Discovery Trending Launches KYC Verified Watchlist Risk Alerts
Token Minter AI Threat Detection Token Burner
Blog & News Docs Visit SolidProof.io

Veilon Info

www.veilon.io

A zk-native cross-chain wallet and protocol for private, untraceable transfers, swaps, and bridging powered by stealth addresses & encrypted transaction layers.

Veilon Logo
Onboarded date 25/02/2026

TrustNet Score

The TrustNet Score evaluates crypto projects based on audit results, security, KYC verification, and social media presence. This score offers a quick, transparent view of a project's credibility, helping users make informed decisions in the Web3 space.

51.54
Poor Excellent

Real-Time Threat Detection

Real-time threat detection, powered by Cyvers.io, is currently not activated for this project.

This advanced feature provides continuous monitoring and instant alerts to safeguard your assets from potential security threats. Real-time detection enhances your project's security by proactively identifying and mitigating risks. For more information, click here.

Security Assessments

Select the audit
"Static Analysis Dynamic Analysis Symbolic Execution SWC Check Manual Review"
Contract address
N/A
Network N/A
License N/A
Compiler N/A
Type N/A
Language Solidity
Onboard date 2026/02/25
Revision date 2026/02/25

Summary and Final Words

No crucial issues found

The contract does not contain issues of high or medium criticality. This means that no known vulnerabilities were found in the source code.

Contract owner cannot mint

It is not possible to mint new tokens.

Contract owner cannot blacklist addresses.

It is not possible to lock user funds by blacklisting addresses.

Contract owner cannot set high fees

The fees, if applicable, can be a maximum of 25% or lower. The contract can therefore not be locked. Please take a look in the comment section for more details.

Contract cannot be locked

Owner cannot lock any user funds.

Token cannot be burned

There is no burning within the contract without any allowances

Ownership is renounced

The contract does not include owner functions that allow post-deployment modifications.

Contract is not upgradeable

The contract does not use proxy patterns or other mechanisms to allow future upgrades. Its behavior is locked in its current state.

Scope of Work

This audit encompasses the evaluation of the files listed below, each verified with a SHA-1 Hash. The team referenced above has provided the necessary files for assessment.

The auditing process consists of the following systematic steps:

  1. Specification Review: Analyze the provided specifications, source code, and instructions to fully understand the smart contract's size, scope, and functionality.
  2. Manual Code Examination: Conduct a thorough line-by-line review of the source code to identify potential vulnerabilities and areas for improvement.
  3. Specification Alignment: Ensure that the code accurately implements the provided specifications and intended functionalities.
  4. Test Coverage Assessment: Evaluate the extent and effectiveness of test cases in covering the codebase, identifying any gaps in testing.
  5. Symbolic Execution: Analyze the smart contract to determine how various inputs affect execution paths, identifying potential edge cases and vulnerabilities.
  6. Best Practices Evaluation: Assess the smart contracts against established industry and academic best practices to enhance efficiency, maintainability, and security.
  7. Actionable Recommendations: Provide detailed, specific, and actionable steps to secure and optimize the smart contracts.

A file with a different Hash has been intentionally or otherwise modified after the security review. A different Hash may indicate a changed condition or potential vulnerability that was not within the scope of this review.

Final Words

The following provides a concise summary of the audit report, accompanied by insightful comments from the auditor. This overview captures the key findings and observations, offering valuable context and clarity.

Mobile Application Analysis Statement

Application Analysis

The Veilon mobile client is a React Native (Expo) wallet that integrates with the Veilon privacy-pool smart contracts on Sepolia. It supports public ERC20 transfers, zero-knowledge shielded deposits and withdrawals, and private intra-pool transfers. Proof generation is delegated to a backend relayer; the device handles wallet custody, secret storage, transport encryption, public-input validation, and on-chain submission. The team has now remediated twenty-three of the issues raised across both audit cycles - eleven of them in this remediation round, including every Medium-class finding and the previously-High TLS pinning misconfiguration - and the codebase has matured significantly. There are no remaining Critical or High findings. The items that stay open have been formally acknowledged by the team with documented compensating controls and a remediation roadmap:

