Prepared by:
HALBORN
Last Updated 11/18/2025
Date of Engagement: September 5th, 2025 - October 30th, 2025
100% of all REPORTED Findings have been addressed
All findings
4
Critical
0
High
1
Medium
0
Low
0
Informational
3
VeChain Foundation engaged Halborn to conduct a security assessment of the VeChainThor Go codebase beginning on September 5, 2025 and ending on October 31, 2025. The security assessment was scoped to consensus, staking, networking, API, and runtime components in the GitHub repository provided to the Halborn team.
A senior Halborn security engineer performed a full manual review of the Go codebase with targeted automation. The objectives were to:
Ensure protocol components operate as intended under adversarial conditions.
Identify logic, state-transition, and concurrency risks.
Recommend robust, low-risk remediations aligned with production constraints.
Key risk themes included:
Unsigned arithmetic underflows in staking and epoch housekeeping could block expected activations or corrupt state.
Scheduler policy allows offline proposers to be included and auto-reactivated, weakening uptime enforcement.
Panic usage in consensus flow reduces fault tolerance and can crash nodes under rare invariants.
Input validation gaps (e.g., zero weights) reduce robustness and future maintainability.
Harden arithmetic in staking/housekeeping: Guard decrements and bounds checks to prevent unsigned underflow when the leader set is empty and an exit is scheduled; validate subtraction does not underflow queued stake.
Enforce proposer liveness policy: Exclude offline validators from scheduling and remove auto-activation side-effects; ensure updates cannot clear OfflineBlock implicitly.
Replace panics in consensus-critical paths: Return typed errors instead of panics in scheduling/consensus to prevent node crashes and enable graceful rejection/recovery.
Validate scheduler inputs: Require weight > 0 before computing scores to avoid undefined behavior and simplify invariants.
Strengthen state-transition prechecks: Centralize and reuse validation guards for staking transitions to ensure consistent behavior across services and edge epochs.
Architecture and threat modeling: Reviewed consensus, staking, scheduling, activation/exit flows, and state persistence boundaries.
Manual code review: Deep review of consensus, scheduler, staking services, epoch housekeeping, and API boundaries for logic and state-transition flaws.
Static analysis and linters: Ran Go-focused checks (e.g., go vet, staticcheck, golangci-lint) to flag common correctness and robustness issues.
Targeted dynamic validation: Reproduced edge scenarios described in findings; leveraged existing fuzz and property tests around blocks and state transitions where present; recommended additional unit/property tests for activation/exit edge cases.
Defense-in-depth recommendations: Proposed invariant checks, error handling upgrades, and precondition guards to improve resilience and maintainability.
| EXPLOITABILITY METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Attack Origin (AO) | Arbitrary (AO:A) Specific (AO:S) | 1 0.2 |
| Attack Cost (AC) | Low (AC:L) Medium (AC:M) High (AC:H) | 1 0.67 0.33 |
| Attack Complexity (AX) | Low (AX:L) Medium (AX:M) High (AX:H) | 1 0.67 0.33 |
| IMPACT METRIC () | METRIC VALUE | NUMERICAL VALUE |
|---|---|---|
| Confidentiality (C) | None (C:N) Low (C:L) Medium (C:M) High (C:H) Critical (C:C) | 0 0.25 0.5 0.75 1 |
| Integrity (I) | None (I:N) Low (I:L) Medium (I:M) High (I:H) Critical (I:C) | 0 0.25 0.5 0.75 1 |
| Availability (A) | None (A:N) Low (A:L) Medium (A:M) High (A:H) Critical (A:C) | 0 0.25 0.5 0.75 1 |
| Deposit (D) | None (D:N) Low (D:L) Medium (D:M) High (D:H) Critical (D:C) | 0 0.25 0.5 0.75 1 |
| Yield (Y) | None (Y:N) Low (Y:L) Medium (Y:M) High (Y:H) Critical (Y:C) | 0 0.25 0.5 0.75 1 |
| SEVERITY COEFFICIENT () | COEFFICIENT VALUE | NUMERICAL VALUE |
|---|---|---|
| Reversibility () | None (R:N) Partial (R:P) Full (R:F) | 1 0.5 0.25 |
| Scope () | Changed (S:C) Unchanged (S:U) | 1.25 1 |
| Severity | Score Value Range |
|---|---|
| Critical | 9 - 10 |
| High | 7 - 8.9 |
| Medium | 4.5 - 6.9 |
| Low | 2 - 4.4 |
| Informational | 0 - 1.9 |
Critical
0
High
1
Medium
0
Low
0
Informational
3
| Security analysis | Risk level | Remediation Date |
|---|---|---|
| Queued underflow enables contract drain | High | Solved - 09/17/2025 |
| Epoch Housekeeping Underflow | Informational | Acknowledged |
| Uncaught panic in Schedule leads to hard process crash | Informational | Acknowledged |
| Zero-weight proposer accepted in scheduler score computation | Informational | Acknowledged |
//High
//Informational
//Informational
//Informational
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
// Download the full report
Thor
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed
