Security and Audits

Quantus has engaged multiple independent security firms to audit critical components of the protocol. This page tracks audit status and links to published reports.

Completed Audits

| Auditor | Scope | Status | Report |
|---|---|---|---|
| Eiger | Hash algorithm (Poseidon2) and consensus (QPoW) | Completed | [Link pending] |
| Neodyme | ML-DSA-87 / Dilithium signature implementation (qp-rusty-crystals) | Completed | [Link pending] |

In-Progress Audits

| Auditor | Scope | Status |
|---|---|---|
| Eiger | ZK circuits (qp-zk-circuits) -- wormhole circuit, prover, verifier, aggregator | In progress |
| Hashcloak | Threshold signatures (near-mpc) -- MPC node for NEAR chain abstraction | In progress |

Security Architecture

Quantus's security model is layered across multiple boundaries:

Cryptographic Layer

  • Transaction signatures: ML-DSA-87 (NIST Level 5), audited by Neodyme
  • P2P encryption: ML-KEM-768 + ML-DSA-87 via forked libp2p
  • Block hashing: Poseidon2, audited by Eiger
  • ZK proofs: Plonky2 STARKs (no trusted setup), audit in progress

Consensus Layer

  • QPoW mining: Double Poseidon2 hashing, audited by Eiger
  • Chain selection: Heaviest-chain (cumulative work), not longest-chain
  • Finalization: Deterministic at 179 blocks behind best

Application Layer

  • Replay protection: 11-stage transaction extension pipeline (CheckNonce, CheckEra, CheckGenesis, etc.)
  • High-security accounts: Mandatory delay periods with guardian cancellation
  • Wormhole nullifiers: Prevent double-spending of ZK proof-based transactions
  • Forkless upgrades: Governance can patch vulnerabilities without hard forks

Responsible Disclosure

Security issues should be reported to the Quantus team via:

  • GitHub Issues: Quantus-Network/chain (for non-sensitive issues)
  • Direct contact: For critical vulnerabilities, reach out via Telegram or team contacts

Research