Skip to content

Security: btc-vision/btc-runtime

Security

SECURITY.md

Security Policy

Verichains

Audited by Verichains

Professionally Audited by Verichains

Audit Status

Aspect Status
Auditor Verichains
Audit Date 2025
Report Status Pending Publication
Severity Issues Found All resolved

About the Audit

The OPNet Smart Contract Runtime has undergone a comprehensive security audit by Verichains, a leading blockchain security firm with extensive experience in:

  • Smart contract security audits
  • Blockchain protocol assessments
  • Cryptographic implementation reviews
  • WebAssembly security analysis

Audit Scope

The security audit covered all core components of the btc-runtime:

Contract Standards

  • OP_NET Base Contract - Abstract contract class, lifecycle hooks, method dispatching
  • OP20 Token Standard - Fungible token implementation, transfers, approvals, minting/burning
  • OP20S Signatures - Gasless approvals, EIP-712 typed signatures, nonce management
  • OP721 NFT Standard - Non-fungible tokens, ownership, enumeration, metadata
  • ReentrancyGuard - Reentrancy protection mechanisms (STANDARD and CALLBACK modes)

Storage System

  • Pointer Architecture - u16 primary pointers, u256 sub-pointers, SHA256 key hashing
  • Persistent Storage - StoredU256, StoredString, StoredAddress, StoredBoolean
  • Array Storage - StoredU256Array through StoredU8Array, bounds checking
  • Map Storage - StoredMapU256, AddressMemoryMap, MapOfMap nested structures

Cryptographic Operations

  • Signature Verification - Schnorr signatures, ML-DSA quantum-resistant signatures
  • Hash Functions - SHA256, double SHA256 (hash256)
  • EIP-712 Domain Separator - Typed data signing, replay protection
  • Address Derivation - P2TR, P2WSH, P2WPKH address generation

Security Mechanisms

  • SafeMath Operations - Overflow/underflow protection for u256, u128, u64
  • Access Control - onlyDeployer patterns, role-based authorization
  • Input Validation - Calldata parsing, bounds checking, type verification
  • Event System - 352-byte limit enforcement, proper encoding

Bitcoin Integration

  • Transaction Parsing - Input/output decoding, script parsing
  • Address Validation - Bitcoin address format verification
  • Script Building - Opcodes, CSV timelocks, witness structures
  • Network Configuration - Mainnet/testnet handling

Supported Versions

Version Supported
1.10.x ✅ Current
1.9.x ⚠️ Upgrade recommended
< 1.9.0 ❌ Not supported

Security Best Practices

When developing contracts with btc-runtime, follow these guidelines:

Use SafeMath for All Arithmetic

import { SafeMath } from '@btc-vision/btc-runtime/runtime';

// CORRECT: Use SafeMath
const total = SafeMath.add(balance, amount);
const remaining = SafeMath.sub(balance, amount);

// WRONG: Direct arithmetic can overflow silently
// const total = balance + amount;  // DON'T DO THIS

Always Validate Inputs

class Test extends OP_NET {
    public transfer(calldata: Calldata): BytesWriter {
        const to = calldata.readAddress();
        const amount = calldata.readU256();

        // Validate recipient is not zero address
        if (to.equals(Address.zero())) {
            throw new Revert('Cannot transfer to zero address');
        }

        // Validate amount is positive
        if (amount.isZero()) {
            throw new Revert('Amount must be greater than zero');
        }

        // ... proceed with transfer
    }
}

Use Reentrancy Guards

import { ReentrancyGuard, ReentrancyGuardMode } from '@btc-vision/btc-runtime/runtime';

@final
export class MyContract extends ReentrancyGuard {
    constructor() {
        // Use CALLBACK mode for contracts with safe transfer callbacks
        super(ReentrancyGuardMode.CALLBACK);
    }
}

Implement Access Control

// Check deployer authorization
this.onlyDeployer(Blockchain.tx.sender);

// Custom role checks
class Test {
    private onlyAdmin(): void {
        if (!this.isAdmin(Blockchain.tx.sender)) {
            throw new Revert('Caller is not admin');
        }
    }
}

Handle Cross-Contract Calls Safely

const result = Blockchain.call(targetContract, calldata, true);

if (!result.success) {
    throw new Revert('External call failed');
}

// Parse and validate response
const response = result.data;

Never Use Floating-Point Arithmetic

// WRONG: Floating-point is non-deterministic
// const price = 1.5;  // DON'T USE FLOATS

// CORRECT: Use fixed-point with integers
const PRECISION = u256.fromU64(1_000_000); // 6 decimals
const price = SafeMath.mul(amount, PRECISION);

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

How to Report

  1. DO NOT open a public GitHub issue for security vulnerabilities
  2. Report via GitHub Security Advisories
  3. Include detailed steps to reproduce the vulnerability
  4. Allow reasonable time for a fix before public disclosure

What to Include

  • Description of the vulnerability
  • Affected component(s) and version(s)
  • Steps to reproduce
  • Potential impact assessment
  • Suggested fix (if any)
  • Proof of concept (if applicable)

Response Timeline

Action Timeframe
Initial response 48 hours
Vulnerability confirmation 7 days
Patch development 14-30 days
Public disclosure After patch release

Audit Report

The full audit report from Verichains will be published here upon completion of the disclosure process.

📄 [Audit Report - Coming Soon]

Contact

Security is a continuous process. This document will be updated as new audits are completed.

There aren’t any published security advisories