Security
This page documents the current security posture of CAREL Protocol based on the internal security review completed in March–May 2026. This is not a third-party audit report.
Current Status
| Area | Status |
|---|---|
| Network | Starknet Sepolia testnet |
| Smart contract tests | 109/109 passing, 0 warnings (May 2026) |
| Backend tests | 208/208 passing |
| Internal audit | Completed — 35 contracts, FE reviewed; full BE audit (all ~55 files) completed May 2026 |
| External audit | Not completed — planned for Growth phase |
| Upgradeability | No proxy path — redeploy + migration model |
Internal Audit Scope
The internal review covered all three layers of the stack:
Smart Contracts — 35 Cairo Contracts
Two batches across the full contract surface:
Batch 1 — Core Protocol (18 contracts): Token, FeeCollector, Treasury, VestingManager, Governance, Timelock, EmergencyPause, Multisig, PriceOracle, TwapOracle, MerkleVerifier, PointStorage, PointToken, ReferralSystem, RewardsEscrow, SnapshotDistributor, Registry, CarelProtocol
Batch 2 — Trading, Staking, AI, Game (17 contracts): DiscountSoulbound, BattleshipGaraga, DCAOrders, PrivacyIntermediary, Staking (4 variants), PrivacyRouter, PrivateSwap, SwapRouter, SwapAggregator, AIExecutor, AISignatureVerifier, ActionTypes
Backend — Rust/Axum
Full file-by-file pass of all ~55 source files. Reviewed: auth flow (multi-wallet signature routing), on-chain privacy calldata verification, Garaga auto-prover orchestration (Groth16 + ZK-Honk), relayer and circuit breaker, Merkle tree generation, epoch snapshot finalization, bridge route optimization, DEX liquidity aggregation, NFT discount consumption, point calculator, social verifier, indexer (block processor + event parser), and bridge worker.
Frontend — Next.js
Reviewed: wallet connection flow, trade execution path, hide mode payload signing, AI execution integration, user input handling.
Audit Findings Summary
Smart contract audit — 25 total findings:
| Severity | Count |
|---|---|
| Critical | 6 |
| High | 9 |
| Medium | 6 |
| Low / Info | 4 |
All Critical and High findings have been addressed in the current codebase. External audit is required before mainnet deployment.
Backend Full Audit (May 2026) — 3 confirmed bugs fixed, 4 bug candidates open, 15 technical-debt items:
Confirmed bugs (all fixed in this commit):
| Severity | Finding | Status |
|---|---|---|
| Critical | expire_limit_order: expired orders permanently locked user from_token in contract — keeper never called on-chain refund | Fixed |
| Critical | Referral double-counting: backend synced referral bonus via submit_points (absolute total) AND called record_referee_points on ReferralSystem, allowing a second claim via claim_referral_bonus | Fixed |
| Medium | Race condition: social_verifier used add_points (delta) while point_calculator used submit_points (absolute overwrite) — running out of order caused stale or doubled on-chain point state | Fixed |
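The referral double-count and the social_verifier/point_calculator race share one root cause: two writers to the same on-chain point balance, one using an absolute overwrite and one using a delta. The following is an added illustration, not CAREL code; PointStorage, Ledger and the job names are constructed stand-ins for the contract entrypoints the findings mention, and the fix shown (all services append to one off-chain ledger, one reconciler submits the absolute total) is one way to remove the ordering dependency.

```rust
use std::collections::HashMap;

/// Constructed stand-in for the on-chain PointStorage contract, exposing only
/// the two entrypoints named in the audit finding.
#[derive(Default)]
pub struct PointStorage {
    points: HashMap<String, u64>,
}

impl PointStorage {
    /// submit_points: absolute overwrite of the user's stored total.
    pub fn submit_points(&mut self, user: &str, total: u64) {
        self.points.insert(user.to_string(), total);
    }
    /// add_points: delta added on top of whatever is currently stored.
    pub fn add_points(&mut self, user: &str, delta: u64) {
        *self.points.entry(user.to_string()).or_insert(0) += delta;
    }
    pub fn get(&self, user: &str) -> u64 {
        self.points.get(user).copied().unwrap_or(0)
    }
}

/// Off-chain ledger: the backend's own append-only record of point events.
#[derive(Default)]
pub struct Ledger {
    entries: Vec<(String, u64)>,
}

impl Ledger {
    pub fn record(&mut self, user: &str, amount: u64) {
        self.entries.push((user.to_string(), amount));
    }
    pub fn total(&self, user: &str) -> u64 {
        self.entries.iter().filter(|(u, _)| u == user).map(|(_, a)| *a).sum()
    }
}

/// Buggy pattern from the finding: point_calculator writes the absolute total
/// it knows about, while social_verifier writes its bonus as a delta that the
/// calculator's ledger never sees. The on-chain value depends on which job
/// happens to run last.
pub fn buggy_sync(order: &[&str], trade_points: u64, social_bonus: u64) -> u64 {
    let mut ledger = Ledger::default();
    ledger.record("alice", trade_points);
    let mut chain = PointStorage::default();
    for job in order {
        match *job {
            "calculator" => chain.submit_points("alice", ledger.total("alice")),
            "social" => chain.add_points("alice", social_bonus),
            other => panic!("unknown job {other}"),
        }
    }
    chain.get("alice")
}

/// Fixed pattern: every service appends to the ledger, and only one
/// reconciler ever touches the chain, always with the ledger's absolute total.
/// Run order no longer matters and no delta path exists to double-count.
pub fn fixed_sync(order: &[&str], trade_points: u64, social_bonus: u64) -> u64 {
    let mut ledger = Ledger::default();
    let mut chain = PointStorage::default();
    for job in order {
        match *job {
            "calculator" => ledger.record("alice", trade_points),
            "social" => ledger.record("alice", social_bonus),
            other => panic!("unknown job {other}"),
        }
        // Reconcile after every job; idempotent because the write is absolute.
        chain.submit_points("alice", ledger.total("alice"));
    }
    chain.get("alice")
}

fn main() {
    println!("buggy, social first:     {}", buggy_sync(&["social", "calculator"], 100, 50));
    println!("buggy, calculator first: {}", buggy_sync(&["calculator", "social"], 100, 50));
    println!("fixed, either order:     {}", fixed_sync(&["social", "calculator"], 100, 50));
}
```

With 100 trade points and a 50-point social bonus, the buggy flow lands on 100 (bonus wiped) or 150 depending on scheduling; the fixed flow lands on 150 in either order. The same single-writer rule is what closes the referral finding: a bonus that is already part of the submitted total must not also be recorded through a second on-chain path.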
Bug candidates requiring fix before mainnet:
| Severity | Finding | File |
|---|---|---|
| Medium | merkle_generator.generate_proof silently returns unverified proof — user cannot claim rewards | services/merkle_generator.rs |
| Medium | Unknown BTC senders credited to DEFAULT_STARKNET_RECIPIENT — unintended credit to wrong address | bridge_worker.rs |
| Medium | Bridge worker calls mint_points on point token; other services use PointStorage.submit_points — bridge points may be overwritten to 0 | bridge_worker.rs |
| Low | Hardcoded POINTS_PER_USD = 25.0 in bridge worker diverges from protocol-wide rate | bridge_worker.rs |
See backend-rust/AUDIT_BACKEND_RUST.md for full root cause analysis, technical-debt index, and prioritized pre-mainnet checklist.
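The merkle_generator candidate above is a proof generator that can hand out a proof it never checked. The added example below is not the project's merkle_generator.rs; it is a self-contained Rust tree with a placeholder hash (DefaultHasher, standing in for the field hash a Starknet verifier would use) whose generate_proof recomputes the root from the proof it just built and returns an error instead of an unverifiable proof. Leaf contents and the error type are constructed for this example.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

/// Placeholder hash for the example: a real tree for Starknet would use the
/// field hash the on-chain MerkleVerifier checks. Leaves and inner nodes get
/// different domain tags so a leaf can never be presented as a node.
pub fn leaf_hash(data: &[u8]) -> u64 {
    let mut h = DefaultHasher::new();
    0u8.hash(&mut h);
    data.hash(&mut h);
    h.finish()
}

fn node_hash(left: u64, right: u64) -> u64 {
    let mut h = DefaultHasher::new();
    1u8.hash(&mut h);
    left.hash(&mut h);
    right.hash(&mut h);
    h.finish()
}

#[derive(Debug, PartialEq, Eq)]
pub enum ProofError {
    IndexOutOfRange,
    /// The generated proof did not reproduce the root: refuse to hand it out.
    SelfCheckFailed,
}

/// Proof element: (sibling hash, sibling sits on the left).
pub type Proof = Vec<(u64, bool)>;

pub struct MerkleTree {
    layers: Vec<Vec<u64>>, // layers[0] = leaves, last layer = [root]
}

impl MerkleTree {
    pub fn build(leaves: &[&[u8]]) -> Option<MerkleTree> {
        if leaves.is_empty() {
            return None;
        }
        let mut layers = vec![leaves.iter().map(|l| leaf_hash(l)).collect::<Vec<u64>>()];
        while layers.last().unwrap().len() > 1 {
            let prev = layers.last().unwrap();
            // An odd trailing node is paired with itself.
            let next: Vec<u64> = prev
                .chunks(2)
                .map(|pair| node_hash(pair[0], *pair.get(1).unwrap_or(&pair[0])))
                .collect();
            layers.push(next);
        }
        Some(MerkleTree { layers })
    }

    pub fn root(&self) -> u64 {
        self.layers.last().unwrap()[0]
    }

    /// Build the proof for leaf `index` and verify it against the root before
    /// returning it. An unverified proof is never returned to the caller.
    pub fn generate_proof(&self, index: usize) -> Result<Proof, ProofError> {
        if index >= self.layers[0].len() {
            return Err(ProofError::IndexOutOfRange);
        }
        let mut proof = Proof::new();
        let mut idx = index;
        for layer in &self.layers[..self.layers.len() - 1] {
            let sibling_idx = idx ^ 1;
            let sibling = *layer.get(sibling_idx).unwrap_or(&layer[idx]);
            proof.push((sibling, idx % 2 == 1));
            idx /= 2;
        }
        if !verify_proof(self.root(), self.layers[0][index], &proof) {
            return Err(ProofError::SelfCheckFailed);
        }
        Ok(proof)
    }
}

/// The same recomputation the claimer (and the on-chain verifier) performs.
pub fn verify_proof(root: u64, leaf: u64, proof: &[(u64, bool)]) -> bool {
    let mut acc = leaf;
    for (sibling, sibling_is_left) in proof {
        acc = if *sibling_is_left { node_hash(*sibling, acc) } else { node_hash(acc, *sibling) };
    }
    acc == root
}

fn main() {
    // Constructed sample leaves: "user:points" entries for one epoch snapshot.
    let leaves: [&[u8]; 5] = [b"alice:100", b"bob:40", b"carol:7", b"dave:0", b"erin:12"];
    let tree = MerkleTree::build(&leaves).unwrap();
    for (i, leaf) in leaves.iter().enumerate() {
        let proof = tree.generate_proof(i).unwrap();
        println!("leaf {i}: {} elements, verifies: {}", proof.len(), verify_proof(tree.root(), leaf_hash(leaf), &proof));
    }
}
```

The self-check costs one extra root recomputation per proof, which is negligible next to the cost of a claim that reverts on-chain. The same verify_proof function is what a claim endpoint should run against the stored epoch root before returning a proof to a user.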
V4 Hide Mode Audit (March 2026) — additional findings:
| Severity | Finding | Status |
|---|---|---|
| Critical | Verifier wrapper discarded public_inputs — ShieldedPoolV4 relied on these for action_hash, recipient, chain_id binding | Patched locally |
| High | Backend silently overwrote V4 binding fields (action_hash, root, nullifier) after payload generation | Patched locally |
| High | Proof binding inside Noir circuits incomplete — circuit does not constrain all on-chain fields | Open — requires circuit update |
Patched findings require on-chain redeploy and rewire to be active in production.
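The first two V4 findings describe the same gap from two sides: the verifier wrapper dropped the public inputs, so nothing downstream could compare them with the action being executed, and the backend could then rewrite binding fields without anyone noticing. The added example below is not the CAREL verifier wrapper or relayer code. The PublicInputs layout is constructed, and the `accepted` flag stands in for the real Garaga/Honk proof check, which is not reproduced here; what the example shows is the shape a wrapper needs (verification result and public inputs returned together) and the field-by-field binding check a relayer runs before submitting.

```rust
/// Constructed shape of the binding fields a V4 hide-mode proof carries as
/// public inputs; the real circuit's layout is not reproduced here.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct PublicInputs {
    pub action_hash: [u8; 32],
    pub root: [u8; 32],
    pub nullifier: [u8; 32],
    pub recipient: [u8; 32],
    pub chain_id: u64,
}

#[derive(Debug, PartialEq, Eq)]
pub enum BindingError {
    ProofRejected,
    ActionHash,
    Root,
    Nullifier,
    Recipient,
    ChainId,
}

/// What a verifier wrapper must hand back. The finding corresponds to a
/// wrapper that returned only `bool`: the caller could not see what the proof
/// was actually bound to.
pub struct VerifiedProof {
    pub public_inputs: PublicInputs,
}

/// Minimum proof length accepted by the stand-in check (constructed value).
pub const MIN_PROOF_LEN: usize = 64;

/// Stand-in for the real proof verification: `accepted` plays the role of the
/// cryptographic check. The all-zero and short-proof rejections mirror the
/// bypass listed under the V3 remediations.
pub fn verify_wrapper(
    proof: &[u8],
    accepted: bool,
    inputs: &PublicInputs,
) -> Result<VerifiedProof, BindingError> {
    if !accepted || proof.len() < MIN_PROOF_LEN || proof.iter().all(|b| *b == 0) {
        return Err(BindingError::ProofRejected);
    }
    Ok(VerifiedProof { public_inputs: inputs.clone() })
}

/// Field-by-field binding check run by the relayer before it submits. It
/// compares the proof's own public inputs against the action the relayer is
/// about to execute, so a later overwrite of action_hash/root/nullifier in
/// the backend payload surfaces as a mismatch instead of going through.
pub fn check_binding(
    verified: &VerifiedProof,
    intended: &PublicInputs,
    local_chain_id: u64,
) -> Result<(), BindingError> {
    let p = &verified.public_inputs;
    if p.chain_id != local_chain_id || p.chain_id != intended.chain_id {
        return Err(BindingError::ChainId);
    }
    if p.action_hash != intended.action_hash {
        return Err(BindingError::ActionHash);
    }
    if p.root != intended.root {
        return Err(BindingError::Root);
    }
    if p.nullifier != intended.nullifier {
        return Err(BindingError::Nullifier);
    }
    if p.recipient != intended.recipient {
        return Err(BindingError::Recipient);
    }
    Ok(())
}

/// Constructed sample inputs; the chain id is a label for this example only.
pub fn sample_inputs() -> PublicInputs {
    PublicInputs {
        action_hash: [0x11; 32],
        root: [0x22; 32],
        nullifier: [0x33; 32],
        recipient: [0x44; 32],
        chain_id: 2,
    }
}

fn main() {
    let inputs = sample_inputs();
    let proof = vec![0xABu8; 128]; // constructed proof bytes
    let verified = verify_wrapper(&proof, true, &inputs).unwrap();
    println!("matching action: {:?}", check_binding(&verified, &inputs, 2));
    let mut swapped = inputs.clone();
    swapped.recipient = [0x99; 32];
    println!("recipient rewritten after proof generation: {:?}", check_binding(&verified, &swapped, 2));
}
```

Chain id is checked first and against both the local configuration and the intended action, so a proof generated for another deployment cannot be replayed even when every other field lines up. The third V4 finding (incomplete constraints inside the Noir circuit) is not something this check can compensate for: a field the circuit does not constrain can be set to anything by the prover, and comparing it here only confirms the prover's claim.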
ShieldedPool V3 — Remediated Issues
Earlier internal review of V3 found and remediated:
- Nullifier no longer exposed in deposit calldata or events
- Unlimited approval drain path replaced with exact approval flow
- Zero-hash / short-proof bypass rejected
- Action and exit hash domain-separated by deployment context
- Reentrancy protection on submit, execute, and exit paths
- Cancel/retry no longer leaves permanently stuck pending actions
- Cross-user replay after cancel blocked by submitter binding
Open Hardening Items
| Item | Notes |
|---|---|
| V4 verifier redeploy | Patched verifier wrapper needs on-chain redeploy to be active |
| Circuit binding completeness | Noir circuits need update to constrain all on-chain fields |
| Admin key hardening | Current admin is single key — needs multisig before mainnet |
| AI rate-limit gas | ~4.9–5.1M gas vs 1.5M target |
| TWAP gas | ~3.4–3.7M gas vs 100–200K target |
| Backend — local ZK proof pre-validation | privacy_verifier.rs policy gate only; Honk pre-validation needed before mainnet |
| Backend — gas price oracle | gas_optimizer.rs uses hardcoded values; needs live oracle integration |
| Backend — GARAGA_ALLOW_STATEMENT_OVERRIDE | Not blocked in production startup check; can override ZK public inputs in mainnet if misconfigured |
| Backend — epoch finalization without Merkle root | snapshot_manager can call finalize_epoch on-chain even if no Merkle root exists — users cannot claim rewards |
| Backend — chain-indexed transactions have no USD value | block_processor leaves usd_value: None → 0 points from calculator for all chain-indexed txs |
| Backend — DEX integrations are mock stubs | Ekubo, Haiko, Avnu clients return simulated quotes; real API integrations needed before mainnet |
| External audit | Required before mainnet — planned for Growth phase |
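The GARAGA_ALLOW_STATEMENT_OVERRIDE item is a startup-configuration check that fails open. The added example below is not the project's startup code; it shows a fail-closed check that refuses to start a production process when that flag is set and only logs a warning elsewhere. The environment is passed in as a map so the check can be exercised offline, and the other variable names (CAREL_ENV, GARAGA_VERIFIER) are assumptions made for this example, not settings documented on this page; GARAGA_VERIFIER=mock is included only to illustrate the same rule for the testnet-only MockGaragaVerifier.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq, Eq)]
pub enum StartupError {
    /// GARAGA_ALLOW_STATEMENT_OVERRIDE set while running as production.
    StatementOverrideInProduction,
    /// A mock verifier selected while running as production (hypothetical setting).
    MockVerifierInProduction,
}

fn is_truthy(v: &str) -> bool {
    v == "1" || v.eq_ignore_ascii_case("true") || v.eq_ignore_ascii_case("yes")
}

fn get<'a>(env: &'a HashMap<String, String>, key: &str) -> Option<&'a str> {
    env.get(key).map(String::as_str)
}

/// Fail-closed startup check. `env` stands in for the process environment.
/// Variable names other than GARAGA_ALLOW_STATEMENT_OVERRIDE (CAREL_ENV,
/// GARAGA_VERIFIER) are assumed for this example. On success, returns the
/// warnings the process should log before continuing.
pub fn startup_check(env: &HashMap<String, String>) -> Result<Vec<String>, StartupError> {
    let production = get(env, "CAREL_ENV") == Some("production");
    let mut warnings = Vec::new();

    if get(env, "GARAGA_ALLOW_STATEMENT_OVERRIDE").map_or(false, is_truthy) {
        if production {
            // Never start: the flag lets a caller replace the ZK public inputs.
            return Err(StartupError::StatementOverrideInProduction);
        }
        warnings.push(
            "GARAGA_ALLOW_STATEMENT_OVERRIDE is set: ZK public inputs can be overridden".to_string(),
        );
    }
    if get(env, "GARAGA_VERIFIER").map_or(false, |v| v.eq_ignore_ascii_case("mock")) {
        if production {
            return Err(StartupError::MockVerifierInProduction);
        }
        warnings.push("GARAGA_VERIFIER=mock: proofs are not actually verified".to_string());
    }
    Ok(warnings)
}

/// Build an environment map from literal pairs (for tests and the demo below).
pub fn env_from(pairs: &[(&str, &str)]) -> HashMap<String, String> {
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

fn main() {
    let prod = env_from(&[("CAREL_ENV", "production"), ("GARAGA_ALLOW_STATEMENT_OVERRIDE", "true")]);
    println!("production with override:  {:?}", startup_check(&prod));
    let dev = env_from(&[("CAREL_ENV", "development"), ("GARAGA_ALLOW_STATEMENT_OVERRIDE", "1")]);
    println!("development with override: {:?}", startup_check(&dev));
}
```

The check runs before any listener is bound or any key is loaded, so a misconfigured deployment exits with a specific error rather than serving requests with a verifier that can be talked out of its public inputs. Keeping the decision in one function also makes it a natural place to add further mainnet preconditions (a multisig admin, a live gas oracle) as those items close.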
Security Assumptions (Testnet)
- Admin and relayer keys are stored securely and rotated under operational policy
- Verifier contracts are trusted once configured on testnet
- Oracle and bridge provider integrations are treated as partially trusted external dependencies
- Off-chain prover and relayer infrastructure is trusted not to leak payload internals
- MockGaragaVerifier is testnet-only and will not be used on mainnet under any condition
Known Limitations
| Limitation | Notes |
|---|---|
| Hide Mode metadata | Reduces wallet linkability but cannot fully hide timing, fee, or tx graph metadata |
| Bridge dependency | Depends on external provider uptime (LayerSwap, Garden Finance) |
| RPC instability | Quote and indexer behavior degrades under provider rate limits |
| No upgrade path | No proxy — migrations require redeploy plus state movement |
| Battleship state | Gameplay state is backend-memory based, not fully on-chain |
What This Means
CAREL has completed a comprehensive internal security review across all three layers. Critical and High findings have been addressed. The project is at testnet stage and is not production-ready. External audit is the primary prerequisite before mainnet deployment.
If you find a security issue, open a private issue on GitHub.