Audit Reports

Security

Full transparency on every security analysis performed on the Bouclier protocol. All findings, fixes, and accepted risks are documented here.

Overall Status
SECURITY ASSESSMENT
INTERNAL AUDIT COMPLETE — RISK: LOW

All five core contracts have undergone static analysis (Slither v0.11.5), symbolic execution (Mythril v0.24.8), invariant fuzzing (Foundry, 128K+ calls), and manual security review. All identified issues have been resolved or formally accepted with documented rationale. Certora formal verification specs are written and pending cloud execution. Third-party audit is planned pre-mainnet.

Test Suite: 100/100 (all tests passing)
Invariants: 9/9 (hold after 128K fuzz calls)
Critical Findings: 0 (zero unresolved)
Overall Risk: LOW (all findings addressed)
Slither Static Analysis
SLITHER v0.11.5 — ALL 5 CONTRACTS
5 FINDINGS — ALL RESOLVED

| ID | Severity | Finding | Status | Resolution |
|---|---|---|---|---|
| S-1 | Info | Locked ether in PermissionVault | Fixed | Added receive() revert + rescueETH() |
| S-2 | Low | Reentrancy-events in emergencyRevoke | Fixed | Event moved before external call (CEI pattern) |
| S-3 | Info | Unused return in logAction() | Acknowledged | Return value intentionally unused — annotated |
| S-4 | Info | Unused return in latestRoundData() | Acknowledged | Partial destructuring is intentional — annotated |
| S-5 | Info | Solc version pragma | Fixed | Updated to ^0.8.24 |
Mythril Symbolic Execution
MYTHRIL v0.24.8 — RUNTIME BYTECODE ANALYSIS
0 ACTIONABLE FINDINGS

| Contract | Issues | SWC IDs | Disposition |
|---|---|---|---|
| AgentRegistry | 0 | | Clean |
| PermissionVault | 0 | | Clean |
| RevocationRegistry | 0 | | Clean |
| AuditLogger | 0 | | Clean |
| SpendTracker | 1 | SWC-116 | Accepted — block.timestamp needed for oracle staleness |
| PermissionVault (ext) | 2 | SWC-123, SWC-101 | False positives — receive() revert by design; Solidity 0.8.24 overflow protection |

12 SWC vulnerability classes tested. All critical classes (SWC-104, SWC-106, SWC-107, SWC-110, SWC-112, SWC-113, SWC-114) returned clean across all contracts.

Invariant Fuzzing
FOUNDRY v1.5.1 — 256 RUNS × 500 CALLS = 128,000 FUZZ CALLS PER INVARIANT
9/9 INVARIANTS HOLD

| ID | Property | Result |
|---|---|---|
| INV-1 | Agent count consistency | HOLDS |
| INV-2 | Revocation irreversibility | HOLDS |
| INV-3 | Audit record immutability | HOLDS |
| INV-4 | Scope revocation permanence | HOLDS |
| INV-5 | Module type invariant | HOLDS |
| INV-6 | Rolling spend monotonicity | HOLDS |
| INV-7 | Admin non-nullity | HOLDS |
| INV-8 | Revoked agent blocked | HOLDS |
| INV-9 | Grant/revoke consistency | HOLDS |

A BouclierHandler contract with 7 handler functions drives the fuzzer through realistic protocol operations including agent registration, permission grants, revocations, audit logging, spend recording, and timestamp warping.

Manual Security Review
MANUAL CODE REVIEW — ALL CONTRACTS
2 FINDINGS — ALL FIXED

| ID | Severity | Finding | Status | Resolution |
|---|---|---|---|---|
| M-1 | High | EIP-712 SCOPE_TYPEHASH mismatch | Fixed | SCOPE_TYPEHASH string did not include nonce field — violated EIP-712 spec. Corrected to include uint256 nonce. |
| M-2 | Info | Dead code in PermissionVault | Fixed | Unreachable code path removed. |
Formal Verification
CERTORA PROVER — 3 SPEC FILES, 15 RULES
SPECS WRITTEN — PENDING CLOUD RUN

| Spec File | Contract | Rules | Key Properties |
|---|---|---|---|
| PermissionVault.spec | PermissionVault | 7 | Revoked agent always fails, binary validation result, nonce monotonicity, expired scope rejection |
| SpendTracker.spec | SpendTracker | 4 | Spend cap enforced, zero cap = no limit, rolling monotonicity |
| RevocationRegistry.spec | RevocationRegistry | 4 | Revoke always sets flag, timelock respected, double-revoke reverts |

Configuration files prepared. Execution requires CERTORAKEY API access. Will be run prior to mainnet deployment.

Test Suite
Unit tests: 84/84
Integration tests: 7/7
Invariant tests: 9/9

All 100 Solidity tests pass after all security fixes including EIP-712 SCOPE_TYPEHASH correction and oracle circuit breaker implementation.

Accepted Risks
Low: Block timestamp in oracle staleness check

Required for Chainlink heartbeat validation. ±15s manipulation is negligible.

Low: Block timestamp in scope expiry

Permission windows are hours/days — ±15s is irrelevant.

Medium: Chainlink single oracle dependency

Stale-price revert implemented. TWAP fallback planned.

Key Fixes Applied

Locked Ether Protection

Added receive() revert and rescueETH() for accidental ETH recovery.

CEI Pattern Enforcement

Events moved before external calls in emergencyRevoke to prevent reentrancy-events.

EIP-712 Typehash Correction

SCOPE_TYPEHASH corrected to include nonce field per EIP-712 specification.

Oracle Circuit Breaker

5% deviation threshold on Chainlink price feeds with admin-refreshable anchor prices.
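Added example (Python, not Bouclier's code) modelling the two oracle checks this page describes: the stale-price revert against the Chainlink heartbeat (the block.timestamp use accepted under SWC-116) and the 5% deviation breaker against an admin-refreshable anchor. The heartbeat length, the exception type and the basis-point arithmetic are assumptions, chosen to mirror integer math in Solidity.

```python
"""Added example (not Bouclier's code): oracle staleness + 5% circuit breaker."""
from dataclasses import dataclass

DEVIATION_BPS = 500   # 5% threshold from the audit page, in basis points
BPS = 10_000

class OracleError(Exception):
    """Stands in for a Solidity revert."""

@dataclass
class Round:
    answer: int       # price as returned by latestRoundData()
    updated_at: int   # unix seconds, also from latestRoundData()

class PriceGuard:
    def __init__(self, heartbeat: int, anchor: int):
        self.heartbeat = heartbeat   # max age before a round is stale (assumed, e.g. 3600s)
        self.anchor = anchor         # last admin-approved reference price

    def refresh_anchor(self, price: int) -> None:
        """Admin-only in the contract; a plain method in this model."""
        if price <= 0:
            raise OracleError("anchor must be positive")
        self.anchor = price

    def validate(self, rnd: Round, now: int) -> int:
        """Return the price, or raise where the contract would revert."""
        if rnd.answer <= 0:
            raise OracleError("non-positive answer")
        # Staleness needs the current block timestamp: a round older than the
        # heartbeat (or dated in the future) is rejected instead of consumed.
        if rnd.updated_at > now or now - rnd.updated_at > self.heartbeat:
            raise OracleError("stale price")
        # Circuit breaker: |answer - anchor| / anchor above 5% trips the guard.
        # Integer basis points avoid float rounding, as Solidity would.
        deviation_bps = abs(rnd.answer - self.anchor) * BPS // self.anchor
        if deviation_bps > DEVIATION_BPS:
            raise OracleError(f"deviation {deviation_bps} bps exceeds {DEVIATION_BPS}")
        return rnd.answer
```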

Responsible Disclosure
1. Discovery (T+0)

Vulnerability reported via the bug bounty program or direct disclosure

2. Assessment (T+24h)

Security team triages severity and confirms reproducibility

3. Remediation (T+72h)

Patch developed, tested with formal verification

4. Deployment (T+96h)

Multi-sig approves fix. Timelock executed for non-critical

5. Disclosure (T+30d)

Full public disclosure with technical write-up

Pre-Mainnet Roadmap
Next: Certora Cloud Run

Execute all 15 formal verification rules via Certora Prover cloud API.

Planned: Third-Party Audit

Competitive audit via Code4rena or engagement with Trail of Bits / OpenZeppelin.

Prepared: Immunefi Bug Bounty

$100K bounty pool — $50K critical, $10K high, $2K medium, $500 low.

Found a Vulnerability?

We take security seriously. Report any issues through our bug bounty program.

[SYS] BOUCLIER.ETH v0.1.0-alpha