  • The relayer still receives cleartext shielding secrets server-side, so a compromise of the relayer operator de-anonymises every shielded operation. The team has acknowledged this as the dominant architectural trust assumption of the current design and accepted the residual risk on the basis of the layered compensating controls (ECDH+AES authenticated transport, application-layer relayer ECDH public-key pinning, TLS SPKI pinning, and client-side publicInputs validation) and a roadmap commitment to on-device proof generation as the long-term mitigation. The finding has been re-rated from Critical to Medium in this cycle to reflect that the realistic attack surface is now reduced to relayer-operator compromise rather than an exploitable implementation flaw; Medium is the lower bound of what the residual architectural risk supports.
  • Proof-level chain binding is implemented in the contract but disabled at deployment because the production circuits do not yet embed the chain identifier as a public input. The always-on deployment-chain modifier in PrivacyPoolV2 blocks cross-deployment replay unconditionally, and the team has acknowledged this contract-level mitigation as sufficient for launch; the circuit-regeneration work is tied to the same roadmap milestone as on-device proof generation so that the circuits are touched only once.
  • A set of Optimization and Informational items remain open and have been formally acknowledged by the team as deferred to post-production: absence of automated test coverage for the hardened cryptographic paths, absence of crash-reporting telemetry, an unused SDK wrapper layer retained as the attachment point for the future on-device proof path, a deprecated shield() delegating stub, a hardcoded developer-only relayer URL, a leafIndex placeholder that is not consumed by the current relayer-driven proof path, an AppState listener subscription that is never released, and an imported resetHandshake helper that is never invoked on wallet switch, delete, network switch, or disconnect.

Trust Model and Privileged Components

The mobile client's security boundary is shaped by a small set of privileged components, each with explicit responsibilities and constraints:

  • SecureStore holds per-wallet private keys and per-address commitment-encryption keys; access is gated by the operating-system keystore and the application-layer PIN.
  • The off-chain relayer holds cleartext shielding secrets for the duration of proof generation and is authenticated both by a pinned ECDH public key at the application layer and by SHA-256 SPKI pinning at the TLS layer in production builds.
  • The deployed PrivacyPoolV2 contract authorises operations through ZK-proof verification and an always-on deployment-chain modifier that blocks cross-chain replay; the client additionally validates the relayer's returned publicInputs against the circuit specification before submitting on-chain, so a malicious or buggy relayer cannot quietly swap field positions.
  • PIN and biometric authentication gate wallet operations and emergency withdrawal; emergency withdrawal cannot proceed without an explicit PIN.
  • The relayer is currently a single point of trust for transactional privacy and must be operated under that assumption until on-device proof generation is implemented; the team has formally acknowledged this constraint.
  • Transport-layer TLS public-key pinning is now correctly configured against react-native-ssl-pinning v1.6.0 (pkPinning: true, mandatory sha256/ prefix, multiple pins to survive certificate rotation), and production builds fail closed when no pins are configured.
  • Proof-level chain binding is implemented in the contract but disabled at deployment because the production circuits do not yet include the chain identifier as a public input; the contract-level deployment-chain modifier covers the launch-time threat model.
  • The PIN itself is hashed with a memory-hard KDF; legacy weak hashes are migrated transparently and force-wiped at the documented migration deadline.

Security Features

The two remediation cycles introduced or hardened a substantial set of positive controls:

  • PIN hashing uses scrypt (N=214, r=8, p=1) with constant-time comparison and persisted brute-force counters that survive application restarts.
  • All cryptographic randomness paths fail closed when the platform CSPRNG is unavailable; the previous Math.random fallbacks have been removed across the polyfill chain and the SDK utilities.
  • ECDH transport encryption between mobile and relayer is mandatory and the plaintext fallback has been removed; payloads are protected with authenticated AES-CBC + HMAC-SHA-256 over an explicit random IV (replacing the previous CryptoJS passphrase-mode construction), and the relayer's ECDH public key is pinned at the application layer in production builds.
  • TLS SPKI pinning is wired into the relayer transport with mandatory sha256/-prefixed pins, support for multiple pins to survive certificate rotation, and a fail-closed production path that refuses to ship without pins configured.
  • Commitment secrets, nullifiers, and randomness are AES-encrypted at rest with per-address keys held in SecureStore using the same authenticated wire format as the transport layer; legacy plaintext rows remain readable through a backward-compatibility flag, and a versioned ciphertext prefix lets the decoder distinguish new from legacy records.
  • The RPC endpoint and privacy-pool contract address are no longer hardcoded: the SDK resolves the RPC URL through an explicit argument, then a build-time environment variable, then a per-chain registry, and resolves the pool address from the active network rather than the literal “sepolia”.
  • A single shared toContractProof helper performs the snarkjs-to-Solidity mapping and validates the relayer-returned publicInputs against a per-circuit specification (length, positional fields, locally-known values) before any transaction is submitted, eliminating the previous duplicate inline mapping and catching field-swap attacks client-side.
  • Token decimals are now captured from ERC20.decimals() at commitment-save time and persisted on the commitment, so balance display and emergency-withdraw amounts are correct for any token (WBTC = 8, USDC = 6, ETH = 18, …) instead of relying on hardcoded symbol-based assumptions.
  • On-chain commitment sync now queries spentNullifiers with the Poseidon-derived nullifierHash rather than the random preimage, with BN254 field-modulus range validation, so recovery and reconciliation flows correctly mark spent commitments.
  • PIN removal forwards the PIN that was just verified by the UI to the underlying service instead of submitting a hardcoded literal, restoring the intended user flow.
  • The pinned-fetch wrapper no longer defaults missing response statuses to 200; malformed responses surface as errors instead of being silently treated as success.
  • The previously-committed third-party block-explorer API key has been removed from eas.json; rotation of the leaked key with the provider and scrubbing the literal from version-control history are operational follow-ups outside the code-review scope, but remain necessary because the literal otherwise stays recoverable from history.
  • Production logging is centralised behind a build-flag-gated logger, sensitive interpolations have been redacted, and emergency withdrawal cannot bypass PIN verification.

