Security Audits

The 8mix codebase has undergone 4 rounds of security audits covering smart contracts, API server, frontend, and deployment infrastructure.

Round   Focus                                          Findings Fixed
v1      Core logic, data flow, deployment              15 (2 critical, 7 high, 6 medium)
v2      Relayer security, input validation             7 (2 critical, 2 high, 3 medium)
v3      Edge cases, DoS vectors, race conditions       6 (2 high, 4 medium)
v4      Private key leak audit, penetration testing    3 (1 medium, 2 low)

Total: 31 vulnerabilities identified and fixed (4 critical, 11 high, 14 medium, 2 low). No critical or high-severity issues remain open.

Key areas audited:

  • Smart contracts: Reentrancy, double-spend, front-running, token compatibility, Merkle tree correctness

  • ZK proofs: Circuit constraints, trusted setup, on-chain/off-chain verification consistency

  • Frontend: XSS prevention (CSP), address validation, note handling, timeout/abort on all network calls

  • API: Rate limiting, input validation, CORS whitelist, private key isolation, off-chain proof verification

  • Infrastructure: No source maps, no exposed secrets, separate API keys, Helmet headers, TLS 1.3

The relayer private key was confirmed absent from every layer checked: source code, frontend bundles, live JS files, API error responses, and documentation.
