Inside Stellar’s proactive security approach with Tomer Weller: The Soroban Security Audit Bank

Aug 12 | 6 min read

In a recent fireside chat, we sat down with Tomer Weller (Chief Product Officer) from the Stellar Development Foundation to discuss the Soroban Security Audit Bank, an initiative aimed at bolstering the security of the Stellar ecosystem, particularly for projects building on Soroban.

Tomer unpacks how the Audit Bank works, how you can get an audit funded through it, and why it serves as a model for the broader Web3 ecosystem. Tomer also shares advice for developers on what kinds of issues to watch out for when building on Soroban.

The conversation is hosted by Kostas Ferles from Veridise.

See the full timestamps and text summary below.

Timestamps

00:00 Introduction
00:59 Inspiration behind the Soroban Security Audit Bank?
03:05 How projects can access audits from the Audit Bank?
04:31 Expected bugs and vulnerabilities?
09:15 Can this model be a blueprint for other ecosystems?
10:45 Ecosystem insights (Kostas)
13:44 Evaluation criteria for the Soroban Security Audit Bank program?
15:40 Security advice for Soroban builders?
16:32 What are common bugs to avoid in Soroban?
19:07 What’s next for Soroban?
22:24 ZK and privacy: where to focus? (Kostas)
23:42 Closing remarks

Summary of the fireside chat

Below is a text summary of the fireside chat.

What is Stellar and Soroban?

Stellar is a decentralized, public blockchain that gives developers the tools to create experiences that are more like cash than crypto. Soroban is Stellar’s smart contract platform.

What is the Soroban Security Audit Bank?

The Soroban Security Audit Bank is a system designed to support projects building on Stellar and Soroban by enabling them to seek out third-party security reviews from external security auditors. This program represents a significant shift from reactive security—responding after an incident—to a proactive approach, embedding security from the outset.

The inspiration: A proactive stance for Soroban

Tomer Weller explained that the program was inspired by the launch of Soroban, Stellar’s new smart contracts runtime based on WebAssembly with its main SDK in Rust, about a year and a half ago. Stellar, a robust and trusted network since 2015, aimed to maintain its high level of trust and robustness as it entered the smart contract space, which inherently exposes new security surface area. Recognizing the financial challenges and barriers for builders, especially those just starting, the Audit Bank was created to alleviate barriers such as the sheer financial cost of audits.

How does it work? Free audits for qualifying projects

The Audit Bank provides developers with a free audit if they meet a specific set of criteria. As a protocol grows and its Total Value Locked (TVL) increases, additional security audits become available. The Stellar Development Foundation collaborates with a set of vetted auditors, including Veridise.

A key pathway for projects to receive an audit is through the Stellar Community Fund. If, for example, a DeFi protocol is accepted into this fund, it automatically qualifies for an audit sponsored by the Stellar Development Foundation (SDF). This integrated approach helps remove the friction often seen in the industry, allowing projects to prioritize both speed and security. Tomer noted that the program has been successful so far, with no major vulnerabilities observed in the ecosystem since Soroban’s launch, partly thanks to the Audit Bank.

Prioritizing security: Testing, tooling, and unique considerations

The Stellar ecosystem places a strong emphasis on security, advocating that most bugs should be found during testing. Tomer highlighted that Stellar and Soroban were built from the ground up for testability, and emphasized that test-driven development is a must-have paradigm.

Key testing and tooling infrastructure includes:

  • Local testing mode: Allows for fast and efficient Rust unit testing without running a blockchain or WebAssembly.
  • Integration testing: Also supported by the local testing mode.
  • Property-based testing and fuzzing: The SDK supports these, allowing developers to use tools like cargo-fuzz.
  • Static analysis and formal verification: Collaborations with tooling providers like CoinFabrik (for their Scout tool) and Certora (for formal verification of smart contracts) are in place.

Tomer also pointed out that many basic vulnerabilities common in other ecosystems, such as reentrancy attacks, are simply not possible on Stellar due to its fundamental security-first design. Additionally, quirks related to safe math and specific EVM issues are largely absent because Soroban’s runtime is designed to be “more logical and sensible”.