Auditor's Closing Remarks

The team's response across the two audit cycles has been substantive: twenty-three findings - including all four issues originally rated critical on the cryptographic and storage layers, the previously-open TLS pinning misconfiguration, and every Medium-class finding - have been properly closed. No Critical or High items remain open. The remaining ten open findings have been formally acknowledged by the team with documented compensating controls and a remediation roadmap: one Medium (the relayer trust assumption, re-rated from Critical in this cycle to reflect the layered compensating controls), one Low (proof-level chain binding, accepted on the basis of the contract-level deployment-chain modifier and tied to the same roadmap milestone as on-device proving), two Informational (a developer-only relayer URL and a leafIndex placeholder that is not consumed by the current proof path), and six Optimization items deferred to post-production. Notwithstanding the formal acknowledgments, the audit team flags two of the deferred Optimization items as warranting pre-release attention because both are single-digit-line-count fixes with disproportionate operational impact: wiring resetHandshake into the wallet-switch, delete, network-switch, and disconnect paths so a single transient ECDH handshake failure does not silently latch the relayer into a throwing state for the remainder of the session, and capturing the AppState subscription in securityStore.initialize with a teardown to prevent listener stacking. The absence of automated test coverage for the now-fail-closed cryptographic paths and the absence of crash-reporting telemetry are likewise no longer optional in spirit even where they remain optional in scope: without observability, regressions in those paths will be invisible to operators.

Note — This audit report consists of a security analysis of the Veilon mobile application source code at the revision provided for re-review. The analysis did not include dynamic penetration testing of compiled builds, in-device verification of the now-corrected TLS-pinning behaviour against a deliberately misconfigured pin in a release build, confirmation that the previously-committed API key has been rotated with the provider or scrubbed from version-control history, or formal review of the off-chain relayer service and underlying ZK circuits, which fall outside the scope of this engagement and were audited separately. We recommend the team complete the listed operational verification steps, action the two pre-release fixes flagged in the closing remarks (resetHandshake wiring and AppState teardown), integrate crash-reporting telemetry to surface any production regressions in the hardened cryptographic paths once feasible, and that users perform their own security review before transacting significant value through the application.

Files and details

Findings and Audit result

Critical
High
1
Medium
1
Low
6
Optimization
2
Informational
medium Issues | 6 findings

Acknowledged

#1 medium Issue
Relayer Holds Cleartext Secrets
services/veilon-sdk.ts + services/relayer-crypto.ts
Lveilon-sdk.ts:31-51
Lproof-generation call sites; relayer-crypto.ts:23-103
Description

The relayer receives the cleartext secret, nullifier, and randomness and generates the proof server-side. A compromised or coerced relayer can de-anonymise every shielded operation. ECDH transport encryption mitigates passive interception; active MITM is mitigated by TLS SPKI pinning and application-layer relayer public-key pinning.

Comments

Severity was lowered from Critical to High in this re-audit cycle, then again from High to Medium at the team's request. The first downgrade is warranted because the exploitable network-level vectors - passive interception, active MITM, and field-swap by the relayer - are now properly mitigated: ECDH+AES authenticated transport (FE-NEW-02, FE-NEW-07), application-layer relayer ECDH public-key pinning (FE-NEW-01), correctly-configured TLS SPKI pinning (FE-MED-04), and client-side publicInputs validation (FE-MED-06). What remains is the relayer operator's visibility into cleartext secrets during proof generation, and that's an architectural trust assumption rather than an exploitable flaw. The second downgrade to Medium reflects that the realistic attack surface has been narrowed to relayer-operator compromise only - everything else is covered by the controls above. Team position: server-side proof generation is required by current business logic and client-side proving in React Native is not viable on the target devices at this revision; client-side proof generation remains on the roadmap as the long-term fix. The operational recommendation still stands - treat the relayer as a trust-critical component and run multiple operators where feasible. One caveat worth recording for any future re-audit: Medium is the lower bound of what the residual architectural risk supports. The blast radius on a relayer compromise is still total de-anonymisation of every active user, so further downgrade below Medium would not be defensible without either client-side proof generation or some form of relayer decentralisation. Residual risk formally accepted (2026-05-26) by the dev team for this release per ROADMAP-FE-CRIT-04.md; team will request a targeted re-audit covering relayer trust model, chainid binding, and trusted-setup ceremony transcript when the FE-CRIT-04 milestone ships.

