
Trail of Bits Audit: Findings & Remediation

Transparency is a core value at NexusForge, and nowhere is that more important than in security. Today we are publishing the full results of our most recent security audit, conducted by Trail of Bits over a six-week engagement from January 6 to February 14, 2026. We want to walk through the scope, methodology, findings, and our remediation steps in detail.

Scope of the Audit

Trail of Bits reviewed two primary components of the NexusForge protocol:

  • Core Protocol Contracts -- the on-chain verifier contracts, agent registry, stake management, and proof aggregation logic deployed on Ethereum mainnet. This comprises approximately 4,200 lines of Solidity across 18 contracts.
  • Execution Layer -- the off-chain execution runtime that runs inside TEE enclaves, including the proof generation pipeline, the agent scheduler, and the cross-chain relay interface. This comprises approximately 28,000 lines of Rust.

The audit did not cover the frontend application, the SDK, or third-party dependencies (which are audited separately on a rolling basis). Trail of Bits assigned a team of four senior security engineers to the engagement.

Methodology

Trail of Bits used a combination of manual code review, formal verification (for critical Solidity paths), property-based fuzzing (using Echidna for Solidity and custom harnesses for Rust), and architecture review. They also performed adversarial testing against a private testnet deployment, simulating scenarios including malicious node operators, proof forgery attempts, and relay manipulation.

Findings Summary

The audit identified a total of 7 findings:

  • Critical: 0
  • High: 0
  • Medium: 2
  • Low: 5

All findings have been addressed. Below we describe the two medium-severity findings in detail.

Medium Finding 1: Proof Replay in Cross-Chain Relay

Trail of Bits identified a scenario in which a cross-chain proof could be replayed on the target chain if the relay submitted the same proof twice before the target chain's verifier contract updated its nonce registry. This was possible because the nonce check and the proof verification were performed in separate transactions, creating a narrow window for replay.

Remediation: We refactored the verifier contract to perform nonce registration and proof verification atomically within a single transaction. The nonce is now committed to storage before the proof is verified, eliminating the replay window entirely. This fix was deployed to mainnet on February 18, 2026, as part of contract upgrade v2.3.4.
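The replay window and its fix can be modelled in a few lines. This is an added example, not NexusForge contract code: Proof, Verifier and all method names are hypothetical, a boolean stands in for real proof verification, and removing the nonce on a failed verification models an assumed transaction revert.

```rust
use std::collections::HashSet;

// Constructed stand-in for a relayed proof; `valid` replaces real proof verification.
struct Proof { nonce: u64, valid: bool }

#[derive(Default)]
struct Verifier { used: HashSet<u64>, executed: u32 }

impl Verifier {
    // Split flow, transaction 1: read-only nonce check.
    fn check_nonce(&self, p: &Proof) -> bool { !self.used.contains(&p.nonce) }

    // Split flow, transaction 2: verify, and only now record the nonce.
    fn verify_and_record(&mut self, p: &Proof) -> bool {
        if !p.valid { return false; }
        self.used.insert(p.nonce);
        self.executed += 1;
        true
    }

    // Atomic flow: commit the nonce first, then verify, in one call.
    fn submit_atomic(&mut self, p: &Proof) -> Result<(), &'static str> {
        if !self.used.insert(p.nonce) { return Err("nonce already used"); }
        if !p.valid {
            self.used.remove(&p.nonce); // assumption: a failed verify reverts the whole transaction
            return Err("invalid proof");
        }
        self.executed += 1;
        Ok(())
    }
}

// Submits the same proof twice; returns how many times it was accepted.
fn double_submit(atomic: bool) -> u32 {
    let (mut v, p) = (Verifier::default(), Proof { nonce: 7, valid: true });
    if atomic {
        let _ = v.submit_atomic(&p);
        let _ = v.submit_atomic(&p);
    } else {
        // Both nonce checks land before either verification records the nonce.
        let (a, b) = (v.check_nonce(&p), v.check_nonce(&p));
        if a { v.verify_and_record(&p); }
        if b { v.verify_and_record(&p); }
    }
    v.executed
}

fn main() {
    println!("split: {}, atomic: {}", double_submit(false), double_submit(true));
}
```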

Medium Finding 2: Insufficient Entropy in Agent ID Generation

The agent ID generation function in the execution layer used a combination of the deployer's address and a block timestamp to derive agent IDs. Trail of Bits demonstrated that under certain conditions -- specifically when multiple agents were deployed in the same block by the same address -- ID collisions were theoretically possible, though no collision was found in production data.

Remediation: We replaced the ID generation function with a scheme that incorporates the deployer address, a monotonically increasing counter stored in the registry contract, and a domain separator unique to each chain. This makes collisions computationally infeasible. The fix shipped in execution layer v2.3.5 on February 20, 2026.
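The difference between the two derivations, as an added sketch that is not the NexusForge implementation: the function names, the Registry struct, the field widths and the fixed-width encoding are assumptions, and std's DefaultHasher (64-bit, not collision resistant) stands in for a cryptographic hash so the block has no dependencies.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::Hasher;

// Stand-in digest only; a real scheme would use a cryptographic hash here.
fn digest(preimage: &[u8]) -> u64 {
    let mut h = DefaultHasher::new();
    h.write(preimage);
    h.finish()
}

// Old derivation: deployer address + block timestamp.
// Two deployments by one address in one block share the same preimage.
fn legacy_agent_id(deployer: &[u8; 20], block_timestamp: u64) -> u64 {
    let mut pre = Vec::with_capacity(28);
    pre.extend_from_slice(deployer);
    pre.extend_from_slice(&block_timestamp.to_be_bytes());
    digest(&pre)
}

// New derivation: per-chain domain separator + deployer + registry counter.
// Fixed-width fields keep the encoding unambiguous, so distinct tuples give distinct preimages.
fn agent_id(domain: &[u8; 32], deployer: &[u8; 20], counter: u64) -> u64 {
    let mut pre = Vec::with_capacity(60);
    pre.extend_from_slice(domain);
    pre.extend_from_slice(deployer);
    pre.extend_from_slice(&counter.to_be_bytes());
    digest(&pre)
}

// Hypothetical registry holding the chain's domain separator and the counter.
struct Registry { domain: [u8; 32], next: u64 }

impl Registry {
    fn register(&mut self, deployer: &[u8; 20]) -> u64 {
        let id = agent_id(&self.domain, deployer, self.next);
        // Monotonic counter: never reused, and overflow aborts instead of wrapping.
        self.next = self.next.checked_add(1).expect("counter overflow");
        id
    }
}

fn main() {
    let deployer = [0xAB; 20]; // constructed address
    let ts = 1_700_000_000;    // constructed timestamp, same block for both deployments
    let mut reg = Registry { domain: [0x01; 32], next: 0 };
    println!("legacy: {:016x} {:016x}", legacy_agent_id(&deployer, ts), legacy_agent_id(&deployer, ts));
    println!("new:    {:016x} {:016x}", reg.register(&deployer), reg.register(&deployer));
}
```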

Low-Severity Findings

The five low-severity findings covered: a missing event emission in the stake withdrawal path (informational), two instances of gas-inefficient storage patterns in the proof aggregator, a documentation mismatch between the spec and the implementation for the relay timeout parameter, and a non-critical rounding inconsistency in the fee calculation logic. All five were addressed in patch releases between February 21 and February 28.

Timeline

  • January 6: Audit engagement begins
  • February 14: Trail of Bits delivers final report
  • February 15-17: Internal review and remediation planning
  • February 18-28: All fixes deployed to mainnet
  • March 2: Public disclosure (this post)

The full Trail of Bits report, including detailed technical descriptions of all findings, is available on our Security page. We encourage the community to review it.

Our Commitment to Ongoing Security

This audit is the third engagement we have completed with a top-tier security firm in the past 12 months. Our previous audits by Zellic (September 2025) and OpenZeppelin (June 2025) are also publicly available. We maintain a continuous audit program with rotating firms to ensure fresh perspectives, and we operate a bug bounty program with rewards up to $500,000 for critical vulnerabilities.

Security is not a checkbox -- it is an ongoing practice. We are committed to maintaining the highest security standards as the protocol grows, and we will continue to publish audit results with full transparency. If you find a vulnerability, please report it through our responsible disclosure process on the Security page.