Soroban Environment Audit
Soroban Smart Contract Platform (Stellar)
// Executive Summary
The Stellar Development Foundation (SDF) engaged Runtime Verification Inc. to conduct a security audit of the Soroban smart contract platform. The objective was to review the logic and implementation of critical components and identify any issues that could cause erroneous or undefined behavior, potentially leading to exploitation or malicious interaction with the Stellar network.
The audit was conducted over a period of approximately 10 calendar weeks, concluding on December 23, 2024. It focused on analyzing the following accepted Core Advancement Proposals (CAPs): CAP-0051, CAP-0053, CAP-0054, CAP-0055, CAP-0056, CAP-0058, CAP-0059, and CAP-0060.
Given the extensive and complex nature of Soroban's codebase, a comprehensive approach was adopted to ensure the highest guarantees within the allocated timeframe. The audit encompassed two primary areas: a thorough code review of the specified CAPs, prioritized by their criticality, and dedicated fuzz testing using a variety of tools and configurations. The Soroban codebase is well-structured, adhering to best practices and containing informative documentation that clarifies complex invariants.