Credit Accounts - THORChain / Rujira

1. Introduction

THORChain engaged Halborn to conduct a security assessment of the Ghost Credit contracts, beginning on October 29th, 2025 and ending on November 4th, 2025. This security assessment was scoped to the CosmWasm smart contracts in the Rujira Ghost repository. Commit hashes and further details can be found in the Sources section of this report.

Ghost Credit is a decentralized credit module designed for the Rujira ecosystem. It enables users to create self-custodied credit accounts that interact with mapped Ghost Vault markets to borrow and repay assets against on-chain collateral. The system enforces per-account Loan-to-Value (LTV) ratios, supports permissionless liquidations with bounded over-liquidation windows, and integrates liquidation preferences to determine the order of collateral consumption. The contracts are implemented in Rust using CosmWasm and operate over THOR chain.

2. Assessment Summary

The team at Halborn assigned a full-time security engineer to verify the security of the smart contracts. The security engineer is a blockchain and smart-contract security expert with advanced penetration testing, smart-contract hacking, and deep knowledge of multiple blockchain protocols.

The purpose of this assessment is to:

• Ensure that smart-contract functions operate as intended

• Identify potential security and logic issues within the contract implementation

In summary, Halborn identified several improvements to reduce the likelihood and impact of operational and financial risks, which were partially addressed by the Rujira team. The main ones were the following:

• Refactor liquidation validation to separate collateral and debt sets, ignore debt-denom increases, and compute slippage in USD value with oracle pricing.

• Treat “Account Safe” (LTV below adjustment threshold) as a successful liquidation outcome or remove the unnecessary unsafe check from the liquidation path.

• Validate liquidation preferences on save to reject cycles, self-references, and invalid or non-whitelisted denoms, and ensure acyclic dependency enforcement.

• Add strict configuration validation enforcing coherent thresholds, fee sums below 1, valid liquidation windows, and consistent parameter ranges on every update.

• Enforce cross-validation in SetVault and SetCollateral ensuring ratios are in [0,1], borrow denoms are whitelisted, and mappings remain consistent under governance updates.

• Guard LTV calculations against division-by-zero and rounding errors by returning safe sentinel values and performing conservative comparisons in post-checks.

3. Test Approach and Methodology

Halborn performed a combination of manual and automated security testing to ensure coverage and precision throughout this assessment. Manual review focused on business logic, inter-contract interactions, and edge-case validation, while automated tooling was used to detect known vulnerability classes and dependency risks. The following phases and techniques were used during the audit:

• Research into the architecture, purpose, and integration with Ghost Vault contracts.

• Manual line-by-line code review and walkthrough of all CosmWasm modules in scope.

• Manual assessment of critical functions to detect arithmetic and logical vulnerabilities.

• Evaluation of post-check atomicity and liquidation invariants.

• Verification of authorization boundaries and sudo/admin safety.

• Review of cross-contract calls to external vaults and potential DoS vectors.

• Automated static analysis using cargo audit and other Rust-specific scanning tools.

• Review and verification of integration and multi-test scenarios for borrow/repay/liquidation flows.