Alleviation

Mandatory ECDH+AES authenticated transport encryption between client and relayer. Application-layer relayer ECDH public-key pinning is enforced in production builds. TLS SPKI pinning is correctly configured in production builds (pkPinning: true, sha256/-prefixed, multi-pin). Relayer-returned publicInputs are validated against the circuit specification client-side before submission.

Resolved

#2 medium Issue
TLS Certificate Pinning Misconfigured
services/pinned-fetch.ts + services/relayer-crypto.ts + constants/relayer.ts
Lpinned-fetch.ts:74-80
L82-87; relayer-crypto.ts:46-67; relayer.ts:32-44
Description

The TLS pinning wrapper passes hashes via sslPinning.certs without setting pkPinning: true and without the sha256/ prefix. Under react-native-ssl-pinning v1.6.0 this configuration is interpreted as certificate-file pinning, not public-key pinning, so the library searches the bundle for files named after the hash values. No such files are bundled. In production this either errors out at runtime or, depending on platform fall-through, allows requests through with no pinning enforced.

Comments

Re-audit: Fix verified. pinned-fetch.ts:112 sets pkPinning: true; pins are normalized with mandatory "sha256/" prefix at line 55-57; multiple pins supported via comma-separated EXPO_PUBLIC_RELAYER_CERT_SHA256_PINS; production path fails closed if no pins are configured (lines 99-103). Severity high -> medium in this cycle: the original 'high' reflected an unmitigated TLS pinning misconfiguration in a production-critical path; the fix is verified in this re-audit, so the archival severity is adjusted to align with the other now-resolved pinning-stack items.

Alleviation

Application-layer ECDH public-key pinning is enforced in production via PINNED_PUBLIC_KEY_HASH (relayer-crypto.ts) when the build-time environment variable is set. Transport-layer pinning is wired in but currently inert.

Resolved

#3 medium Issue
Hardcoded RPC Endpoint
services/veilon-sdk.ts
L62
Description

When no RPC URL is supplied, the SDK falls back to a hardcoded public Sepolia endpoint. The provider can correlate every balance and getLogs query with the wallet address.

Comments

Re-audit: Fix verified. veilon-sdk.ts:initialize (lines 256-298) resolves the RPC URL with priority: explicit rpcUrl arg > EXPO_PUBLIC_RPC_URL env > CHAINS[chainId].rpcUrls[0]. Fails closed when none resolves rather than silently falling back to a public Sepolia endpoint.

Resolved

#4 medium Issue
Privacy Pool Address Hardcoded to Sepolia
services/veilon-sdk.ts
L410
L526
L594
L799
L1036
L1214
Description

All privacy-pool entry points pass the literal "sepolia" to getContractAddress regardless of the active network. On any non-Sepolia chain the operation either reverts or interacts with whatever contract happens to live at that address.

Comments

Re-audit: Fix verified. A private currentNetwork field is set from chainId via networkNameForChainId() in initialize() and switchNetwork(); all call sites (lines 608, 724, 792, 997, 1224, 1424) now pass this.currentNetwork to getContractAddress(). Unsupported chains throw fail-closed.

Resolved

#5 medium Issue
API Key Committed in eas.json
eas.json
L11
L20
L26
Description

A third-party block-explorer API key is committed in eas.json for all three build profiles. Because the variable is prefixed EXPO_PUBLIC_ it is also embedded in the shipped APK. The literal value remains recoverable from git history even after rotation in HEAD.

Comments

Re-audit: In-source fix verified — the env block with the API key has been removed from eas.json entirely; no EXPO_PUBLIC_ literals remain in any build profile. CAVEAT: cannot verify from the current snapshot whether the leaked key was rotated with the provider or whether the literal was scrubbed from git history; both remain operational tasks. If the key was not rotated, it is still recoverable from history and effectively still leaked.

