VerifiedX-Core - VerifiedX

1. Introduction

VerifiedX engaged Halborn to conduct a security assessment on their vBTC V2 system from January 19th, 2026 to February 20th, 2026. The security assessment scope was limited to the system components provided to Halborn. Commit hashes and further details can be found in the Scope section of this report.

VerifiedX vBTC V2 is a tokenized Bitcoin system built on the VerifiedX (VFX) blockchain. It uses FROST threshold Schnorr signatures (via a Rust FFI library) to coordinate distributed key generation (DKG) for Taproot (P2TR) deposit addresses and to collectively sign Bitcoin withdrawals. The system integrates on-chain consensus/state transitions (VFX transactions and state tree updates) with Bitcoin coordination (validator discovery, MPC ceremony orchestration, ElectrumX-based Bitcoin network interactions).

2. Assessment Summary

Halborn was allocated 25 days for this engagement and assigned one full-time security engineer to conduct a comprehensive review of the system components within scope. The engineer(s) have expertise in blockchain protocol security, Bitcoin coordination security, and cryptographic integration, with advanced skills in penetration testing and exploitation of node-side APIs and MPC systems.

The objectives of this assessment were to:

• Identify potential security vulnerabilities within the system.

• Verify that the system functionality operates as intended.

In summary, Halborn identified several areas for improvement to reduce the likelihood and impact of risks, which were fully addressed by the VerifiedX team. The main recommendations were:

• Implement and enforce end-to-end MPC correctness: ensure DKG yields valid Bech32m P2TR addresses derived from the group key, and ensure signing produces verifiable Schnorr witnesses over correct BIP341 sighashes (per-input as required), failing closed on any mismatch.

• Ensure consensus/state coverage matches the protocol for all vBTC V2 transaction types, binding state transitions to consensus-validated transaction properties and preventing “no-op” or divergent behavior.

• Harden validator/MPC networking surfaces (validator discovery, FROST endpoints, ElectrumX I/O) with strict input validation, bounded resource usage, timeouts, and clear operational runbooks to prevent liveness failures and abuse.