Security Audits

NullGraph has NOT undergone formal security audits. This is a hackathon/demo project built for educational and demonstration purposes.

Audit Status

Current State

As of March 2026, NullGraph has:
  • No formal security audits conducted
  • No third-party security review performed
  • No penetration testing completed
  • No economic security analysis done
  • No formal verification of smart contract logic
  • No bug bounty program established

Project Context

NullGraph was developed as a hackathon submission to demonstrate:
  • Solana program development with Anchor framework
  • SPL Token Interface integration for BIO token operations
  • PDA-based account architecture
  • Bounty marketplace mechanics for scientific data
  • React frontend with Solana Wallet Adapter
The codebase prioritizes functionality and demonstration over production-grade security hardening.
This project is suitable for learning, experimentation, and proof-of-concept purposes. It is not ready for production deployment without significant additional security work.

Security Risks

Critical Risks

Deploying unaudited smart contracts to mainnet exposes users to:
  1. Loss of funds - Bugs in token transfer logic could lock or drain escrowed BIO tokens
  2. Unauthorized access - Flaws in authorization checks could allow malicious actors to approve/close bounties
  3. Arithmetic vulnerabilities - Despite checked arithmetic, edge cases may exist in fee calculations
  4. State corruption - Race conditions or unexpected state transitions could brick accounts
  5. Economic attacks - MEV, front-running, and other DeFi attack vectors not analyzed

Known Limitations

See Security Model - Known Limitations for a detailed list of unimplemented security features.

Pre-Production Checklist

Complete ALL items before considering production deployment:

1. Code Audit

Scope: Full security review of programs/nullgraph/src/lib.rs (~593 lines)
Focus areas:
  • Authority validation in all instructions
  • PDA seed derivation correctness
  • Token transfer logic and vault authority
  • Arithmetic overflow/underflow scenarios
  • State machine transition validation
  • Reentrancy protection
  • Account validation completeness
  • CPI security (SPL Token Interface calls)
Recommended auditors:
  • Zellic - Specializes in Solana/Anchor audits
  • Neodyme - Solana-focused security firm
  • OtterSec - Audits major Solana protocols
  • Trail of Bits - General smart contract auditing
  • Halborn - Blockchain security specialists
Timeline: 2-4 weeks for thorough review
Budget: $15,000-$50,000 depending on firm and scope

2. Testing & Coverage

Requirements:
  • Unit tests for all instructions
  • Integration tests covering full workflows
  • Edge case tests (overflow, underflow, zero amounts)
  • Negative tests (unauthorized access, invalid states)
  • Fuzz testing with random inputs
  • Code coverage >90%
Current state: Basic integration tests in tests/nullgraph.ts cover happy paths only.
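The audit focus areas and test requirements above (checked arithmetic, state machine transitions, authority validation, zero-amount and overflow edge cases, negative tests) can be exercised off-chain before any auditor is engaged. The following is an added example, not NullGraph's own code: a dependency-free Rust model of a bounty lifecycle in which every fee calculation is checked, every state transition is listed explicitly, and only the creator can approve or close. The type and function names, the 2.5% fee and the transition table are assumptions; the real program in programs/nullgraph/src/lib.rs uses Anchor account types instead of this model.

```rust
// Added example, not NullGraph's own code. Models three audit focus areas:
// checked fee arithmetic, explicit bounty state transitions, and creator
// authority checks. All names and the 2.5% fee are assumptions.

/// Stand-in for solana_program::pubkey::Pubkey so the example runs off-chain.
pub type Pubkey = [u8; 32];

/// Assumed protocol fee in basis points (1 bp = 0.01%); 250 bp = 2.5%.
pub const PROTOCOL_FEE_BPS: u64 = 250;
const BPS_DENOMINATOR: u64 = 10_000;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum BountyState {
    Open,
    Submitted,
    Approved,
    Closed,
}

#[derive(Debug, PartialEq, Eq)]
pub enum BountyError {
    ZeroAmount,
    InvalidFee,
    Overflow,
    Unauthorized,
    InvalidTransition(BountyState, BountyState),
}

/// Split a reward into (net_to_researcher, protocol_fee). A fee above 100% is
/// rejected, and amount * fee_bps returns Overflow instead of wrapping.
pub fn split_reward(amount: u64, fee_bps: u64) -> Result<(u64, u64), BountyError> {
    if amount == 0 {
        return Err(BountyError::ZeroAmount);
    }
    if fee_bps > BPS_DENOMINATOR {
        return Err(BountyError::InvalidFee);
    }
    let fee = amount
        .checked_mul(fee_bps)
        .ok_or(BountyError::Overflow)?
        / BPS_DENOMINATOR; // integer division rounds the fee down
    let net = amount.checked_sub(fee).ok_or(BountyError::Overflow)?;
    Ok((net, fee))
}

pub struct Bounty {
    pub creator: Pubkey,
    pub amount: u64,
    pub state: BountyState,
}

impl Bounty {
    pub fn new(creator: Pubkey, amount: u64) -> Result<Self, BountyError> {
        if amount == 0 {
            return Err(BountyError::ZeroAmount);
        }
        Ok(Self { creator, amount, state: BountyState::Open })
    }

    /// A researcher submits work: Open -> Submitted. Any signer may submit,
    /// but the transition table still applies.
    pub fn submit(&mut self) -> Result<(), BountyError> {
        self.step(BountyState::Submitted)
    }

    /// Only the creator can approve. The payout is computed BEFORE the state
    /// changes, so a failing fee calculation cannot leave the bounty marked
    /// Approved with no tokens released.
    pub fn approve(&mut self, signer: &Pubkey, fee_bps: u64) -> Result<(u64, u64), BountyError> {
        self.require_creator(signer)?;
        let payout = split_reward(self.amount, fee_bps)?;
        self.step(BountyState::Approved)?;
        Ok(payout)
    }

    /// Only the creator can close; allowed from Open, Submitted or Approved.
    pub fn close(&mut self, signer: &Pubkey) -> Result<(), BountyError> {
        self.require_creator(signer)?;
        self.step(BountyState::Closed)
    }

    fn require_creator(&self, signer: &Pubkey) -> Result<(), BountyError> {
        if *signer != self.creator {
            return Err(BountyError::Unauthorized);
        }
        Ok(())
    }

    /// Single source of truth for legal transitions; anything not listed is
    /// rejected, which is what an auditor checks the on-chain program for.
    fn step(&mut self, to: BountyState) -> Result<(), BountyError> {
        use BountyState::*;
        let legal = matches!(
            (self.state, to),
            (Open, Submitted) | (Submitted, Approved) | (Open, Closed) | (Submitted, Closed) | (Approved, Closed)
        );
        if !legal {
            return Err(BountyError::InvalidTransition(self.state, to));
        }
        self.state = to;
        Ok(())
    }
}

fn main() {
    let creator: Pubkey = [1; 32];
    let mut bounty = Bounty::new(creator, 1_000_000).expect("non-zero amount");
    bounty.submit().expect("Open -> Submitted");
    let (net, fee) = bounty.approve(&creator, PROTOCOL_FEE_BPS).expect("creator approves");
    println!("net={net} fee={fee} state={:?}", bounty.state);
    println!("{:?}", split_reward(u64::MAX, PROTOCOL_FEE_BPS)); // Err(Overflow), not a wrapped value
}
```

The same structure maps onto the negative and edge-case tests the checklist asks for: each `Err` variant is one negative test (unauthorized signer, illegal transition, zero amount, overflow), and a fuzzer can drive `split_reward` with random amounts and fee values to confirm it never panics or wraps.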

3. Economic Security Analysis

Research questions:
  • Can MEV bots front-run bounty submissions?
  • Are there sandwich attack vectors in token transfers?
  • What is the economic impact of protocol fee manipulation?
  • Can malicious actors grief researchers or bounty creators?
  • Are there sybil attack vectors in NKA submission?
  • What is the optimal fee structure to prevent spam?
Recommended partners:
  • Blockchain Capital research team
  • Gauntlet (DeFi economic modeling)
  • Chaos Labs (risk simulation)

4. Formal Verification

Optional but recommended:
  • Formal specification of protocol invariants
  • Model checking of state transitions
  • Mathematical proof of core properties
  • Symbolic execution of critical paths
Tools:

5. Operational Security

Infrastructure:
  • Deploy to mainnet with upgrade authority held by multisig
  • Implement timelock for protocol parameter changes
  • Set up monitoring and alerting for suspicious activity
  • Establish incident response procedures
  • Create security disclosure policy
  • Set up bug bounty program
Key management:
  • Protocol authority in cold storage or multisig
  • Treasury wallet in hardware wallet or multisig
  • No single point of failure in key custody
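The timelock item above is the one piece of this checklist that lives in program logic rather than in key custody. As an added example, not NullGraph's own code, here is a minimal two-step timelock for a protocol parameter (the fee in basis points) written in plain Rust: the authority queues a change, it cannot execute before a fixed number of slots has passed, and an early execute leaves the config untouched. Slot numbers are passed in explicitly so the model runs off-chain (on Solana they would come from the Clock sysvar); the 432,000-slot delay, roughly two days at 400 ms per slot, and all names are assumptions.

```rust
// Added example, not NullGraph's own code. A minimal timelock for protocol
// parameter changes, modelled in plain Rust. Slot numbers are supplied by the
// caller; the delay and all names are assumptions.

pub type Pubkey = [u8; 32];
/// Assumed default delay: 432_000 slots, about 2 days at 400 ms per slot.
pub const DEFAULT_DELAY_SLOTS: u64 = 432_000;
const MAX_FEE_BPS: u64 = 10_000;

#[derive(Debug, PartialEq, Eq)]
pub enum TimelockError {
    Unauthorized,
    InvalidFee,
    AlreadyQueued,
    NothingQueued,
    TooEarly { ready_at: u64 },
    Overflow,
}

#[derive(Debug, Clone, Copy)]
pub struct PendingChange {
    pub new_fee_bps: u64,
    pub ready_at: u64,
}

pub struct ProtocolConfig {
    pub authority: Pubkey,
    pub fee_bps: u64,
    pub delay_slots: u64,
    pub pending: Option<PendingChange>,
}

impl ProtocolConfig {
    pub fn new(authority: Pubkey, fee_bps: u64, delay_slots: u64) -> Self {
        Self { authority, fee_bps, delay_slots, pending: None }
    }

    fn require_authority(&self, signer: &Pubkey) -> Result<(), TimelockError> {
        if *signer != self.authority {
            return Err(TimelockError::Unauthorized);
        }
        Ok(())
    }

    /// Step 1: the authority announces the change. It cannot take effect
    /// before now_slot + delay_slots, giving users time to react or exit.
    pub fn queue_fee_change(&mut self, signer: &Pubkey, new_fee_bps: u64, now_slot: u64) -> Result<u64, TimelockError> {
        self.require_authority(signer)?;
        if new_fee_bps > MAX_FEE_BPS {
            return Err(TimelockError::InvalidFee);
        }
        if self.pending.is_some() {
            return Err(TimelockError::AlreadyQueued);
        }
        let ready_at = now_slot.checked_add(self.delay_slots).ok_or(TimelockError::Overflow)?;
        self.pending = Some(PendingChange { new_fee_bps, ready_at });
        Ok(ready_at)
    }

    /// Step 2: the authority applies the change once the delay has elapsed.
    /// Executing early returns TooEarly and changes nothing.
    pub fn execute(&mut self, signer: &Pubkey, now_slot: u64) -> Result<u64, TimelockError> {
        self.require_authority(signer)?;
        let change = self.pending.ok_or(TimelockError::NothingQueued)?; // Copy, no borrow held
        if now_slot < change.ready_at {
            return Err(TimelockError::TooEarly { ready_at: change.ready_at });
        }
        self.fee_bps = change.new_fee_bps;
        self.pending = None;
        Ok(self.fee_bps)
    }

    /// The authority can withdraw a queued change before it executes.
    pub fn cancel(&mut self, signer: &Pubkey) -> Result<(), TimelockError> {
        self.require_authority(signer)?;
        self.pending.take().map(|_| ()).ok_or(TimelockError::NothingQueued)
    }
}

fn main() {
    let authority: Pubkey = [7; 32];
    let mut cfg = ProtocolConfig::new(authority, 250, DEFAULT_DELAY_SLOTS);
    let ready_at = cfg.queue_fee_change(&authority, 300, 10_000_000).expect("queued");
    println!("change ready at slot {ready_at}");
    println!("{:?}", cfg.execute(&authority, 10_000_000)); // Err(TooEarly { .. })
    println!("{:?}", cfg.execute(&authority, ready_at)); // Ok(300)
}
```

On a real deployment the authority key in this model would itself be the multisig named in the checklist, so a fee change needs both a quorum of signers and the elapsed delay before it takes effect.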

6. Bug Bounty Program

Structure:
  • Critical vulnerabilities: $50,000+
  • High severity: $10,000-$50,000
  • Medium severity: $2,000-$10,000
  • Low severity: $500-$2,000
Platforms:

7. Testnet Deployment

Timeline: Minimum 3-6 months on devnet/testnet before mainnet
Objectives:
  • Stress test with high transaction volume
  • Public testnet with real users (fake tokens)
  • Monitor for unexpected behavior or edge cases
  • Iterate on fixes without mainnet risk

8. Documentation & Transparency

Required materials:
  • Comprehensive security documentation (in progress)
  • Architecture diagrams
  • Threat model documentation
  • Incident response playbook
  • Public audit reports (after completion)
  • Known issues disclosure

Responsible Disclosure

Reporting Vulnerabilities

If you discover a security vulnerability in NullGraph:
  1. Do NOT disclose publicly until patched
  2. Contact the development team through secure channels
  3. Provide detailed reproduction steps
  4. Allow reasonable time for remediation (90 days standard)

Disclosure Timeline

Standard process:
  • Day 0: Vulnerability reported to team
  • Day 1-7: Team confirms and assesses severity
  • Day 7-30: Fix developed and tested
  • Day 30-60: Fix deployed to production
  • Day 60-90: Public disclosure with credit to researcher
Critical vulnerabilities affecting funds may require expedited disclosure and emergency patches.

Security Best Practices for Users

For Researchers

  • ✅ Only connect trusted wallets (Phantom, Solflare)
  • ✅ Verify transaction details before signing
  • ✅ Keep seed phrases secure and offline
  • ✅ Use hardware wallets for high-value accounts
  • ❌ Never share private keys or seed phrases
  • ❌ Don’t approve suspicious transactions

For BioDAOs and Bounty Creators

  • ✅ Start with small bounty amounts to test
  • ✅ Verify researcher credentials before approval
  • ✅ Monitor vault balances regularly
  • ✅ Use multisig wallets for treasury operations
  • ❌ Don’t create bounties with entire treasury balance
  • ❌ Don’t approve submissions without thorough review

For Protocol Integrators

Do NOT integrate NullGraph into production applications until formal security audits are completed and all pre-production checklist items are addressed.
If building on NullGraph for hackathons or demos:
  • Use devnet/testnet only
  • Clearly label as “experimental”
  • Include security disclaimers
  • Never handle real user funds
  • Keep dependencies updated

Timeline to Production

Estimated timeline for production-ready deployment:
Phase                | Duration    | Activities
Testing & Hardening  | 2-3 months  | Comprehensive test suite, edge case coverage, initial fixes
Security Audit       | 1-2 months  | Formal audit with reputable firm, address findings
Economic Analysis    | 1 month     | Model attack vectors, optimize fee structure
Testnet Deployment   | 3-6 months  | Public testnet with real users, monitor and iterate
Bug Bounty           | Ongoing     | Launch program, address reported issues
Mainnet Deployment   | 1 month     | Staged rollout with monitoring
Total: 8-13 months minimum from current state to production-ready
Budget estimate: $50,000-$150,000 (audits, bounties, infrastructure)

Conclusion

NullGraph demonstrates innovative mechanics for tokenizing scientific null results, but requires significant security investment before production deployment.
This documentation is intentionally transparent about security limitations. Honesty about audit status and risks is critical for user safety and project credibility.
Current recommendation: Use for learning, demos, and hackathons on devnet/testnet only. Do not deploy to mainnet or handle real funds without completing the pre-production checklist. For questions about the security roadmap or production deployment plans, contact the development team.