Security Audit Report
Date: February 2026
Scope: Full codebase (15 Rust crates, 624 dependencies) + VexAI Python service
Status: Pre-beta internal audit. External professional audit planned post-funding.
Summary
We ran 9 industry-standard security analysis tools against the entire Vexidus codebase. The results confirm zero critical or high-severity vulnerabilities in our application code.
| Tool | Purpose | Critical | High | Medium | Low |
|---|---|---|---|---|---|
| cargo-audit | Dependency CVE scan | 0 | 0 | 0 | 0 |
| cargo-deny | License & policy | 0 | 0 | 0 | 0 |
| cargo-geiger | Unsafe code detection | 0 | 0 | 0 | 0 |
| gitleaks | Secret scanning (full git history) | 0 | 0 | 0 | 0 |
| semgrep | Static analysis (SAST) | 0 | 0 | 0 | 0 |
| clippy (pedantic) | Rust linting (max strictness) | 0 | 0 | 0 | 0 |
| bandit | Python SAST | 0 | 0 | 0 | 0 |
| pip-audit | Python dependency CVE scan | 0 | 0 | 0 | 0 |
| Dependency pruning | Attack surface reduction | — | — | — | — |
All identified dependency CVEs have been patched. All unused dependencies have been removed.
Key Findings
Zero Unsafe Rust
Vexidus is written entirely in safe Rust. All 15 application crates contain zero unsafe blocks. The only unsafe code in the build is within well-audited, widely-used infrastructure dependencies (tokio, rocksdb, ring/rustls, libp2p).
Tool: cargo-geiger — scans the entire dependency tree for unsafe code surface area.
Zero SAST Findings in Production Code
Static analysis with semgrep (Rust and security-audit rulesets) found zero vulnerabilities across all production Rust code. Two low-severity findings were flagged in test utility scripts (not production) — a dynamic URL in a load tester and an HTTP request in a localhost test tool.
Zero Secret Leaks
gitleaks scanned the entire git history and found no leaked credentials, API keys, SSH keys, or private keys. Nine detections were all confirmed false positives (well-known public token contract addresses and deterministic testnet keypairs with no real-world value).
All Dependency CVEs Patched
- Rust: `cargo-audit` checked 624 crate dependencies against the RustSec Advisory Database. One high-severity CVE was found (`bytes` integer overflow) and immediately patched. Remaining advisories are informational (unmaintained upstream crates with no impact on our usage).
- Python: `pip-audit` found 10 CVEs across 6 Python packages. All were upgraded to patched versions on the same day. A re-scan confirmed zero remaining vulnerabilities.
Dependency Pruning
We analyzed every dependency declaration against actual usage in source code and removed 8 unused dependencies to reduce attack surface. Staged dependencies for planned features (ZK-STARK verification, hybrid key exchange) were intentionally retained.
Post-Quantum Ready
Vexidus includes Dilithium3 (NIST post-quantum standard) alongside Ed25519 for signature verification. Accounts can hold both key types, and key rotation is built in — positioning Vexidus ahead of the quantum migration timeline.
Production Hardening
Vexidus includes configurable security flags that allow the same binary to run in testnet mode (relaxed for development) or production mode (strict verification). All security-sensitive behaviors have corresponding CLI flags documented in the Validator Setup Guide.
Tooling
All security tools remain installed on our infrastructure for ongoing monitoring:
| Tool | Version | Purpose |
|---|---|---|
| cargo-audit | 0.22.1 | Rust dependency CVE scanning |
| cargo-deny | 0.19.0 | License policy enforcement |
| cargo-geiger | 0.13.0 | Unsafe code surface detection |
| gitleaks | 8.21.2 | Git history secret scanning |
| semgrep | 1.152.0 | Static application security testing |
| clippy | rustup | Rust linting (pedantic + nursery) |
| bandit | 1.9.3 | Python SAST |
| pip-audit | 2.9.0 | Python dependency CVE scanning |
Ongoing Security Practices
Current
- Automated dependency scanning before every release
- Output filtering and guardrails on all public-facing AI services
- Rate limiting on all API endpoints
- Ed25519 signature verification on all transaction bundles
- Configurable security modes via CLI flags
Planned
- CI/CD Integration: Automated `cargo audit` + `semgrep` on every push
- Fuzz Testing: `cargo-fuzz` targets for critical execution paths
- External Audit: Professional audit by a top-tier blockchain security firm (Trail of Bits, Zellic, OtterSec, or Halborn)
- Bug Bounty Program: Public bounty program via Immunefi or HackerOne
- Formal Verification: Consensus finality and bridge logic
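The planned per-push gate needs a policy for what the scanners report: the "All Dependency CVEs Patched" section above treats RustSec vulnerabilities as must-fix but unmaintained-crate advisories as informational. The following added example (not Vexidus project code) implements that distinction over `cargo audit --json` and `pip-audit --format json` reports; the JSON field names are the author's understanding of those tools' output and the sample reports are constructed.

```python
# Added example (not Vexidus code): release gate over cargo-audit / pip-audit JSON.
import json
from dataclasses import dataclass, field


@dataclass
class GateResult:
    blocking: list = field(default_factory=list)       # must be fixed before release
    informational: list = field(default_factory=list)  # reported, does not block

    @property
    def passed(self) -> bool:
        return not self.blocking


def evaluate_cargo_audit(report: dict, result: GateResult) -> None:
    # Field names as the author understands `cargo audit --json` output (assumption).
    # Vulnerabilities (RUSTSEC advisories with an affected version range) always block.
    for v in report.get("vulnerabilities", {}).get("list", []):
        adv, pkg = v["advisory"], v["package"]
        result.blocking.append(f"{pkg['name']} {pkg['version']}: {adv['id']} {adv['title']}")
    # Warnings (unmaintained, yanked, ...) are informational: recorded, not blocking.
    for kind, warnings in report.get("warnings", {}).items():
        for w in warnings:
            result.informational.append(f"{w['package']['name']} {w['package']['version']}: {kind}")


def evaluate_pip_audit(report, result: GateResult) -> None:
    # pip-audit emits either a bare list of dependencies or {"dependencies": [...]} (assumption).
    deps = report["dependencies"] if isinstance(report, dict) else report
    for dep in deps:
        for vuln in dep.get("vulns", []):
            fix = ", ".join(vuln.get("fix_versions", [])) or "no fix published"
            result.blocking.append(f"{dep['name']} {dep['version']}: {vuln['id']} (fix: {fix})")


def run_gate(cargo_json: str, pip_json: str) -> GateResult:
    result = GateResult()
    evaluate_cargo_audit(json.loads(cargo_json), result)
    evaluate_pip_audit(json.loads(pip_json), result)
    return result


# Constructed sample reports: one Rust vulnerability, one unmaintained warning, one Python CVE.
CARGO_SAMPLE = json.dumps({"vulnerabilities": {"found": True, "count": 1, "list": [
    {"advisory": {"id": "RUSTSEC-0000-0000", "title": "constructed integer overflow"},
     "package": {"name": "example-crate", "version": "1.0.0"}}]},
    "warnings": {"unmaintained": [{"package": {"name": "old-crate", "version": "0.3.1"},
                                   "advisory": {"id": "RUSTSEC-0000-0001"}}]}})
PIP_SAMPLE = json.dumps({"dependencies": [{"name": "example-pkg", "version": "1.2.0",
    "vulns": [{"id": "PYSEC-0000-0000", "fix_versions": ["1.2.1"], "aliases": []}]}]})

if __name__ == "__main__":
    gate = run_gate(CARGO_SAMPLE, PIP_SAMPLE)
    print("PASS" if gate.passed else "FAIL", gate.blocking, gate.informational)
```

In CI the two report strings would come from the scanner invocations, and a non-empty `blocking` list fails the job while `informational` entries are surfaced for periodic review.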
Test Suite
The Vexidus codebase maintains a comprehensive test suite:
- 204 tests across all 15 crates
- All tests passing with zero failures
- `cargo check` clean compilation
- Tests cover: state machine operations, token standards, staking, governance, multi-sig, bridge logic, signature verification, address derivation, hash formats, and more
Responsible Disclosure
If you discover a security vulnerability in Vexidus, please report it responsibly:
- Email: security@vexidus.io
- GitHub: Security Advisories
We take all reports seriously and will respond within 48 hours. Please do not disclose vulnerabilities publicly until we've had time to investigate and patch.