The Soroban Audit Bank: Fostering a Secure Smart Contract Ecosystem

Author: Stellar Development Foundation
The Audit Bank is Live!

Today, the Stellar Development Foundation (SDF) launched the Soroban Security Audit Bank. The program will distribute up to $1M in security audit credits in coordination with six top-tier audit firms — Ottersec, Veridise, Runtime Verification, CoinFabrik, QuarksLab, and Coinspect — to 20-30 high-priority projects building on Soroban. The program is part of SDF's ongoing commitment to promoting high standards for smart contract security throughout the Stellar ecosystem, and was first announced in the Meridian 2023 Soroban: Road to Mainnet keynote.

Who Gets the Credits?

In September, we began evaluating projects in the Soroban ecosystem to identify candidates for the program, and reached out to gauge their readiness for an audit. We prioritized financial protocols that manage on-chain value and that have the potential to be widely used, as well as infrastructure contracts and components that may be incorporated in multiple upstream services. For the most part, we selected projects that participated in the Stellar Community Fund this year and that have an active presence in the ecosystem. In all cases, we selected projects that were able to demonstrate readiness.

Why Security Audits are Critical for Smart Contracts

Smart contracts, which allow the execution of user-provided code on blockchains, exist in an extremely adversarial environment. They are written to public ledgers, where there are no firewalls of any kind to protect against hackers, and anyone can dig through the code to discover bugs and vulnerabilities. They are immutable, which means it's difficult — if not impossible — to change them once they're deployed, and often they handle a large amount of capital. According to the web3 bug bounty platform Immunefi, $335,574,150 was lost across 18 different smart contract hacks in November 2023 alone. Audits help prevent hacks by identifying vulnerabilities before contracts go live, which is why they're crucial to the development of secure smart contract protocols.

Working Towards a Safer Soroban Ecosystem

From the beginning, Soroban has included tools to improve smart contract security. It offers built-in unit testing, supports integration tests for cross-contract calls, and is built in Rust end-to-end, which means that it can take advantage of the robust set of security tools the Rust ecosystem has created over the years. Fuzz testing, for instance, which feeds a large corpus of unexpected inputs to the code under test and has proven to be an extremely valuable approach to vetting smart contracts, is incorporated across the Soroban stack using cargo-fuzz, the most popular Rust fuzz-testing tool.

But tools alone are not enough to take full advantage of Soroban's security features: projects need help from experts with experience rooting out vulnerabilities, experts who know how to put contracts through their paces and how to use the slate of tools to the greatest effect. The Audit Bank introduces a stable of those experts into the ecosystem, and gives them an incentive to hone their Soroban and Rust chops by connecting them to projects in need of audits. This program complements the development and audit support that Certora, an industry-leading web3 security firm, is providing to the ecosystem. The focus on promoting security best practices matches Soroban's fundamental design, and helps set high standards that can set the Stellar ecosystem apart, and this program is just the beginning.

Help Build a More Secure Future

If you have built a financial protocol or oracle on Soroban and are interested in participating in the Audit Bank program, please email [email protected].


If you are a builder looking to get started on Stellar, make sure to check out the Stellar Community Fund, an open-application awards program that supports innovation and development. And make sure to join the Stellar Dev Discord for updates on the Soroban Security Audit Bank!