Soroban smart contract security audits | Veridise

Soroban smart contract auditing

Comprehensive security analysis of your Soroban smart contracts to identify vulnerabilities and provide clear guidance on how to remediate them.

Soroban smart contract auditing involves experienced security analysts manually examining your Rust- and WebAssembly-based contracts, supported by our in-house security tools to facilitate effective vulnerability discovery. The end result is a thorough smart contract audit that our team assists you to implement.

Trusted by: RedStone, Wombat, HOT, Untangled

Soroban audits

Soroban audits are one of our core competencies at Veridise. If you’re building on Soroban, we help teams understand its security model and audit risks early.

Historically, the Stellar network has been the straight man of the crypto world: excellent for payments and financials, without a general-purpose smart contract platform. That changed with the debut of Soroban, which brings expressive smart contract logic to Stellar’s fast and inexpensive rails. 


When auditing Soroban contracts, the experience is fundamentally different from EVM-based systems. Unlike many newer chains that replicate the Ethereum Virtual Machine, Soroban was built from scratch using Rust. This was a wise strategic move. Rust is widely regarded as one of the safest languages for systems programming. It’s a natural fit for a network that handles billions in global value. By using WebAssembly, Soroban makes it easy to build contracts that are elegant and highly performant.

With Soroban, you get the speed of Stellar (five-second settlements) with the power of smart contracts. On the flip side, though, developers must learn a new framework, and do so without the extensive libraries and legacy code that one might have on hand with platforms like Ethereum. If you need a Soroban audit, it’s important to work with auditors who understand these differences in depth.

Soroban is brought to us by the Stellar Development Foundation, who emphasize that Soroban is a specialized tool for the real world, aimed at companies like MoneyGram or Circle that bridge the gap between traditional finance and blockchain. Soroban is well suited for teams that prioritize security, cost predictability, and production readiness from day one.

The Veridise edge: Why us?

Seasoned professionals

Veridise is composed of a team of seasoned security professionals, blending the latest research insights from academia with extensive industry expertise.

In-house tooling

In addition to rigorous human auditing, our industry-leading tools detect bugs that the human eye has a difficult time finding. This enhances the quality and effectiveness of our audits.

Confidentiality and ownership

Upon request, we uphold the confidentiality of the report, although many of our clients find value in publishing it. Additionally, our reports become fully yours upon completion of the audit, unlike with some other providers.

AuditHub access included, no extra setup

Access detection tool results instantly, collaborate directly with our auditors, and ensure your fixes are valid.


Our Soroban audit process

1. Assessment

Our experts assess the scope of the audit: we check the source repository and set the key requirements to be verified.

2. Review

At the next step, our team formalizes key properties of your project and utilizes our proprietary analysis tools to check for common vulnerabilities and deeper logical bugs.

3. Report

At the end of the audit, we deliver a detailed audit report summarizing our findings and recommendations. Our reports include any uncovered vulnerabilities, their potential impact, and mitigation strategies.

4. Fixes & Fixes Review

Our clients’ teams fix discovered bugs and vulnerabilities. The Veridise team then verifies the new code to ensure it is secure.

5. Final Report

Once all bug fixes are verified, we issue a final audit report and it is up to our clients whether to make the final report public or not.

Soroban Core audited by Veridise

We audited Soroban Core in an engagement commissioned by the Stellar Development Foundation. The five-person review gave us first-hand insight into the platform’s security model and real-world risk surface—experience we bring directly into Soroban application audits.


Four Soroban-specific details you should know

1. Validate complex inputs (Vec and Map<K, V>)

Soroban converts container inputs into raw host values with no guaranteed round-trip type safety. Without explicit validation, storing or later retrieving these types can halt execution or break logic.

2. Design for fuzz testing, avoid bare panics

Soroban’s fuzzing tools treat panic! as a bug. Using panic_with_error! and writing fuzzable logic improves test coverage and helps catch edge cases before deployment.

3. Watch out for hidden dependency drift

Using contractimport! without explicit dependency declarations can lead to outdated or mismatched contract versions at deployment, causing subtle behavior differences from test environments.

4. Manage unbounded storage carefully

Putting ever-growing data in instance storage can spike costs and risk DoS; even persistent storage needs careful design so entries don’t grow unchecked.
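The first, second and fourth points above, as an added example that is not Veridise's code and not part of the Soroban SDK. It is written in plain Rust so it runs without soroban_sdk: the Error enum plays the role a #[contracterror] enum would play in a real contract, a small in-memory Ledger stands in for host storage, and the cap values, key layout and function names are all assumptions. The pattern it shows is: reject a malformed container input up front, return typed errors instead of bare panics, and bound every stored entry so no key grows without limit.

```rust
// Added example (not Veridise's or the Soroban project's code). Plain Rust
// stand-in for a Soroban contract: in a real contract `Error` would carry
// #[contracterror], the entry points would be #[contractimpl] methods taking
// an Env, and `Ledger` would be env.storage(). All caps are assumptions.
use std::collections::{BTreeMap, BTreeSet};

/// Typed error codes. In Soroban these are raised with panic_with_error! or
/// returned as Err so the host and fuzzers see an expected contract error
/// rather than a bare panic!, which fuzz tooling treats as a bug.
#[repr(u32)]
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Error {
    EmptyInput = 1,
    TooManyEntries = 2,
    LengthMismatch = 3,
    ZeroAmount = 4,
    DuplicateRecipient = 5,
    Overflow = 6,
    StorageFull = 7,
}

/// Hard caps (illustrative): bound every container that crosses the host
/// boundary and every entry that lives in storage.
pub const MAX_BATCH: usize = 32;
pub const MAX_HISTORY_PER_ACCOUNT: usize = 64;

/// Simulated ledger storage. History is kept per account (one bounded
/// entry per key) instead of one ever-growing list under a single key.
#[derive(Default)]
pub struct Ledger {
    balances: BTreeMap<u64, i128>,
    history: BTreeMap<u64, Vec<i128>>,
}

impl Ledger {
    pub fn balance(&self, account: u64) -> i128 {
        self.balances.get(&account).copied().unwrap_or(0)
    }
    pub fn history_len(&self, account: u64) -> usize {
        self.history.get(&account).map_or(0, |h| h.len())
    }
}

/// Point 1: validate a (recipients, amounts) batch before touching state.
/// Length, pairing, sign and duplicate checks are all explicit; nothing is
/// assumed about what the host handed us.
pub fn validate_batch(recipients: &[u64], amounts: &[i128]) -> Result<(), Error> {
    if recipients.is_empty() {
        return Err(Error::EmptyInput);
    }
    if recipients.len() > MAX_BATCH {
        return Err(Error::TooManyEntries);
    }
    if recipients.len() != amounts.len() {
        return Err(Error::LengthMismatch);
    }
    let mut seen = BTreeSet::new();
    for (r, a) in recipients.iter().zip(amounts) {
        if *a <= 0 {
            return Err(Error::ZeroAmount);
        }
        if !seen.insert(*r) {
            return Err(Error::DuplicateRecipient);
        }
    }
    Ok(())
}

/// Points 2 and 4: credit each recipient, returning Err instead of panicking,
/// refusing to grow any per-account history past its cap, and checking
/// everything in a dry run so a rejected batch leaves the ledger untouched.
pub fn batch_credit(ledger: &mut Ledger, recipients: &[u64], amounts: &[i128]) -> Result<i128, Error> {
    validate_batch(recipients, amounts)?;
    let mut total: i128 = 0;
    for a in amounts {
        total = total.checked_add(*a).ok_or(Error::Overflow)?;
    }
    // Dry run: recipients are unique, so a per-recipient check is exact.
    for (r, a) in recipients.iter().zip(amounts) {
        ledger.balance(*r).checked_add(*a).ok_or(Error::Overflow)?;
        if ledger.history_len(*r) >= MAX_HISTORY_PER_ACCOUNT {
            return Err(Error::StorageFull);
        }
    }
    // Commit: every addition was already proven not to overflow.
    for (r, a) in recipients.iter().zip(amounts) {
        *ledger.balances.entry(*r).or_insert(0) += a;
        ledger.history.entry(*r).or_default().push(*a);
    }
    Ok(total)
}

fn main() {
    let mut ledger = Ledger::default();
    println!("{:?}", batch_credit(&mut ledger, &[1, 2], &[10, 20]));
    println!("{:?}", batch_credit(&mut ledger, &[1, 1], &[5, 5]));
    println!("{:?}", batch_credit(&mut ledger, &[1], &[i128::MAX]));
}
```

The dry-run-then-commit split is the part worth copying: a Soroban invocation that fails partway through rolls back, but returning a typed error before any write keeps the failure path cheap and makes fuzz findings unambiguous (an Err is expected behaviour, a panic is a bug).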

Soroban resources

Veridise security analysts have written in-depth articles on Soroban security, based on our real audit findings and hands-on experience. Explore the resources below to learn more.

Soroban audit funding

The Soroban ecosystem provides financial support for security audits through initiatives such as the Soroban Security Audit Bank, funded by the Stellar Development Foundation (SDF). Veridise discussed how this program works in a fireside chat with Tomer Weller from SDF.

Explore our Soroban audit reports

Review our publicly available Soroban audit reports below.

Protocol | Resource | Start Date | Company | Language(s) | Tag(s)
Verseprop: Verseprop | Report | Nov 2025 | Verseprop | Rust | Smart Contracts, Soroban, Rust, Token / ERC20, Privacy/Compliance, Soroban-SDK
RedStone: Stellar Connector | Report | Oct 2025 | RedStone | Rust | Smart Contracts, Stellar, Soroban, Rust, Radix
AhaLabs: Scaffold Registry | Report | Sep 2025 | AhaLabs | Rust | Smart Contracts, Soroban, Rust, Registry, Loam-SDK
Hot Dao: Hot Bridge | Report | Jul 2025 | HOT Dao | Rust | Smart Contracts, Relayer/Off-Chain Backend Service, NEAR, Soroban, Rust, Bridge
Untangled Finance: Untangled Vault | Report | May 2025 | Untangled Finance | Rust, Typescript | Smart Contracts, Relayer/Off-Chain Backend Service, Soroban, Rust, Typescript, Price Oracle, Vault
PotLock: GrantPicks | Report | Jan 2025 | PotLock | Rust | Smart Contracts, Soroban, Rust
Zenith Protocols: OrbitCDP | Report | Dec 2024 | Orbit | Rust | Smart Contracts, Soroban, Lending
Wombat: Wombat-Exchange | Report | Sep 2024 | Wombat | Rust | Smart Contracts, Soroban, AMM
57Blocks: Stellar Timelock Contract | Report | Jul 2024 | 57blocks | Rust | Smart Contracts, Soroban, Library/Infrastructure
Lydia Labs: HiYield | Report | Apr 2024 | Lydia Labs | Rust | Smart Contracts, Soroban, Lending
DeFi #55 | | Feb 2024 | | Rust | Relayer/Off-Chain Backend Service, Smart Contracts, AWS, Solidity, Soroban, ethers, Bridge, Cross-Chain
Moonbite: Phoenix DEX | Report | Jan 2024 | Moonbite GmbH | Rust | Smart Contracts, Soroban, AMM

FAQs

Frequently asked questions

What is Soroban?

Soroban is a smart contract platform built on the Stellar network, designed to support complex application logic while maintaining Stellar’s focus on performance, predictable fees, and real-world financial use cases.

A Soroban smart contract is a program written in Rust and compiled to WebAssembly (Wasm) that runs within Stellar’s execution environment. This enables programmable logic such as tokens, payments, and financial protocols.

Soroban has a distinct execution, storage, and authorization model, introducing risks such as authorization context errors, TTL misuse, and host-boundary type issues that do not exist in EVM-based systems.

Veridise tailors Soroban audits by focusing on the platform’s unique execution and security model, rather than applying generic EVM checklists. We review authorization boundaries, arithmetic and ledger-based time logic, storage and TTL assumptions, and host-boundary type safety.

Our team has audited a number of Soroban contracts and published best-practice guidance based on real audit findings.

Ideally before deployment (a first deployment or an upgrade); we also audit systems that are already live.

Soroban audit pricing depends on code size (lines of code), contract complexity, and system architecture. We provide custom quotes after an initial scoping review. Some teams may be eligible for audit funding through The Soroban Audit Bank program.

Considering a Soroban audit?

Don’t leave your project’s security to chance.
Get verified by Veridise and secure your blockchain future.

Contact us for a security audit quote

Secure an earlier audit slot by reaching out early.