However, some unique aspects of Stellar and Soroban that can be sources of confusion and potential bugs include:

  • State archival: Stellar mitigates state bloat by allowing persistent data entries to be archived (evicted from the live ledger) and later restored, so developers must be mindful of how their contracts handle state that might not currently exist.
  • Multi-tier state system: Developers must understand the different storage tiers:
    • Instance storage: Limited ledger entries attached to contracts, no state archival worries (e.g., pool parameters, finite state).
    • Temporary state: Very cheap, recommended for non-financially meaningful data that doesn’t need to live forever (e.g., oracle information relevant for a short period).
    • Persistent storage: The highest tier, reserved primarily for financially meaningful information like balances or DeFi positions.

Developers are strongly encouraged to review existing audit reports, as the Audit Bank mandates that all reports are open source. So far, there are around 40 to 50 audit reports for developers to learn from past experiences and avoid common pitfalls, such as those related to state management.

To prepare for an audit, protocols are required to have:

  • A significant test suite.
  • Threat analysis.
  • A clear specification of their protocol’s invariants and assumptions, including edge cases. Tomer noted that simply writing these down often helps projects identify missed scenarios.

A blueprint for other ecosystems?

Both Tomer and Kostas believe the Soroban Security Audit Bank could serve as a model for other blockchain ecosystems. Tomer observed that other ecosystems sometimes adopt similar programs, but unfortunately only after a hack has occurred. He emphasized that the reputation of a blockchain is closely intertwined with the security of its protocols, and a hack, even if not in the core blockchain implementation, projects a negative image onto the entire ecosystem. Stellar’s “late mover advantage” into DeFi and smart contracts allowed them to observe what worked and what didn’t in the broader space, enabling them to build a more secure tech stack and prepare their ecosystem effectively.

Kostas added that while projects often prioritize speed, Veridise is always proud to see projects that build security from the ground up, with robust test cases and clear threat modeling.

Defining success: Qualitative over quantitative

When asked how to evaluate the program’s success, Tomer admitted it’s challenging to put metrics around. Stellar aims for zero money lost to hacks and bugs. However, he cautioned against metrics like “number of bugs found” or “number of audits,” as these could indicate a lack of prior legwork by protocols or merely superficial audits. Instead, Stellar focuses on qualitative measures: they seek security auditors who are curious, deeply understand the protocol, and produce comprehensive technical documents, even if no significant findings are present. Tomer mentioned Veridise as a strong example of this.

Advice for builders on Soroban

For those building on Soroban, Tomer advised:

  • Utilize the extensive security documentation on Stellar’s dev docs.
  • Engage with the friendly developer community on the Stellar developer Discord to ask questions and learn.
  • Read previous audit reports to learn from existing protocols and findings.
  • Pay close attention to storage tiers, as this is a novel and potentially confusing mechanism in Stellar.
  • Leverage existing Rust knowledge, as the Stellar contract SDK is largely Rust-based, and tools like cargo-fuzz are transferable.

Kostas shared that in Veridise’s auditing experience, storage is a common area for Soroban-specific bugs, beyond general business logic issues.

Exciting future developments: Scalability, usability, and privacy

Looking ahead, Tomer highlighted that Stellar, which has been focused on real-world utility and equitable access since 2015 (particularly in payments and stablecoins), now feels feature complete with Soroban.

Current efforts are concentrated on:

  • Scalability and usability: Increasing throughput and reducing block times (currently five seconds).
  • Privacy: This is a growing concern, especially for traditional financial institutions entering the space, driven by compliance needs and the protection of user and merchant data. Stellar is investing in zero-knowledge infrastructure and prototyping solutions like confidential payments and privacy pools.

Kostas, with Veridise’s experience auditing ZK-based protocols, advised staying updated on the fast-moving ZK space, choosing technology that fits the use case (e.g., proving times), and prioritizing usability for end-users, as ZK can add significant complexity.

In closing, Tomer invited anyone interested in building secure everyday financial instruments to come build on Stellar, and consider getting audited by Veridise, an awesome auditor!

Author:

Mikko Ikola, VP of Marketing
