Sentrix Security Audit Summary
Last updated: 2026-04-28 Score: 8.3/10 (per V11 review)
This document summarizes the security audit history of Sentrix Chain. It is intended for:
- External auditors performing diligence
- Listing platforms (CG, CMC, exchanges)
- Researchers reviewing the chain's security posture
- Future contributors picking up the codebase cold
For the full technical detail of any individual round, see SECURITY_AUDIT_V11.md, SECURITY_REPORT.md, PENTEST_RESULTS.md, ATTACK_VECTORS.md.
At a glance
- 11 audit rounds completed (V1 through V11) between January 2026 and April 2026
- 116 findings raised cumulatively
- 78+ findings fixed; remainder are info-level (positive findings) or accepted-as-design
- 0 critical findings outstanding
- 0 fund-loss vulnerabilities identified across all rounds
- 6/6 pentest scenarios passed on live network
- All audits conducted by internal Sentrix Labs / SentrisCloud security team — no external audit firm engaged yet (see External audit posture)
Audit history
- Cumulative through round 10: 94 findings raised, 78 fixed (per
SECURITY_REPORT.md) - Round V11 (2026-04-25): 0 critical / 2 high / 5 medium / 7 low / 8 info-level findings (per
SECURITY_AUDIT_V11.md) - Total cumulative: 116 findings, 78+ fixed (numbers from
SECURITY_REPORT.md+ V11) - 0 critical findings outstanding across all rounds
Per-round breakdown of V1–V10 is aggregated in SECURITY_REPORT.md rather than maintained as separate files. V11 is documented separately because it was a deep code review (39 files, ~6,500 LoC).
V11 highlights (most recent)
The V11 audit covered 39 files / ~6,500 lines of Rust + Solidity code. Reviewer opinion: codebase is "in good shape, not typical for a project this young."
Positive findings (info-level — practices the codebase gets right):
- Zero
unsafeblocks across the Rust codebase - CI-enforced no-panic policy — clippy denies
unwrap,expect,panicin production paths - Checked arithmetic everywhere — no implicit overflow / underflow
- Constant-time API key comparison — prevents timing-side-channel auth bypass
- Argon2id keystore — modern KDF for validator key encryption
- Committed-root protection in trie — prevents state-root manipulation across forks
- Canonical BTreeMap signing payload — deterministic across implementations
- Pubkey → address verified on every tx — no signature forgery via address-spoofing
High findings (resolved):
- H01: Fee burn tracked in two places —
AccountDB::transfer()trackedceil(fee/2)as burned;add_block()creditedfloor(fee/2)to validator. Net math correct, but split logic. Fix: consolidated fee handling. - H02: Block timestamp not deterministic —
SystemTime::now()was called twice (coinbase creation + block creation), could differ. Not exploitable in PoA, but matters across validator restarts. Fix: capture timestamp once, pass to both call sites.
Medium / low findings: see SECURITY_AUDIT_V11.md for the full list with file paths and remediation notes.
Specialized audits
In addition to the 11 numbered rounds, several specialized topical audits have been run:
| Topic | Date | Status |
|---|---|---|
| BFT consensus engine | 2026-04-20 | Reviewed; bugs found + fixed (BFT skip-round, justification-set divergence) |
| EVM integration & gas accounting | 2026-04-22 | Reviewed; reverted-tx state-leak bug fixed (PR #281), gas-cap EIP-7825 alignment fixed (v2.1.46) |
| Dependency supply chain | 2026-04-21 | cargo audit clean; CI runs cargo audit + gitleaks on every PR |
| CI/CD security posture | 2026-04-21 | Reviewed; secret-scanning + signed-commit verification active |
| Validator infrastructure security | 2026-04-21 | Reviewed; SSH-key custody, validator host hardening documented in operator runbooks |
| Tokenomics correctness | 2026-04-25 | Reviewed; supply invariants hold across all forks |
| BFT skip-round root cause | 2026-04-28 | Phase 2 RCA documented in operator runbooks |
Pentest results
Pentest scenarios run against live testnet + mainnet (controlled, with operator awareness):
| Scenario | Outcome |
|---|---|
| RPC Flood (1000 requests) | ✅ Per-IP rate limiter held; chain never stalled |
| Malformed requests (32 cases: invalid JSON, SQLi, XSS, path traversal, etc.) | ✅ 31/32 — proper HTTP error codes; nginx caught one before node |
| Double-spend (same-nonce tx pairs via REST + RPC) | ✅ Auth layer blocked unauthenticated tx submissions before validation |
| TX spam (100 rapid + 5 duplicate-nonce) | ✅ All rejected at auth + rate-limit layer |
| P2P connection flood (120 simultaneous TCP) | ✅ Zero impact on block production or API latency |
| Oversized payloads (1KB → 2MB on RPC + TX endpoints) | ✅ Nginx drops large payloads before reaching node |
6/6 passed. Tested 2026-04-15 against live Foundation validator. Chain advanced from height 140,282 → 140,811 during the run with no missed blocks. Full methodology + raw test output in PENTEST_RESULTS.md.
Score breakdown
Per V11 audit (the most comprehensive code review):
| Category | Score |
|---|---|
| Memory safety | 10/10 (zero unsafe, checked arithmetic) |
| Cryptographic correctness | 9/10 (Argon2id, EIP-712, constant-time compares) |
| Consensus determinism | 8/10 (timestamp non-determinism fixed; some signing-path complexity remains) |
| Concurrency / race conditions | 8/10 (Tokio task isolation good; some shared-state contention edge cases tracked) |
| Tokenomics / supply integrity | 9/10 (supply invariant tests, no double-mint paths) |
| RPC / API surface | 8/10 (auth, rate-limit, no SQLi-like — pure JSON parsing throughout) |
| EVM integration | 7/10 (revm-backed; reverted-tx state-leak now fixed; some gas-accounting nuance) |
| Operational security | 8/10 (multisig governance, audit trails, runbooks, off-chain coordination — improving as decentralization scales) |
Overall: 8.3/10 — production-ready for current network scale (4 validators, Foundation-operated).
Areas for continued improvement (tracked in docs/security/ + audit folder):
- Fee tracking architecture refactor (H01 underlying complexity)
- BFT skip-round corner cases (Phase 2 RCA findings — implementation in progress)
- External validator onboarding hardening (ongoing as set decentralizes)
External audit posture
No third-party audit firm has reviewed Sentrix Chain code as of 2026-04-28. External audit is something we'd pursue when budget + scope align — no committed timeline.
The chain runs continuous internal review:
cargo audit+gitleakson every PRslither+mythrilon Solidity contracts (CI gate)- Manual code review by Sentrix Labs / SentrisCloud security team for every PR
- Public bug bounty: see SECURITY.md (safe-harbor policy in effect)
Listing platforms or external auditors performing diligence: contact [email protected] for code-walkthrough or audit-prep discussion.
How to report
If you find a security issue:
- Do not open a public GitHub issue.
- Email
[email protected]with details. - Include reproduction steps, impact assessment, and suggested fix if applicable.
- We acknowledge within 48 hours; remediation timeline depends on severity.
- Safe-harbor policy applies — researchers acting in good faith are protected from legal action; see SECURITY.md for full terms.
Cross-references
SECURITY.md— safe-harbor + reporting policySECURITY_REPORT.md— V1–V10 cumulative summarySECURITY_AUDIT_V11.md— most recent round, full detailATTACK_VECTORS.md— threat modelPENTEST_RESULTS.md— pentest methodology + outcomesMULTISIG.md— SentrixSafe technical specification- GOVERNANCE.md — control / governance model