The Watchtower for the Vero Protocol. Automated security monitoring, formal static analysis, and an immutable on-chain audit trail — all in one place.
vero-audit-guard treats every line of the Vero Protocol as a potential attack surface. Nothing ships without:
- Static analysis —
scanner-enginecatches unsafe Rust patterns, unchecked storage writes, and incomplete code before they reach mainnet. - Real-time monitoring —
anomaly-detectorwatches the relayer service 24/7 for nonce spikes, failed-transaction bursts, and unauthorized address interactions. - Policy compliance —
audit-guardenforces Policy as Code on every PR using OPA, flagging non-compliant code before review. - Immutable audit history —
verifiable-audit-trailhashes every audit report and anchors it to the Stellar ledger, making tampering detectable by anyone. - Zero-tolerance on CRITICAL — The CI pipeline hard-blocks any PR containing a CRITICAL static analysis finding or policy violations.
┌─────────────────────────────────────────────────────────────────┐
│ VERO ORGANIZATION │
│ │
│ vero-core-contracts ──── scanner-engine ─────────┐ │
│ (Soroban/Rust) (Rust binary) │ │
│ ▼ │
│ vero-relayer-service ── anomaly-detector ── /reports/ ──┐ │
│ (Node.js) (TypeScript) (JSON) │ │
│ ▼ │
│ GitHub PRs ──── audit-guard ──────┐ │
│ (Pull Requests) (OPA/Rego) │ │
│ ▼ │
│ verifiable-audit-trail │
│ (Stellar memo TX) │
│ │ │
│ ▼ │
│ STELLAR LEDGER │
│ (immutable hash store) │
└─────────────────────────────────────────────────────────────────┘
| Component | Language | Role |
|---|---|---|
scanner-engine |
Rust | Static analysis of Soroban contracts |
anomaly-detector |
TypeScript | Real-time relayer monitoring |
audit-guard |
TypeScript | Policy as Code enforcement on GitHub PRs |
verifiable-audit-trail |
TypeScript | On-chain report hash anchoring (Stellar) |
BUILD_GUARD.sh |
Bash | Local and CI orchestrator |
.github/workflows/ |
YAML | PR-gated security pipeline |
vero-audit-guard/
├── src/audit-guard/ # OPA policy engine for PR compliance
│ ├── src/policy-engine.ts
│ ├── policies/pr_compliance.rego
│ └── package.json
├── scanner-engine/ # Rust static analyzer
│ └── src/main.rs
├── anomaly-detector/ # TypeScript relayer monitor
│ └── src/index.ts
├── verifiable-audit-trail/ # On-chain audit hash anchoring
│ └── src/index.ts
├── reports/ # Generated scan reports (gitignored content)
├── .github/workflows/
│ ├── security-scan.yml # PR-gated CI pipeline
│ └── policy-compliance.yml # OPA policy compliance checks
├── BUILD_GUARD.sh # Local automation script
├── POLICY_AS_CODE.md # Policy engine documentation
├── INCIDENT_RESPONSE.md # Emergency runbook
└── VULNERABILITY_DISCLOSURE.md # Bug bounty & reporting
See INCIDENT_RESPONSE.md for the full runbook.
Quick Reference:
| Severity | Response SLA | First Action |
|---|---|---|
| P0 (CRITICAL) | 15 min | Page on-call + invoke emergency_pause on contract |
| P1 (HIGH) | 1 hour | Isolate relayer, rotate keys |
| P2 (MEDIUM) | 4 hours | Investigate, patch, re-scan |
| P3 (LOW) | 24 hours | Track in backlog, schedule patch |
- Rust toolchain (
rustup install stable) - Node.js ≥ 20
cargo,npmcargo-audit(cargo install cargo-audit --locked)
chmod +x BUILD_GUARD.sh
./BUILD_GUARD.sh [path/to/vero-core-contracts]This will:
- Audit Rust dependencies with
cargo auditso known vulnerable crates fail the guard. - Build and run the Rust static analyzer.
- Run anomaly-detector tests.
- Build the audit trail module.
- Compute and optionally anchor report hashes on Stellar.
- Report the security health status.
| Variable | Component | Description |
|---|---|---|
AUDIT_KEYPAIR_SECRET |
audit-trail | Stellar secret key for on-chain anchoring |
RELAYER_METRICS_URL |
anomaly-detector | HTTP endpoint exposing relayer metrics JSON |
AUTHORIZED_ADDRESSES |
anomaly-detector | Comma-separated list of allowed relayer addresses |
NONCE_SPIKE_THRESHOLD |
anomaly-detector | Nonce delta threshold (default: 50) |
FAILED_TX_THRESHOLD |
anomaly-detector | Failed TX count threshold (default: 10) |
STELLAR_NETWORK |
audit-trail | mainnet or testnet (default: testnet) |
HORIZON_URL |
audit-trail | Horizon server URL |
- Bug reports: See
VULNERABILITY_DISCLOSURE.md - Emergency: security@vero.xyz
- PGP: https://vero.xyz/.well-known/security.txt