Resolved

#6 medium Issue
Public Inputs Not Validated Before Submission
services/veilon-sdk.ts
L853-861
L1061-1066
Description

publicInputs returned by the relayer are forwarded to the contract without checking length, position, or content. A malicious or buggy relayer could swap field positions; the client would submit the proof without noticing.

Comments

Re-audit: Fix verified. toContractProof() (lines 85-172) validates publicSignals length against CIRCUIT_PUBLIC_INPUTS spec (9 for unshield, 10 for transfer) and checks that nullifierHash, inputCommitment, outputAmount, changeAmount, changeCommitment, outputCommitment, and recipient appear at the positions the circuit defines. Throws fail-closed on mismatch before gas is burned. Used at both submitUnshieldTransaction (line 1040) and submitPrivateTransfer (line 1255).

low Issues | 7 findings

Acknowledged

#1 low Issue
Cross-Chain Replay — Proof-Level Binding Disabled
services/veilon-sdk.ts + smartcontract-main/contracts/PrivacyPoolV2.sol + smartcontract-main/scripts/deploy-sepolia.js
LPrivacyPoolV2.sol:131-134
L389-391; deploy-sepolia.js:74-76
Description

PrivacyPoolV2 contains both an always-on onlyDeploymentChain modifier and an optional proof-level chain binding gated by chainIdEnforced. The modifier blocks cross-deployment replay unconditionally. The proof-level binding is disabled at deployment because the current ZK circuits do not include block.chainid as a public input. Residual risk is limited to circuit-confusion attacks across verifier-sharing contracts on the same chain.

Comments

Acknowledged by team (post-re-audit): the always-on onlyDeploymentChain modifier in PrivacyPoolV2 is accepted as sufficient mitigation for launch. It blocks cross-deployment replay unconditionally; the residual risk is limited to circuit-confusion attacks across verifier-sharing contracts on the same chain. Full fix (regenerate circuits with block.chainid as a public input, redeploy verifier+pool, call setChainIdEnforced(true)) is tied to the same roadmap milestone as client-side proof generation (FE-CRIT-04). Recommended to bundle the two so the circuits are touched only once. Re-audit consolidation (2026-05-26): this finding is the mobile-scope reflection of cross-chain replay; in the customer-facing consolidated report it is merged into the single canonical entry at smartcontract MED-02. Residual risk acceptance and fix plan are recorded in ROADMAP-FE-CRIT-04.md.

Alleviation

onlyDeploymentChain modifier is applied to all five privacy-pool entry points, blocking replay across deployments of this contract.

Resolved

#2 low Issue
On-Chain Nullifier Sync Uses Preimage Instead of Hash
utils/commitment-store-rn.ts + services/veilon-sdk.ts
Lcommitment-store-rn.ts:280-325; veilon-sdk.ts:295-297
L1167
Description

syncCommitmentsWithBlockchain queries spentNullifiers using the random nullifier preimage stored locally in c.nullifier. The contract is keyed by the Poseidon-derived nullifier hash returned by the relayer as nullifierHash. Lookups always return false, so commitments are never marked spent through sync. Local marking of spent commitments still works, so the impact is limited to recovery and reconciliation flows.

Comments

Re-audit: Fix verified. StoredCommitment.nullifierHash field added (commitment-store-rn.ts:21-25); veilon-sdk.ts:saveCommitment takes nullifierHash as a parameter and forwards it to the store (line 1339, 1379). syncCommitmentsWithBlockchain (lines 322-357) queries spentNullifiers using c.nullifierHash with field-modulus range validation, and skips legacy entries that lack it.

Resolved

#3 low Issue
Duplicated snarkjs-to-Contract Proof Conversion
services/veilon-sdk.ts
L841-861
L1061-1066
Description

The snarkjs proof shape is mapped to the Solidity proof struct by two separate, slightly different inlined blocks (one in submitUnshieldTransaction, one in submitPrivateTransfer). Easy to drift; one path slices pi_a and pi_c, the other indexes directly.

Comments

Re-audit: Code fix verified. Single shared toContractProof helper (lines 85-172) is the sole snarkjs->Solidity mapping site; submitUnshieldTransaction (line 1040) and submitPrivateTransfer (line 1255) both delegate to it. Explicit pi_a/pi_b/pi_c shape checks are in place. NOTE: the second half of the auditor's recommendation ("Cover with unit tests") is not addressed — see FE-INFO-01.

Resolved

#4 low Issue
Hardcoded Token Decimals
utils/commitment-store-rn.ts + app/emergency-withdraw.tsx
Lcommitment-store-rn.ts:200-202; emergency-withdraw.tsx:106
Description

Two call sites assume six decimals for USDC and USDT and eighteen for everything else. Tokens with other decimals (for example WBTC at eight) display incorrect balances.

