Security Audits

Security auditing is a critical milestone on the path to mainnet. Dualis Finance has completed internal security hardening across all protocol layers and is preparing for external audit engagement ahead of the mainnet launch.

Current Status

As of the current development phase, Dualis has completed comprehensive internal security hardening across the full stack. This includes systematic review of all DAML smart contracts, API endpoint security, frontend input handling, and infrastructure configuration. The protocol is deployed on Canton devnet, where all DeFi operations -- supply, withdraw, borrow, repay, add collateral, and liquidation -- have been tested end-to-end.

Pre-Audit Stage

Dualis Finance has not yet undergone a formal external security audit. The protocol is currently on Canton devnet. An external audit is a prerequisite for mainnet deployment and is planned for Q1-Q2 2026.

Security Hardening Completed

The following security measures have been implemented and tested internally:

  • DAML contract review: All 38 contract templates across 25 modules reviewed for signatory correctness, observer scope, choice authorization, and state transition integrity.
  • API security: Rate limiting, Helmet headers, CORS policy, CSRF protection, and Zod schema validation deployed across all 272 endpoints.
  • Authentication: JWT token lifecycle, bcrypt password hashing, refresh token rotation, and session management reviewed and hardened.
  • Input validation: Zod schemas enforce strict type and range checking on all request payloads. Fuzz testing performed on critical financial endpoints.
  • Error handling: Centralized error mapper prevents information leakage. Raw Canton and database errors are logged internally but never exposed to clients.
  • Infrastructure: Docker containers run with minimal privileges. TLS 1.3 enforced on all external connections. Canton participant access restricted to Docker internal network.
  • Financial math: 230+ unit tests in the shared package validate interest rate calculations, health factor computation, liquidation thresholds, and accrual logic.
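One way to implement the centralized error mapper described in the "Error handling" item above (an added example, not Dualis Finance's own code, written as a pure TypeScript function so it runs without Express): Zod validation issues are returned to the client, a hypothetical DomainError class carries client-safe business-rule messages, and everything else (Canton ledger errors, database errors, bugs) produces only a generic response while the raw message and stack go to the internal log. The Zod error shape is duck-typed rather than imported, and all sample errors are constructed for the example.

```typescript
// Added example (not Dualis code). Assumed: Zod errors carry name "ZodError" and
// an `issues` array; backend errors are ordinary Error objects with internal detail.
type SafeIssue = { path: string; message: string };
type ClientResponse = { status: number; body: { error: string; issues?: SafeIssue[] } };
type InternalLog = { level: "warn" | "error"; message: string; stack?: string };

// Duck-typed shape of a Zod validation error, so no dependency is needed here.
interface ZodLikeError { name: string; issues: { path: (string | number)[]; message: string }[] }

function isZodError(err: unknown): err is ZodLikeError {
  const e = err as { name?: unknown; issues?: unknown };
  return typeof err === "object" && err !== null && e.name === "ZodError" && Array.isArray(e.issues);
}

// Hypothetical class for business-rule rejections that are safe to show clients
// (e.g. a borrow that would push the health factor below 1).
class DomainError extends Error {
  constructor(message: string, public readonly status: number) {
    super(message);
    this.name = "DomainError";
  }
}

function mapError(err: unknown): { response: ClientResponse; log: InternalLog } {
  if (isZodError(err)) {
    // Field paths and messages describe the client's own payload, so they may be returned.
    const issues = err.issues.map((i) => ({ path: i.path.join("."), message: i.message }));
    return {
      response: { status: 400, body: { error: "Invalid request", issues } },
      log: { level: "warn", message: `validation failed: ${issues.length} issue(s)` },
    };
  }
  if (err instanceof DomainError) {
    return { response: { status: err.status, body: { error: err.message } }, log: { level: "warn", message: err.message } };
  }
  // Anything else (Canton ledger errors, PostgreSQL errors, plain bugs): keep the
  // raw message and stack for the internal log, send the client only a generic line.
  const raw = err instanceof Error ? err : new Error(String(err));
  return {
    response: { status: 500, body: { error: "Internal server error" } },
    log: { level: "error", message: raw.message, stack: raw.stack },
  };
}

// Constructed sample errors (not real Canton output) used to exercise the mapper.
const sampleZodError = { name: "ZodError", issues: [{ path: ["amount"], message: "Number must be greater than 0" }] };
const sampleCantonError = new Error("constructed: command rejected, contract 00abc... missing on participant dualis-participant-1");
const sampleDomainError = new DomainError("Borrow would leave the position undercollateralized", 422);
```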

Planned External Audit

An external security audit is planned for the Q1-Q2 2026 timeframe, prior to mainnet deployment. The audit will be conducted by a reputable blockchain security firm with experience in both DAML/Canton and TypeScript/Node.js application security.

Audit Scope

The external audit will cover four primary areas:

Area | Scope | Focus
DAML Smart Contracts | 25 modules, 38 templates | Signatory/observer correctness, choice authorization, state machine integrity, interest calculation accuracy, liquidation logic, governance execution safety
API Layer | 272 endpoints, middleware chain | Authentication bypass, authorization escalation, input validation completeness, rate limiting effectiveness, CSRF/CORS configuration, error information leakage
Frontend | 119 React components, 43 pages | XSS vectors, sensitive data exposure in client state, wallet interaction security, client-side validation bypass paths
Infrastructure | Docker, Nginx, PostgreSQL, Redis | Container isolation, network segmentation, TLS configuration, database access controls, Redis authentication, secret management

Post-Audit Process

Once the external audit is complete, the following steps will be taken:

  1. All findings will be triaged by severity (Critical, High, Medium, Low, Informational).
  2. Critical and High severity findings will be remediated before mainnet deployment.
  3. Medium findings will be addressed in the first post-launch maintenance window.
  4. The full audit report will be published on the Dualis documentation site.
  5. A re-audit of remediated findings will confirm that fixes are effective.

Continuous Security

Security does not end with a single audit. Dualis will implement a continuous security program post-launch that includes regular penetration testing, dependency vulnerability scanning, and an ongoing bug bounty program to incentivize responsible disclosure from the security research community.