Security is foundational to the YoorQuezt MEV platform. This document covers smart contract security patterns, audit status, infrastructure security layers, testing coverage, and the roadmap for external audits and formal verification.
Smart Contract Security Patterns
All settlement contracts implement industry-standard security patterns:
| Pattern | Purpose | Contracts |
|---|---|---|
| Ownable2Step | Two-step ownership transfer (propose + accept) prevents accidental loss | All contracts |
| ReentrancyGuard | Prevents reentrancy attacks on all ETH-transferring functions | AuctionSettlement, RebateDistributor, IntentRegistry |
| Pausable | Emergency pause capability halts all operations | All contracts |
| SafeERC20 | Safe token transfer wrappers for non-standard ERC20 (USDT, BNB) | All contracts |
| MerkleProof | Efficient on-chain verification of off-chain computations | RebateDistributor |
| Address validation | Zero-address checks on all setters and constructors | All contracts |
| Pull over push | Users claim funds instead of automatic distribution | AuctionSettlement, RebateDistributor |
| Arithmetic safety | Solidity 0.8.x built-in overflow/underflow protection | All contracts |
| Fund isolation | Per-epoch and per-auction accounting prevents cross-contamination | AuctionSettlement, RebateDistributor |
Deployed Contracts
| Contract | Purpose | Chain | Address | Status |
|---|---|---|---|---|
| ArbExecutor | Two-leg arbitrage (V2/V3 routers) | Ethereum | 0xF3a2... | Deployed, verified |
| ArbExecutor | Two-leg arbitrage (V2/V3 routers) | Arbitrum | 0xEDFD... | Deployed, verified |
| AuctionSettlement | Sealed-bid auction settlement | Sepolia | (testnet) | Pre-external audit |
| RebateDistributor | Merkle-proof MEV rebates | Sepolia | (testnet) | Pre-external audit |
| IntentRegistry | Intent submission + solver staking | Sepolia | (testnet) | Pre-external audit |
Mainnet deployment of settlement contracts is pending external audit completion.
Audit Status
Internal Audit (March 2026)
| Severity | Found | Fixed | Remaining |
|---|---|---|---|
| Critical | 0 | 0 | 0 |
| High | 8 | 8 | 0 |
| Medium | 5 | 5 | 0 |
| Low | 12 | 12 | 0 |
| Informational | 7 | 7 | 0 |
| Total | 32 | 32 | 0 |
All 8 HIGH findings were resolved internally:
- Missing reentrancy guard on
claimPayout-- addednonReentrantmodifier - Unchecked return value on ERC20 transfer -- switched to
SafeERC20 - Missing zero-address check on solver registration -- added validation
- Potential front-running on sealed-bid reveal -- implemented commit-reveal scheme
- Missing pause checks on critical functions -- added
whenNotPaused - Integer overflow in fee calculation -- covered by Solidity 0.8+ built-in checks
- Missing event emissions on state changes -- added events for all mutations
- Stale epoch data not cleaned up -- added
recoverExpiredfunction
External Audit
External audit is deferred pending funding ($10-25K estimated cost). The RFP is prepared at docs/audit-rfp.md.
Scope:
- AuctionSettlement.sol (~350 LOC)
- RebateDistributor.sol (~280 LOC)
- IntentRegistry.sol (~320 LOC)
- Deploy scripts and configuration
Settlement Security Model
The settlement layer uses a sealed-bid auction model:
- Deposit -- searchers deposit ETH as bidding collateral into AuctionSettlement.
- Commit -- bids are committed as hashes (commit-reveal prevents front-running).
- Reveal -- bids are revealed and validated against commitments.
- Settle -- winner is determined, funds are transferred, protocol fee is locked per-auction.
- Claim -- winner claims payout via pull pattern (no automatic push distribution).
Security properties:
- Bids are hidden until reveal phase (sealed-bid).
- Deposits are locked until settlement or withdrawal window.
- Protocol fees are capped (MAX_FEE_BPS = 2000, i.e., 20%) and locked at settlement time.