Comments

Re-audit: Fix verified. StoredCommitment.decimals field is captured from ERC20.decimals() at save time in veilon-sdk.ts:saveCommitment (lines 1362-1370) and persisted alongside the commitment. Both call sites now read commitment.decimals first and only use the symbol-based 6/18 lookup as a legacy fallback (commitment-store-rn.ts:214-216; emergency-withdraw.tsx:110-111).

Resolved

#5 low Issue
PIN Removal Always Fails Unless PIN Equals 000000
components/PinSecuritySettings.tsx + services/pin-security.ts
LPinSecuritySettings.tsx:54-63; pin-security.ts:189-198
Description

PinSecuritySettings calls removePin with the literal string "000000" after a UI-side verification step. removePin re-runs verifyPin internally and throws unless the actual PIN happens to be 000000.

Comments

Re-audit: Fix verified. PinSecuritySettings.handleVerificationSuccess now receives the verified PIN string from PinVerification.onSuccess (line 47-55) and forwards it to PinSecurityService.removePin(verifiedPin) via removePin(verifiedPin) (line 57-65). The hardcoded "000000" literal is gone.

Resolved

#6 low Issue
CryptoJS AES Used in Passphrase Mode
services/relayer-crypto.ts + utils/commitment-crypto.ts
Lrelayer-crypto.ts:108-120; commitment-crypto.ts:37-46
Description

Encryption helpers pass the key to CryptoJS.AES as a string, which routes through the EvpKDF passphrase code path with CBC and no AEAD. Both call sites already feed in a high-entropy key, so the practical impact is bounded; the construction nonetheless lacks integrity protection and follows a deprecated pattern.

Comments

Re-audit: Fix verified. New utils/secure-aes.ts implements aesEncryptAuthenticated / aesDecryptAuthenticated with: hex-parsed AES-256 key (no EvpKDF passphrase path), explicit random 128-bit IV, AES-CBC + Pkcs7, and HMAC-SHA-256 over (iv||ct) with a separate HMAC key derived from SHA-256(aesKey), and constant-time-ish verification. relayer-crypto.ts (lines 119-132) and commitment-crypto.ts (lines 47-68) both route through this helper for new writes; decryptField auto-detects "v1." blobs and only falls back to the legacy passphrase path for backward compatibility.

Resolved

#7 low Issue
Pinned Fetch Defaults Status to 200
services/pinned-fetch.ts
L82-87
Description

pinnedRequest returns a status of 200 when the underlying library response has no status field. A malformed or unexpected response is reported as success to callers.

Comments

Re-audit: Fix verified. pinned-fetch.ts (lines 129-134) now throws when (resp as any).status is undefined or null, refusing to assume success. Callers no longer get a fake 200 on malformed library responses.

optimization Issues | 6 findings

Acknowledged

#1 optimization Issue
No Test Coverage
N/A
LN/A
Description

No test files exist in the repository. Jest is configured but unused. The recent transport, PIN, and scrypt changes ship without automated regression coverage.

Comments

Acknowledged by team (post-re-audit): deferred to post-production. Auditor note: now that several security-critical paths fail closed by design (scrypt, ECDH handshake, SPKI pinning, secure-aes, toContractProof), the absence of automated regression coverage means a future refactor could break them silently. Priority targets when picked up: pin-security, relayer-crypto, commitment-crypto, pinned-fetch, secure-aes, and the toContractProof helper.

Acknowledged

#2 optimization Issue
Deprecated Method Still Exported
services/veilon-sdk.ts
L544-560
Description

shield() remains exported and delegates to shieldETH despite being marked deprecated. No internal callers remain.

Comments

Acknowledged by team (post-re-audit): deferred to post-production. No external consumer outside the app uses the public SDK surface in this revision, so the dead delegation has no immediate impact. Recommend removing or converting to a throwing stub in a follow-up cleanup pass.

Acknowledged

#3 optimization Issue
Unused SDK Wrapper Layer
utils/sdk/
LN/A
Description

utils/sdk/ provides a wrapper class whose proof-generation methods all throw. veilon-sdk.ts uses ethers and the relayer directly, so the wrapper adds maintenance surface without benefit.

Comments

Acknowledged by team (post-re-audit): deferred to post-production. The wrapper is the planned attachment point for the future on-device proof-generation work (FE-CRIT-04 roadmap), so the team prefers to keep it in place until that decision is made rather than delete-and-rebuild. Until then it remains dead maintenance surface.

