Security Audits
Specter has undergone security audits covering its smart contracts, ZK circuits, infrastructure, and the batch/sharded scaling architecture.
Audit reports
| Audit | Scope | Status |
|---|---|---|
| Smart Contract Audit | All Solidity contracts (core, token, policy, scaling) | Completed, all findings remediated |
| ZK Circuit Audit | Circom circuits (redemption, access proof) | Completed, all findings remediated |
| Infrastructure Audit | Validator, relayer, nginx, systemd, PM2 | Completed, 25 findings, all remediated |
| Scaling Audit | Batch/sharded architecture (BatchCommitRevealVault, SessionVault, ShardedTreeRegistry) | Completed |
Audit coverage
Smart contracts
- CommitRevealVault — reentrancy, access control, overflow
- CommitmentTree — Merkle tree integrity, root history
- NullifierRegistry — uniqueness, ordering
- NativeAssetHandler — precompile interaction, authorization
- GhostERC20 / Factory — mint/burn access control, CREATE2
- Policy contracts — validation logic, gas limits
- AssetGuard — authorization model
ZK circuits
- Redemption circuit — constraint soundness, completeness
- Access proof circuit — non-destructive proof properties
- Poseidon hash — implementation correctness
- Merkle proof verification — path validation
- Nullifier derivation — uniqueness guarantees
Infrastructure
- Validator node security — firewall, TLS, key management
- Relayer services — rate limiting, HMAC auth, CORS
- nginx configuration — header security, TLS settings
- PM2 process management — restart policies, memory limits
Responsible disclosure
If you discover a security vulnerability, please report it privately rather than disclosing it publicly. Contact the team via the Specter Discord security channel or email security@specterchain.com.