- Emergency pause halts all operations.
- Two-step ownership prevents accidental admin transfer.
Infrastructure Security
| Layer | Mechanism | Purpose |
|---|---|---|
| Transport | QUIC + TLS 1.3 | Authenticated encryption, forward secrecy, 0-RTT |
| Application Encryption | AES-256-GCM (optional) | Defense-in-depth payload encryption (see Encryption Toggle) |
| Message Integrity | ECDSA P-256 signing | Authenticity and non-repudiation on all gossip messages |
| Deduplication | Bloom filter | Prevents replay and amplification attacks |
| Authentication | Bearer tokens | API key per-searcher with role-based rate limiting |
| Monitoring | Prometheus + Grafana + Loki | Gas spikes, failed bundles, relay errors, log aggregation |
| Tracing | OpenTelemetry + Tempo | Latency anomalies, distributed trace correlation |
Audit Trail
Every MEV capture and rebate payout is recorded in a tamper-evident audit log:
- SHA256 proof hashes for all settlements
- On-chain events for all state changes
- Originators can verify rebates via
/v1/ofa/audit/verifyendpoint - Bundle lifecycle logging (submitted, simulated, landed, failed)
- Solver registration, matching, and slashing events
- Configuration changes and emergency pause/unpause events
Testing Coverage
| Component | Tests | Coverage Notes |
|---|---|---|
| Solidity contracts (Foundry) | 96 | All functions, edge cases, access control, fuzz testing (256 local / 1024 CI) |
| MEV engine (Go) | 1,246 | Unit (counterfeiter fakes), smoke, integration (httptest), E2E (Docker) |
| Mesh network (Go) | 200+ | Unit, integration (testcontainers), E2E (testnet with live chains) |
| TypeScript SDK | 89 | Client, gateway, streaming, errors across 5 test suites |
| Python SDK | 75+ | Client, gateway, models, utils |
Test methodologies:
- Unit tests -- counterfeiter fakes for interfaces, table-driven subtests
- Smoke tests -- lightweight validation without external dependencies
- Integration tests -- httptest servers, testcontainers (Docker)
- E2E tests -- Docker containers with real services, testnet connectors with live chains
- Race detection --
go test -raceon all Go packages - Fuzz testing -- Foundry fuzz on contract boundary conditions
External Audit Timeline
| Phase | Scope | Timeline | Est. Cost |
|---|---|---|---|
| Phase 1 | ArbExecutor (deployed, handles funds) | Q2 2026 | $10-15K |
| Phase 2 | Settlement contracts (pre-mainnet) | Q3 2026 | $15-25K |
| Phase 3 | Full re-audit after mainnet deployment | Q4 2026 | $20-30K |
Security Roadmap
| Quarter | Milestones |
|---|---|
| Q2 2026 | External audit RFP distribution, auditor selection, ArbExecutor audit, formal verification of AuctionSettlement invariants |
| Q3 2026 | Settlement contracts external audit, findings remediation, mainnet deployment, bug bounty program launch (Immunefi) |
| Q4 2026 | Multisig migration for contract ownership (Gnosis Safe, see docs/multisig-migration.md), SOC 2 Type I assessment, timelock on admin operations (24h delay), full system re-audit |
Responsible Disclosure
If you discover a security vulnerability, please report it responsibly:
- Email: security@yoorquezt.io
- Do not disclose publicly until a fix is deployed.
- Include reproduction steps and impact assessment.
- We aim to respond within 48 hours and resolve critical issues within 7 days.
Bug Bounty (Planned Q3 2026)
| Severity | Scope | Reward |
|---|---|---|
| Critical | Fund loss, unauthorized access | Up to $50,000 |
| High | Protocol disruption, privilege escalation | Up to $20,000 |
| Medium | Data leak, DoS, griefing | Up to $5,000 |
| Low | Informational, best practices | Up to $1,000 |
Scope will include smart contracts, API endpoints, and P2P protocol. Program hosted on Immunefi.