Acknowledged

#4 optimization Issue
No Crash Reporting or Telemetry
N/A
LN/A
Description

There is no Sentry, Crashlytics, or equivalent integration. Production failures in scrypt, ECDH, and SSL pinning are invisible to operators.

Comments

Acknowledged by team (post-re-audit): deferred to post-production. Auditor note: without observability, regressions in the fail-closed paths (scrypt, ECDH handshake, SPKI pinning, secure-aes) will surface as silent UX failures rather than reported errors. Strongly recommend prioritising this for the first post-launch milestone so operators can see the production failure modes the hardening introduced.

Acknowledged

#5 optimization Issue
AppState Listener Subscription Leak
stores/securityStore.ts
L140-145
Description

AppState.addEventListener in securityStore.initialize does not capture or remove the returned subscription. Repeated initialize calls (for example across hot reloads) stack listeners.

Comments

Acknowledged by team (post-re-audit): deferred to post-production. Production impact is bounded (initialize() is normally called once on cold start), but in dev/hot-reload scenarios listeners stack and re-fire lock() per listener, which has historically masked real issues. Low-effort fix; recommend handling pre-release if the team is touching securityStore for any other reason.

Acknowledged

#6 optimization Issue
resetHandshake Never Invoked
stores/walletStore.ts + services/veilon-sdk.ts
LwalletStore.ts:73-103
L430-469; veilon-sdk.ts:14
L1236-1241
Description

resetHandshake is imported in veilon-sdk but never called from setActiveWallet, deleteWallet, switchNetwork, or disconnect. After a handshake failure for the active wallet, getSharedKey throws on every subsequent call until app restart.

Comments

Acknowledged by team (post-re-audit): deferred to post-production. AUDITOR FLAG — this is classified as Optimization but has a real functional/UX impact: a single transient ECDH handshake failure (timeout, dropped Wi-Fi, etc.) latches getSharedKey() into a throwing state for the active wallet's address until the app is fully restarted, because handshakeAttemptedFor is never cleared. Switching wallets, switching networks, or signing out does not recover. Strongly recommend wiring resetHandshake() into setActiveWallet, deleteWallet, switchNetwork, and disconnect BEFORE production release — the fix is single-digit-line-count, the import already exists, and shipping without it materially increases support load.

informational Issues | 14 findings

Resolved

#1 informational Issue
PIN Brute-Force Protection
stores/securityStore.ts
L13-16,179-265
Description

PIN verification enforces a five-attempt lockout with a 30-second base duration and exponential backoff. Per-attempt delays escalate. Lockout state is persisted to SecureStore and survives application restarts.

Comments

Verified across securityStore.ts and pin-security.ts.

Alleviation

verifyPin enforces MAX_PIN_ATTEMPTS=5 with escalating delays and exponential lockout. Counters and lockout deadline are persisted to SecureStore.

Resolved

#2 informational Issue
Cryptographic Randomness Hardening
services/veilon-sdk.ts
L295-297
L430-432
L686-688
L932-939
Description

All Math.random fallbacks in cryptographic paths have been removed. Random generation now fails closed if the platform CSPRNG is unavailable.

Comments

ethers.randomBytes is reliably backed by react-native-get-random-values.

Alleviation

crypto-shim.js, global-setup.js, and proof-generator.ts throw rather than fall back to Math.random when the CSPRNG is missing.

Resolved

#3 informational Issue
Single Private-Key Storage Path
stores/walletStore.ts + services/veilon-sdk.ts
LwalletStore.ts:81,194,235,302,392,440; veilon-sdk.ts:93-107
Description

Private keys are stored exclusively per-address as wallet_pk_{address}. The legacy global key has been removed and initializeFromStorage now requires an address.

Alleviation

walletStore reads, writes, and deletes consistently use wallet_pk_{address}; veilon-sdk.ts:initializeFromStorage rejects calls without an address.

Resolved

#4 informational Issue
Contract Address Resolution
services/veilon-sdk.ts
L1214
Description

syncCommitments resolves the PrivacyPool address via getContractAddress(). No literal hex address remains.

Alleviation

Address is sourced from constants/contracts.ts.

Resolved

#5 informational Issue
Per-Wallet ECDH Cache
services/relayer-crypto.ts
L16-17
L23-24
L75-76
L90-103
L125-128
Description

The ECDH shared-key cache and handshake-attempt tracker are keyed by wallet address. Switching wallets triggers a fresh handshake.

Comments

resetHandshake is not invoked on wallet switch or disconnect; tracked separately as FE-RE-03.

Alleviation

sharedKeyCache is a Map<address, key>; handshakeAttemptedFor is a Set<address>; resetHandshake clears both.

