ADIC Audit Checklist

This checklist should be completed before engaging with a professional security auditor.

Pre-Audit Verification

Code Quality

  • cargo fmt --check passes
  • cargo clippy --all-targets --all-features -- -D warnings passes
  • cargo test --workspace --exclude adic-network passes
  • cargo doc --all --no-deps builds without warnings

Security Tooling

  • cargo audit shows no vulnerabilities (or all are documented/accepted)
  • cargo deny check passes
  • Fuzz tests run without panics (60-second smoke test each)

Memory Safety

  • cargo +nightly miri test -p adic-crypto passes (critical paths)
  • No uninitialized memory reads (Miri verified)
  • All unsafe blocks documented and justified

Pre-Audit Sanitizer Runs

Run these manually before audit (not in CI - too resource intensive):

# AddressSanitizer - memory errors
RUSTFLAGS="-Zsanitizer=address" cargo +nightly test \
  --workspace --exclude adic-network \
  --target x86_64-unknown-linux-gnu

# ThreadSanitizer - data races
RUSTFLAGS="-Zsanitizer=thread" cargo +nightly test \
  --workspace --exclude adic-network \
  --target x86_64-unknown-linux-gnu

Document results:

  • AddressSanitizer: ______ (date, result)
  • ThreadSanitizer: ______ (date, result)

Documentation

  • SECURITY.md up to date
  • THREAT_MODEL.md reviewed and accurate
  • README build instructions verified
  • Cargo.lock committed to repository

Toolchain Information

Record the toolchain used for audit:

Rust version: ______ (output of `rustc --version`)
MSRV: 1.70
Platform: ______

Unsafe Code Inventory

| Location | Justification | Reviewed |
|---|---|---|
| copyover module | OS interop | [ ] |
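
One way to cross-check the inventory above against the source tree, as an added example that is not part of the ADIC repository: the script lists every use of the `unsafe` keyword in `.rs` files and flags those with no `// SAFETY:` comment directly above or on the same line. The `SAFETY:` comment convention, the function names and the sample file are assumptions.

```shell
#!/bin/sh
# Added example (not ADIC project code). Assumes the common `// SAFETY:`
# comment convention; function names and the sample file are hypothetical.

# Print "<file>:<line> documented|UNDOCUMENTED" for each `unsafe` keyword use.
unsafe_inventory() {
  find "$1" -type f -name '*.rs' | sort | while IFS= read -r f; do
    awk '
      # Whole-line comment: remember a SAFETY: note for the code line below.
      /^[ \t]*\/\// { if ($0 ~ /SAFETY:/) safe = 1; next }
      {
        code = $0; sub(/\/\/.*/, "", code)   # ignore trailing comments
        # Match `unsafe` as a word, so lint names like unsafe_code are skipped.
        if (code ~ /(^|[^A-Za-z0-9_])unsafe([^A-Za-z0-9_]|$)/)
          printf "%s:%d %s\n", FILENAME, NR,
            ((safe || $0 ~ /SAFETY:/) ? "documented" : "UNDOCUMENTED")
        safe = 0   # a SAFETY: note only covers the line right after it
      }' "$f"
  done
}

# Number of `unsafe` uses that still lack a justification comment.
undocumented_count() {
  unsafe_inventory "$1" | awk '$NF == "UNDOCUMENTED" { n++ } END { print n + 0 }'
}

# Constructed sample input (not taken from the repository).
write_sample() {
  cat > "$1/sample.rs" <<'EOF'
#![deny(unsafe_op_in_unsafe_fn)]
fn dup_fd(fd: i32) -> i32 {
    // SAFETY: fd is a descriptor this process owns.
    unsafe { libc::dup(fd) }
}
fn read_raw(p: *const u8) -> u8 {
    unsafe { *p }
}
// do not add unsafe here without review
EOF
}

# Usage: sh unsafe_inventory.sh crates/   (does nothing without an argument)
if [ "$#" -gt 0 ]; then unsafe_inventory "$1"; fi
```

The match is textual, so an `unsafe` inside a string literal is also reported; treat the output as a list to review against the table, not as proof of coverage.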

Known Issues / Accepted Risks

| Issue | Risk Level | Justification |
|---|---|---|
| adic-network tests require network | Low | Tests excluded, module tested separately |

Fuzz Testing Coverage

| Target | Module | Last Run | Duration | Issues Found |
|---|---|---|---|---|
| fuzz_canonical_json | adic-types | ______ | ______ | ______ |
| fuzz_admissibility | adic-consensus | ______ | ______ | ______ |
| fuzz_message_validation | adic-consensus | ______ | ______ | ______ |
| fuzz_signature_verification | adic-crypto | ______ | ______ | ______ |
| fuzz_encryption | adic-crypto | ______ | ______ | ______ |

Audit Test Results

Run all *_audit_test.rs files:

cargo test --workspace audit_test -- --nocapture

| Test File | Module | Status |
|---|---|---|
| admissibility_fuzz_test.rs | adic-consensus | [ ] |
| deposit_state_audit_test.rs | adic-consensus | [ ] |
| energy_descent_audit_test.rs | adic-consensus | [ ] |
| per_axis_acyclicity_test.rs | adic-consensus | [ ] |
| reputation_sybil_audit_test.rs | adic-consensus | [ ] |
| finality_dual_audit_test.rs | adic-finality | [ ] |
| sybil_resistance_audit_test.rs | adic-mrw | [ ] |
| eclipse_storm_audit_test.rs | adic-network | [ ] |
| serialization_dos_audit_test.rs | adic-network | [ ] |
| security_attacks_test.rs | adic-crypto | [ ] |
Quick Verification Commands

# Full audit preparation check
cargo fmt --check
cargo clippy --all-targets --all-features -- -D warnings
cargo test --workspace --exclude adic-network
cargo audit
cargo deny check

# Fuzz smoke test (60 seconds each)
# Each run is in a subshell so the next cd starts from the repository root
(cd crates/adic-types && cargo +nightly fuzz run fuzz_canonical_json -- -max_total_time=60)
(cd crates/adic-consensus && cargo +nightly fuzz run fuzz_admissibility -- -max_total_time=60)
(cd crates/adic-crypto && cargo +nightly fuzz run fuzz_signature_verification -- -max_total_time=60)

# Critical path Miri check
cargo +nightly miri test -p adic-crypto

Contact Information

  • Security Contact: security@adic.network
  • Vulnerability Response SLA: 48 hours
  • Security Policy: See SECURITY.md

Sign-off

| Role | Name | Date | Signature |
|---|---|---|---|
| Lead Developer | | | |
| Security Lead | | | |