree: dev/main at cef0081
Supersedes: prior audit (2026-04-24)
Headline verdict
BLOCKED for Base-mainnet v1 ship today, but the gap shrank since the prior audit.
Substrate stability is now triple-confirmed (60-min sustained baseline + chaos + audit-fix-cycle re-verification). The known critical security finding (SECURITY-1 sibling, payload-context spoofing in evaluate_policy) is now fully closed fail-loud. Bridge code is launch-ready. What remains is operational + capital: register Base domain on validators, execute Sepolia drills, deploy mainnet contracts, fund pool, record external trade.
What changed since the prior audit
Substrate (already closed, further hardened)
- HETZNER-1 publicly closed via 60-min sustained baseline. Chain advanced +6,999 blocks at ~2 blocks/sec, perfect handshake parity, all 3 validators in lockstep.
- Live testnet still running at audit time, sync_phase=live, peer_count=2/2, operational_state=healthy. Current chain head is shown live on the home page and updates every 3 seconds.
Audit cycle
- A parallel pre-launch audit pass surfaced ~51 findings across 7 domains (cross-cutting bug+auth+security, net layer, contract auth, bridge, dependencies, performance, test coverage).
- ~48 production fixes + 10 regression tests merged.
- SECURITY-1 sibling fully closed fail-loud.
evaluate_policynow rejects payload-supplied caller / height / signatures / count / amount / recipient / memo / cached state facts that conflict with the verified envelope. - Bridge launch enablers closed. Python
generate-withdrawal-msg.pysigns with real prover private keys (no longer treats public keys as Ed25519 seeds); rotation drill digest tuple matches SolidityRotateProverKeys; drill 1/3/4/5 runbooks updated. - Net layer hardening. Unauthenticated
/sync/resetgated; P2P GetEpochSnapshot / GetBlockRange throttled. - Perf optimizations. Engine-tick
ChainStoremutex narrowed; observability writes deduped. - Verified test floor: 7,341 passed + 1 ignored / 0 failed at
51bc3f1f(interface 6,482 + scc-tui 843 + foundry 16). +42 net vs the prior 7,299 floor at80e5a51, the delta is regression coverage added for the V1/V2/V3/V1.1 wallet UX shipments.
Per-goal progress (deltas vs prior audit only)
Scores are adjusted only where a code/test/evidence delta justifies it.
| Goal | Prior | Post-audit | Δ | Basis |
|---|---|---|---|---|
| 1. MEV / private orderflow | ~91% | ~91% | No delta. | |
| 2. User errors / transfer safety | ~91% | ~91% | No delta. | |
| 3. Scams / phishing | ~89% | ~89% | No delta. | |
| 4. Bridge / cross-chain risk | ~95% | ~97% | +2 | Bridge launch-blocker closures (Python codec, rotation digest, drill runbooks). |
| 5. Finality / reorg risk | ~89% | ~90% | +1 | 60-min sustained baseline beyond the prior 15-min. |
| 6. Fee predictability | ~93% | ~93% | No delta. | |
| 7. Privacy / disclosure | ~91% | ~91% | No delta. | |
| 8. Key management / recovery | ~88% | ~88% | No delta. | |
| 9. Smart contracts / execution safety | ~90% | ~93% | +3 | SECURITY-1 sibling closed fail-loud across 8 spoofing axes. |
| 10. Governance | ~93% | ~93% | No delta. | |
| 11. Sybil / QoS | ~91% | ~92% | +1 | Throttle + auth gate added. |
| 12. Fragmentation / intent routing | ~86% | ~86% | Out of v1 scope. |
Updated simple average: ~92% (vs the prior ~91-92%). Modest tick up; the audit cycle was security/quality, not feature work.
Pre-mainnet checklist
| Item | Status |
|---|---|
| Scope locked | ✅ Done |
| Bridge strategy chosen | ✅ Done |
| Syntarie bridge hardening | ✅ Strengthened (runbook updates) |
| Base Solidity contracts + tests | ✅ Strengthened (Foundry codec/quorum tests) |
| Base Sepolia deploy + verification | ✅ Done |
| Emergency pause drill on Sepolia | ✅ Done |
| Full-suite re-verify | ✅ Done 2026-04-26 (7,341 passed at 51bc3f1f, +42 from 7,299 at 80e5a51) |
| Register Base domain on all validators | ⏳ Pending, operational only |
| Execute Sepolia drills 1 / 3 / 4 / 5 | ⏳ Pending, runbooks corrected |
| Complete end-to-end round-trip | ⏳ Pending, Python prover now signs correctly |
| Generate production prover keys + custody | ⏳ Pending |
| Deploy real Base controller multisig | ⏳ Pending |
| Mainnet dry-run without broadcast | ⏳ Pending |
| Mainnet deploy + BaseScan verify | ⏳ Pending |
| Fund seed-liquidity wallet | ⏳ Pending (capital) |
| Create pool + mint liquidity | ⏳ Pending (capital) |
| Record one external-address trade | ⏳ Pending (capital) |
Residual risks
| Risk | Status | Note |
|---|---|---|
| Chain stability unverified | ✅ Resolved + reinforced | 60-min baseline beyond the prior 15-min |
| Store corruption / restart chaos | ✅ Resolved | (unchanged) |
| Bridge Solidity quality | ⚠️ Improved | 2 new Foundry tests; external review still optional |
| Trusted-prover quorum on validators | ⚠️ Open, runbook-ready | Drill runbook + Python codec fixes remove silent-failure modes; operator execution required |
| SECURITY-1 sibling silent-spoof | ✅ Resolved | Fail-loud rejection + regression tests |
Capital-gated remainders
- Mainnet deployment gated on fresh deployer + real controller multisig + 5 production prover keys + paused-owner handoff.
- Pool launch gated on approved wSCC + USDC balances + explicit authorization to open value flow.
- Capital plan still expects $20–50k committed liquidity, optional $10–30k bridge review, optional $10–30k legal memo.
- External-address trade proof requires mainnet deploy + pool creation first.
- Operator-SSH steps (3-node health check, domain registration, 4 Sepolia drills, evidence capture), not capital-gated but ~1–2 focused operator days.
Ship decision
- Can we ship v1 to Base mainnet today? No. The substrate is rock-solid, the security finding is closed, the bridge code is launch-ready, but no operator drills have run since the runbook updates landed, no mainnet deploy artifacts exist, no pool exists, no external trade.
- Estimated time to true green light: ~1 focused week. Two days for operator-SSH labor (domain registration + 4 Sepolia drills + 1 round-trip + evidence capture). Two days for mainnet deploy (paused) + verification + multisig handoff. One day for pool deploy + first trade. Subject to capital being ready.
- What changed in posture: at the prior audit the bridge code was "ready in theory but had specific broken pieces." Today the bridge code is "ready in practice, execute the runbook." The block has shifted from code to operational labor + capital.
- Whiteboard summary: substrate is real, the chain advances, the security closure is fail-loud, the bridge speaks the same language on Rust + Solidity + Python, the test floor is the highest ever (7,341, see live height on the home page). The remaining gap: someone needs to push the buttons + spend the dollars.