Resolved

#6 informational Issue
Plaintext Fallback Removed
services/veilon-sdk.ts + services/relayer-crypto.ts
Lveilon-sdk.ts:31-51; relayer-crypto.ts:79-103
Description

encryptedPost unconditionally encrypts request bodies. Handshake failures throw instead of falling back to cleartext.

Alleviation

getSharedKey throws on handshake failure. No plaintext code path remains.

Resolved

#7 informational Issue
No Math.random in Cryptographic Paths
utils/crypto-shim.js + global-setup.js + utils/sdk/utils/proof-generator.ts
Lcrypto-shim.js:17-22; global-setup.js:214-217,235-237; proof-generator.ts:557-568
Description

getRandomValues, randomFillSync, and generateSecret throw if the platform CSPRNG is unavailable. No silent downgrade to Math.random remains.

Alleviation

See FE-MED-02.

Resolved

#8 informational Issue
PIN Modal Length Alignment
components/PinVerificationModal.tsx
L17-18
L48-58
L109
L142-146
Description

The PIN verification modal supports four to six digit PINs. Auto-submit only triggers at the maximum length; an explicit Submit button is shown for shorter PINs.

Alleviation

MIN_PIN_LENGTH=4 and MAX_PIN_LENGTH=6 align the modal with PinSecurityService validation.

Resolved

#9 informational Issue
Emergency Withdraw Requires PIN
app/emergency-withdraw.tsx
L50-65
L67-70
Description

Emergency withdraw requires PIN verification. If no PIN is set, the flow is blocked with a user-facing prompt to set one up.

Alleviation

handleEmergencyWithdraw branches on isPinSet; executeEmergencyWithdraw is only invoked after successful verification.

Resolved

#10 informational Issue
PIN Hashing — scrypt
stores/securityStore.ts + services/pin-security.ts
Lpin-security.ts:24-131; securityStore.ts:43-50,106-110,231-251
Description

PIN hashing uses scrypt with parameters N=2^14, r=8, p=1 and a per-PIN random salt. Legacy iterated SHA-256 hashes migrate transparently on the next successful verify and are force-wiped after the migration deadline.

Comments

Migration deadline LEGACY_MIGRATION_DEADLINE = 2026-05-01.

Alleviation

scrypt-js (N=2^14, r=8, p=1). Algorithm parameters are stored alongside the hash so future migrations are versioned. Constant-time comparison is used for hash equality.

Resolved

#11 informational Issue
Centralised Logger
utils/logger.ts + services/veilon-sdk.ts + stores/* + utils/commitment-store-rn.ts + app/*.tsx
Lutils/logger.ts:14-34; call sites across services
Lstores
Lutils
Lapp
Description

A central logger gates debug, info, and warn output behind __DEV__. All call sites have been migrated, and sensitive interpolations have been replaced with non-revealing messages.

Alleviation

utils/logger.ts is the single entry point for non-error logging. logger.error remains enabled in production for crash diagnostics; spot-checks confirm no secret values reach it.

Resolved

#12 informational Issue
Encrypted Commitment Storage
utils/commitment-store-rn.ts + utils/commitment-crypto.ts
Lcommitment-store-rn.ts:55-77,216-230; commitment-crypto.ts:16-89
Description

Commitment secret, nullifier, and randomness fields are AES-encrypted with a per-address 32-byte key from SecureStore before being written to AsyncStorage. Legacy plaintext rows are read through a backward-compatibility flag.

Comments

CryptoJS passphrase-mode weakness in the underlying primitive is tracked as FE-NEW-07.

Alleviation

Per-address AES key in SecureStore. _encrypted flag identifies new-format rows.

Acknowledged

#13 informational Issue
Hardcoded Development Relayer URL
constants/relayer.ts
L17-18
Description

The development relayer URL is a fixed LAN IP. The build only works on one developer machine.

Comments

Acknowledged by team (post-re-audit): deferred to post-production. Informational; dev-only impact (production URL is unaffected). Recommend moving the dev URL to a build-time environment variable in a follow-up cycle.

Acknowledged

#14 informational Issue
leafIndex Hardcoded to Zero
services/veilon-sdk.ts
L1147
Description

Saved commitments use leafIndex = 0 with a TODO to parse the value from the Shield event log. Any future client-side proof generation that needs a Merkle path will be incorrect until this is implemented.

Comments

Acknowledged by team (post-re-audit): deferred to post-production. The leafIndex is not consumed by any current proof-generation path (relayer generates proofs server-side and does not require the local Merkle path), so the placeholder has no runtime impact today. Must be implemented in lockstep with the future client-side proof-generation work (FE-CRIT-04 roadmap), otherwise on-device proofs will be incorrect.