Soqucoin Blockchain Node - Soqucoin

1. Introduction

Halborn was engaged to conduct a security assessment of the Soqucoin blockchain node, focusing on the post-quantum cryptographic subsystems, wallet encryption module, and block validation logic.

The audit scope encompassed the following components:

• src/crypto/dilithium/ — ML-DSA-44 (Dilithium2) reference implementation (key generation, signing)

• src/crypto/pat/ — Post-Quantum Aggregate Transactions (logarithmic proof construction, BLAKE2b)

• src/wallet/pqwallet/ — Post-quantum wallet module (key management, HD derivation, wallet encryption, address encoding, RPC commands)

• src/wallet/ — Core wallet files (auxpow, hash, pow, pubkey, validation)

2. Assessment Summary

The security assessment was conducted over a 22-day engagement by a multidisciplinary security engineer. The evaluation targeted memory safety, cryptographic correctness, key and wallet lifecycle management, consensus-critical logic, and operational robustness across the in-scope components.

The audit identified 30 findings — 3 Critical, 1 High, 3 Medium, and 3 Low, with 20 informational — spanning cryptographic design, wallet encryption, key derivation, memory hygiene, integer safety, and consensus validation.

Recommended remediation is organized into three priority tiers:

1. Immediate (Critical/High): Eliminate silent failure modes in the KDF and key derivation subsystems, implement functional HD seed-based key generation, persist KDF algorithm identifiers in the wallet file format, and correct the mainnet SegWit deployment configuration to enable witness-based Dilithium transactions.

2. Short-term (Medium): Harden memory handling by adopting SecureBytes and memory_cleanse consistently for all buffers containing key material, passphrases, and cryptographic intermediates. Add bounds checking at all size_t-to-int conversion boundaries, enforce block-level verification cost limits for post-quantum proof types, and extend HMAC coverage to include all encryption parameters.

3. Longer-term (Low/Structural): Validate RPC input ranges, implement atomic file write operations for wallet persistence, and remove unreachable code paths from the RPC execution layer.

3. Test Approach and Methodology

The assessment followed a layered methodology combining manual expert analysis with automated tooling to maximize coverage across the in-scope components.

Phase 1 — Specification Review and Threat Modeling. The engagement began with a review of project documentation, protocol specifications, and design logs to establish intended behaviors, trust boundaries, and the threat model. Key documents included the wallet cryptographic specification, PAT architecture, consensus cost specification, and the HD key derivation design log.

Phase 2 — Manual Code Review. Security engineers performed line-by-line review of consensus-critical and cryptographic code paths, including the Dilithium signing implementation, wallet encryption and key derivation routines, HD seed derivation, PAT proof construction, and block validation logic. This phase targeted logic errors, cryptographic design flaws, key lifecycle management issues, and silent failure modes that automated tools typically cannot detect.

Phase 3 — Automated Analysis. Static analysis and automated scanning were applied to broaden surface coverage and detect common defect classes including integer overflows, type truncation, buffer boundary violations, and API misuse patterns.

Phase 4 — Targeted Validation. Where feasible, findings were validated through targeted dynamic checks and runtime simulation to confirm exploitability and assess practical impact. This included tracing execution paths for KDF fallback behavior, verifying BIP9 state machine transitions for deployment configurations, and confirming memory residue behavior for sensitive data buffers.

The effort was weighted toward manual review for high-risk code paths — particularly wallet encryption, key derivation, and consensus validation — while automated techniques provided breadth across lower-risk surface area. All findings include reproducible descriptions and actionable remediation guidance.